Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Starlette
Contributor
‎03-28-2010 02:59 PM

Hai There,

I am dealing with a forwarder to indexer which is reading a kiwi directory with several types of devices. Mainly Cisco router/swithes ASA's and Cisco FW modules, also some other stuff. Events are flowing in with sourcetype as the orig filename.

I extacted the hosts with hostoverides, and overided some sourcetypes ( asa, pix etc)

Question is :

What is Field extracted for syslog and Cisco_syslog, I am now using overiding in index time but looks like I am re-ineventing the wheel for syslog (cisco)syslog) Are those default extractions somewhere in the install?

Cheers Dutchy

Tags (1)
Reply

Starlette
Contributor
‎03-29-2010 04:27 PM

Hai BunnyHop,

Thanks,

For somme reason I overlooked this DIR, now it make sense that there are no extractions for Cisco ( exept in the security ap) Cisco_syslog is using :

[syslog-extractions] REGEX = \s([^\s[]+)(?:[(\d+)])?:\s FORMAT = process::$1 pid::$2

Thats it,,,I am already using the security app for asa and FWSM, but have to reinent the wheel for router/switch logs can you share what you have sofar btw? thanks, Dutchy

0 Karma
Reply

BunnyHop
Contributor
‎03-29-2010 02:57 PM

You will find the extractions that the Cisco_Syslog sourcetype is using on the default folder:

%SPLUNK%\etc\system\default\

files are props.conf and transforms.conf

These are basis extractions. There are Cisco apps that does additional extractions, but it will probably be compatible with the newer devices, rather than the older ones. So if you have PIX, that app won't help you.

http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

I have created my own inline extractions using regex. If you want to do the same, you would create them on the local folder. The settings in this folder takes precedence over the default.

%SPLUNK%\etc\system\local\

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...