Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Starlette
Contributor
‎03-28-2010 02:59 PM

Hai There,

I am dealing with a forwarder to indexer which is reading a kiwi directory with several types of devices. Mainly Cisco router/swithes ASA's and Cisco FW modules, also some other stuff. Events are flowing in with sourcetype as the orig filename.

I extacted the hosts with hostoverides, and overided some sourcetypes ( asa, pix etc)

Question is :

What is Field extracted for syslog and Cisco_syslog, I am now using overiding in index time but looks like I am re-ineventing the wheel for syslog (cisco)syslog) Are those default extractions somewhere in the install?

Cheers Dutchy

Tags (1)
Reply

Starlette
Contributor
‎03-29-2010 04:27 PM

Hai BunnyHop,

Thanks,

For somme reason I overlooked this DIR, now it make sense that there are no extractions for Cisco ( exept in the security ap) Cisco_syslog is using :

[syslog-extractions] REGEX = \s([^\s[]+)(?:[(\d+)])?:\s FORMAT = process::$1 pid::$2

Thats it,,,I am already using the security app for asa and FWSM, but have to reinent the wheel for router/switch logs can you share what you have sofar btw? thanks, Dutchy

0 Karma
Reply

BunnyHop
Contributor
‎03-29-2010 02:57 PM

You will find the extractions that the Cisco_Syslog sourcetype is using on the default folder:

%SPLUNK%\etc\system\default\

files are props.conf and transforms.conf

These are basis extractions. There are Cisco apps that does additional extractions, but it will probably be compatible with the newer devices, rather than the older ones. So if you have PIX, that app won't help you.

http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

I have created my own inline extractions using regex. If you want to do the same, you would create them on the local folder. The settings in this folder takes precedence over the default.

%SPLUNK%\etc\system\local\

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...