Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Starlette
Contributor
‎03-28-2010 02:59 PM

Hai There,

I am dealing with a forwarder to indexer which is reading a kiwi directory with several types of devices. Mainly Cisco router/swithes ASA's and Cisco FW modules, also some other stuff. Events are flowing in with sourcetype as the orig filename.

I extacted the hosts with hostoverides, and overided some sourcetypes ( asa, pix etc)

Question is :

What is Field extracted for syslog and Cisco_syslog, I am now using overiding in index time but looks like I am re-ineventing the wheel for syslog (cisco)syslog) Are those default extractions somewhere in the install?

Cheers Dutchy

Tags (1)
Reply

Starlette
Contributor
‎03-29-2010 04:27 PM

Hai BunnyHop,

Thanks,

For somme reason I overlooked this DIR, now it make sense that there are no extractions for Cisco ( exept in the security ap) Cisco_syslog is using :

[syslog-extractions] REGEX = \s([^\s[]+)(?:[(\d+)])?:\s FORMAT = process::$1 pid::$2

Thats it,,,I am already using the security app for asa and FWSM, but have to reinent the wheel for router/switch logs can you share what you have sofar btw? thanks, Dutchy

0 Karma
Reply

BunnyHop
Contributor
‎03-29-2010 02:57 PM

You will find the extractions that the Cisco_Syslog sourcetype is using on the default folder:

%SPLUNK%\etc\system\default\

files are props.conf and transforms.conf

These are basis extractions. There are Cisco apps that does additional extractions, but it will probably be compatible with the newer devices, rather than the older ones. So if you have PIX, that app won't help you.

http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

I have created my own inline extractions using regex. If you want to do the same, you would create them on the local folder. The settings in this folder takes precedence over the default.

%SPLUNK%\etc\system\local\

Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...