Hi all,
I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)
It looks like this stanza in the transforms.conf will be the issue
[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1
However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting but this didn't work.
View source from splunk shows:
Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....
Is anyone else doing the same thing, and if so, how did you fix it? 🙂
Thanks!
EDIT:
Right, after some brain-ache, I found that I can fix this by editing:
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf
And appending syslog-host on the end of the first transforms line, eg:
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host
There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.
Do I need to add a one-liner in the local folder in a new props.conf?
i.e.: TRANSFORMS-syslog-host
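An added example, not part of this thread or of the Cisco app, that uses Python's re module to run the stanzas quoted here against the pasted event: the default [cisco_firewall_hostoverride] regex expects tab separators, so it never matches the space-separated syslog line, while the space-based regex does; the catch-all sourcetype regex is also shown firing only for a constructed IOS-style line. It assumes Python's re treats these patterns the same way Splunk's PCRE does.

```python
import re

# Sample event constructed from the "view source" line pasted in the question.
SAMPLE_ASA_EVENT = ("Sep 18 13:10:02 myfirewall %ASA-6-302014: "
                    "Teardown TCP connection 54647599 for outside....")
# Constructed IOS-style line, only to show what the catch-all stanza does match.
SAMPLE_IOS_EVENT = "Sep 18 13:10:02 myswitch 123: %SYS-5-CONFIG_I: Configured from console"

# REGEX/FORMAT pairs copied from the stanzas quoted in this thread.
DEFAULT_HOSTOVERRIDE = (r"\S+\t\S+\s(.*)\t+", "host::$1")         # tab-separated
SPACE_HOSTOVERRIDE = (r"\s\d+:\d+:\d+\s(.*)\s\%", "host::$1")    # space-separated
CISCO_CATCHALL = (r":\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)",
                  "sourcetype::cisco")


def apply_transform(event, regex, fmt):
    """Emulate one transforms.conf REGEX/FORMAT pair against _raw.
    Assumption: Python's re behaves like Splunk's PCRE for these patterns.
    Returns (key, value) parsed from FORMAT, or None when REGEX does not match."""
    match = re.search(regex, event)
    if match is None:
        return None
    value = fmt
    for i, group in enumerate(match.groups(), start=1):
        value = value.replace(f"${i}", group or "")   # substitute $1, $2, ...
    key, _, val = value.partition("::")
    return key, val


def run_transforms(event, chain):
    """Apply a TRANSFORMS-* list in order, like the props.conf line in the question;
    a later match overwrites an earlier one for the same metadata key."""
    meta = {}
    for regex, fmt in chain:
        result = apply_transform(event, regex, fmt)
        if result is not None:
            meta[result[0]] = result[1]
    return meta


if __name__ == "__main__":
    print(apply_transform(SAMPLE_ASA_EVENT, *DEFAULT_HOSTOVERRIDE))  # None: no tabs in the line
    print(apply_transform(SAMPLE_ASA_EVENT, *SPACE_HOSTOVERRIDE))    # ('host', 'myfirewall')
    print(run_transforms(SAMPLE_ASA_EVENT, [CISCO_CATCHALL]))        # {}: ASA is not in the list
    print(run_transforms(SAMPLE_IOS_EVENT, [CISCO_CATCHALL]))        # {'sourcetype': 'cisco'}
```

Without the host transform in the TRANSFORMS-* chain nothing ever sets MetaData:Host, which is why the forwarder's name shows up regardless of which regex is in the stanza.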
Why not put the props entry in /opt/splunk/etc/apps/Splunk_CiscoFirewalls/local/props.conf so it isn't overwritten after an upgrade?
[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host
You can always remove the ones you don't want it to call as well.
Many thanks! Much appreciated. 🙂
Yes - local always overrides default.
Yes you can put in a blank stanza if needed
Docs explain who wins here ->
http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Wheretofindtheconfigurationfiles
Thanks, that sounds like it'll work better! If there is a duplicate entry in the local folder, I take it that overrides the default one?
How do I effectively "remove" an entire stanza in the "local" version of the file, by the way? Just add a blank stanza with the same name or something?
Just noticed that this ASA app has a catch all transform for cisco, which could be problematic!
[force_sourcetype_for_cisco_catchall]
DEST_KEY = MetaData:Sourcetype
REGEX = :\s\%((SNMP|CDP|FAN|LINE|LINEPROTO|RTD|SYS|C\d+_[^-]+)-\d+-\S+)
FORMAT = sourcetype::cisco
That's not really an exhaustive list so you can end up with split sourcetype for cisco kit... I've commented that out for now, but as above... if there's a more elegant way to override this, I'd appreciate some advice.