The syslog messages we receive from the firewall have multiple formats. A limited sample is listed below

Apr 30 15:26:20 147.81.86.22 %ASA-4-313004: Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 147.81.104.109: no matching session
Apr 29 13:39:31 147.81.86.22 %ASA-6-605004: Login denied from 72.81.224.40/63508 to inside:72.81.86.22/ssh for user "dstrollo"
Apr 28 13:58:47 147.81.37.241 %ASA-3-710003: TCP access denied by ACL from 45.64.188.70/48986 to Internet:72.83.128.9/23

Our requirement is to be able to extract all the fields in these messages for our analysts.

My question is whether the configuration below will work. If it doesn't it may mess up the existing index. Any advice will be much appreciated.

In props.conf, I set up a basic search to extract the syslog message in each record. The results are listed below

Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 147.81.104.109: no matching session
Login denied from 72.81.224.40/63508 to inside:72.81.86.22/ssh for user "dstrollo"
TCP access denied by ACL from 45.64.188.70/48986 to Internet:72.83.128.9/23

The props.conf is listed below

[syslog]

-------

NO_BINARY_CHECK = 1
pulldown_type = 1
BREAK_ONLY_BEFORE_DATE = false
TIME_PREFIX = ^

%Y = year, %m = month, %d = day, %H = hour, %M = minute, %S = seconds, %z = time zone offset

example = 2015-03-25T16:22:01-04:00

the - ( in -4:00 => %z ) is part of the timezone specification (UTC-04:00 versus UTC+04:00)

TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
EXTRACT-syslog = \s(?[^\s]+)\s(?[^:]+:)\s(?.+)

Then I use different transforms to process each message type separately at search time

In props.conf

[syslog]
....
EXTRACT-syslog = "as above"
REPORT-SyslogMsg = SyslogMsg1, SyslogMsg2, SyslogMsg3

In trasnforms.conf

[SyslogMsg1]
REGEX = "extract fields in Msg1"

SyslogMsg2
REGEX = "extract fields in Msg2"

SyslogMsg3
REGEX = "extract fields in Msg3"

Thank you.