Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding to syslog stream

MHibbin
Influencer
‎10-28-2013 04:05 AM

Hi,

I've configured Splunk to forward data to a third party system we use.

I can see on the packet captures that the traffic is being sent to the host, however, I am seeing more data than I would like going to this host. I would only like our ASA traffic to go to this host, however, I am seeing all sorts of data being sent. I was not expecting this based on the following configuration files:

outputs.conf -

[syslog]
defaultGroup = syslog_out

[syslog:syslog_out]
server=1.2.3.4:514
type=udp
priority = NO_PRI

props.conf - 

[cisco_asa]
TRANSFORMS-routing=syslog_routing

transforms.conf

[syslog_routing]
REGEX="^[^\%]+\%ASA"
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_out

N.B: the regex is there as I thought it might be an issue with just using "." for the "cisco_asa" sourcetype (not that it should matter).

I've clearly missed something here, so any help would be grateful.

Thanks,

mhibbin

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

datasearchninja
Communicator
‎10-28-2013 06:16 AM

Don't set the defaultGroup parameter. You only want to send syslog when the transform matches.

View solution in original post

Reply
Solved! Jump to solution
Solution

datasearchninja
Communicator
‎10-28-2013 06:16 AM

Don't set the defaultGroup parameter. You only want to send syslog when the transform matches.

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-28-2013 05:49 AM

Hi MHibbin

try to step back to a more basic setup like in the docs and change it to match the examples. Try it with host::1* for example, instead of of source type.

hope this helps ...

cheers, MuS 🙂

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...