Getting Data In
Highlighted

Forwarding to syslog stream

Influencer

Hi,

I've configured Splunk to forward data to a third party system we use.

I can see on the packet captures that the traffic is being sent to the host, however, I am seeing more data than I would like going to this host. I would only like our ASA traffic to go to this host, however, I am seeing all sorts of data being sent. I was not expecting this based on the following configuration files:

outputs.conf -

[syslog]
defaultGroup = syslog_out

[syslog:syslog_out]
server=1.2.3.4:514
type=udp
priority = NO_PRI

props.conf -

[cisco_asa]
TRANSFORMS-routing=syslog_routing

transforms.conf

[syslog_routing]
REGEX="^[^\%]+\%ASA"
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_out

N.B: the regex is there as I thought it might be an issue with just using "." for the "cisco_asa" sourcetype (not that it should matter).

I've clearly missed something here, so any help would be grateful.

Thanks,

mhibbin

0 Karma
Highlighted

Re: Forwarding to syslog stream

SplunkTrust
SplunkTrust

Hi MHibbin

try to step back to a more basic setup like in the docs and change it to match the examples. Try it with host::1* for example, instead of of source type.

hope this helps ...

cheers, MuS 🙂

Highlighted

Re: Forwarding to syslog stream

Communicator

Don't set the defaultGroup parameter. You only want to send syslog when the transform matches.

View solution in original post