I've configured Splunk to forward data to a third party system we use.
I can see on the packet captures that the traffic is being sent to the host, however, I am seeing more data than I would like going to this host. I would only like our ASA traffic to go to this host, however, I am seeing all sorts of data being sent. I was not expecting this based on the following configuration files:
[syslog]
defaultGroup = syslog_out

[syslog:syslog_out]
server = 188.8.131.52:514
type = udp
priority = NO_PRI

[syslog_routing]
REGEX = "^[^\%]+\%ASA"
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_out
N.B.: the regex is there because I thought it might be an issue with just using "." for the "cisco_asa" sourcetype (not that it should matter).
I've clearly missed something here, so any help would be appreciated.
Try to step back to a more basic setup like in the docs and change it to match the examples. Try it with host::1* for example, instead of the sourcetype.
Hope this helps ...
cheers, MuS 🙂
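Putting the answer's advice into concrete files, as an added example that is not the poster's configuration: the `[syslog] defaultGroup` stanza in outputs.conf sends every event to `syslog_out`, which explains the extra traffic in the capture; the routing transform only selects events when props.conf binds it to a sourcetype. The `[cisco_asa]` props.conf stanza is assumed from the sourcetype named in the question.

```ini
# --- outputs.conf (added example) ---
# Before: defaultGroup routes ALL events to syslog_out, so non-ASA data
# leaves for the third-party host. Leave these two lines out.
#[syslog]
#defaultGroup = syslog_out

# After: the group is only reachable through _SYSLOG_ROUTING below.
[syslog:syslog_out]
server = 188.8.131.52:514
type = udp
priority = NO_PRI

# --- props.conf (added example) ---
# Binds the routing transform to the cisco_asa sourcetype. Without this
# stanza the transform is never evaluated. Stanza name is an assumption.
[cisco_asa]
TRANSFORMS-routing = syslog_routing

# --- transforms.conf (added example) ---
# Same transform as in the question; once only cisco_asa events reach it,
# REGEX = . (match everything) would also be enough.
[syslog_routing]
REGEX = ^[^\%]+\%ASA
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_out
```

Syslog output and TRANSFORMS-based routing are applied at parse time, so these stanzas belong on a heavy forwarder or indexer, not a universal forwarder; after restarting, a fresh packet capture on port 514/udp should show only %ASA events.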