Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure a Heavy Forwarder to forward a subset of Cisco ASA events to Indexers, while sending ALL events to external syslog servers?

mackermann
Engager
‎01-12-2017 08:18 AM

Running 6.5.0.

Attempting to use a Heavy Forwarder to forward a subset of cisco:ASA events to Splunk indexers, while sending ALL events to external syslog Servers. The filter to the indexers works, but unable to get ALL events to forward to the syslog servers. Have tried many combinations and permutations in the involved .conf files, but current configs are shown below. The effect should be that only one ASA-6 log level message is sent to the indexers, while ALL log level 6 messages are sent to the syslog servers. Only the 725003 log level 6 message is being sent to the syslog servers.

IN PROPS.CONF

[cisco:asa]
TRANSFORMS-asa = cisco_asa_elim_specific_msg_id, cisco_asa_indexers, cisco_asa_syslog_routing
#

IN TRANSFORMS.CONF

[cisco_asa_elim_specific_msg_id]
REGEX = .*?(ASA-4-419002):.*
#  REGEX = .
  DEST_KEY = queue
   FORMAT = nullQueue
#
#
## Keep requied Log levels and message ids and send to splunk indexes
[cisco_asa_indexers]
REGEX = ((ASA-2|ASA-3|ASA-4|ASA-1|ASA-5|ASA-6-725003))
   DEST_KEY = queue
   FORMAT = indexQueue
#
## route  all events  to other servers
[cisco_asa_syslog_routing]
REGEX = .
  DEST_KEY = _SYSLOG_ROUTING
   FORMAT = syslogServer1, syslogServer2
Reply

bloehr_splunk
Splunk Employee
Splunk Employee
‎05-24-2017 02:38 PM

When you do this you need to place the broadest transforms statement first in your props.

props.conf:
[cisco:asa]
TRANSFORMS-ASA6=ASA4,ASA1,ASA6

transforms.conf
[ASA6]
REGEX = ASA-6-725003
DEST_KEY = _TCP_ROUTING
FORMAT = test1,test2

[ASA1]
REGEX = ASA-[6]-*
DEST_KEY=_TCP_ROUTING
FORMAT=test2

[ASA4]
REGEX = ASA-[1|2|3|4|5]
DEST_KEY = _TCP_ROUTING
FORMAT = test1,test2

Since we are filtering on ASA 6 data we want to list the transform statement that is for the broadest range so in the example we want to list ASA1 before ASA6. ASA 4 Can be listed at any point. This is because splunk is setting flags on the data and by doing the narrow first than the broad the broad is over writing the flag on the narrow. So all data flow to ASA1 instead of the intended target.

Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...