
How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Explorer

Hi,

I have Cisco ASA and Cisco ISE syslogs coming to Splunk on UDP port 1026. I would like to differentiate the sourcetype and index for both.

Cisco ASA logs: the sourcetype has to be changed to cisco:asa and the events moved to an index called cisco_asa.

Cisco ISE logs: the sourcetype has to be changed to cisco:ise:syslog and the events moved to an index called cisco_ise.

Please help to build the props and transforms for the above.

Regards
Sajin

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Motivator

Hello! You can do it using Splunk Web, the Splunk CLI, or by editing your props.conf. Just read this: http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports
Thanks

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Explorer

The above URL shows how to get data into Splunk, which is already done. The data is currently coming in as source=udp1026 and sourcetype=syslog.

What I require is:
1. Sourcetype for Cisco ASA logs to be changed to cisco:asa and moved to an index cisco_asa.
2. Sourcetype for Cisco ISE logs to be changed to cisco:ise:syslog and moved to an index cisco_ise.

Regards
Sajin

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Motivator

OK, I understand.
The acceptFrom = <parameter> setting in your inputs.conf lets you list a set of networks or addresses to accept connections from.

Each rule can be in one of the following forms:
  1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
  2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
  3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

This means that if you know exactly which machine is sending the Cisco ASA syslog, you would be able to do something like this:

[udp://<remote server>:<port>]
acceptFrom = 10.1.2.3
sourcetype = cisco:asa
index = cisco_asa
source = udp1026

.......

Do the same for your Cisco ISE logs.
Thanks


Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Esteemed Legend

If the answer given by @stephanefotso doesn't work (and I expect it won't, but I give him karma for a clever option to try), then you will have to give up either your goal to have each in a separate index or your goal to have them both come in on the same port. If you go with the latter, then do just as @stephanefotso said, but with 2 different ports. If you go with the former, then you can do a sourcetype override like this:

In transforms.conf:

[set_sourcetype_cisco_asa]
REGEX = YOUR REGEX HERE maybe something like (?:10.0.1.21|10.0.1.23)
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_cisco_ise]
REGEX = YOUR REGEX HERE maybe something like (?:10.0.1.21|10.0.1.23)
FORMAT = sourcetype::cisco:ise
DEST_KEY = MetaData:Sourcetype

In props.conf:

[source::udp:1026]
TRANSFORMS-cisco_sourcetype_overrides = set_sourcetype_cisco_asa set_sourcetype_cisco_ise

You will have to deploy these files to your indexers (or heavy forwarder) and it will NOT change anything that is already in Splunk.

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Explorer

I was also thinking of doing the below.

[set_sourcetype_cisco_asa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_cisco_ise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[source::udp:1026]
TRANSFORMS-set_sourcetype_sonicwall = set_sourcetype_cisco_asa set_sourcetype_cisco_ise

But still, how do I move it to a different index?

I will try the first option given by @stephanefotso and if that doesn't help, will look at the latter.

Will update you all today.

Regards
Sajin

0 Karma
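As an added example (not any poster's configuration), a small Python emulation of how host-keyed transforms like the ones above assign both sourcetype and index: on a REGEX match against SOURCE_KEY, FORMAT is written into DEST_KEY, and the index question at the end of the post is answered by a second stanza per device using DEST_KEY = _MetaData:Index, a documented Splunk transforms.conf key. The transforms.conf text, the host addresses and the sample messages are all constructed.

```python
import configparser
import re

# Constructed transforms.conf text (not any poster's configuration): per device, one
# stanza rewrites the sourcetype and one routes the event via DEST_KEY = _MetaData:Index.
TRANSFORMS_CONF = r"""[set_sourcetype_cisco_asa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_index_cisco_asa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = cisco_asa
DEST_KEY = _MetaData:Index

[set_sourcetype_cisco_ise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[set_index_cisco_ise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = cisco_ise
DEST_KEY = _MetaData:Index
"""
# The order in which a TRANSFORMS-<class> line under [source::udp:1026] would list them.
TRANSFORMS_ORDER = ["set_sourcetype_cisco_asa", "set_index_cisco_asa",
                    "set_sourcetype_cisco_ise", "set_index_cisco_ise"]

_cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
_cp.optionxform = str  # keep SOURCE_KEY / REGEX / FORMAT / DEST_KEY as written
_cp.read_string(TRANSFORMS_CONF)

def route(host, raw):
    """Emulate index-time transforms for one event; returns (sourcetype, index)."""
    event = {"_raw": raw, "MetaData:Host": f"host::{host}",
             "MetaData:Sourcetype": "sourcetype::syslog", "_MetaData:Index": "main"}
    for name in TRANSFORMS_ORDER:
        stanza = _cp[name]
        if re.search(stanza["REGEX"], event.get(stanza.get("SOURCE_KEY", "_raw"), "")):
            event[stanza["DEST_KEY"]] = stanza["FORMAT"]
    return event["MetaData:Sourcetype"].split("::", 1)[1], event["_MetaData:Index"]

if __name__ == "__main__":
    print(route("192.168.1.251", "%ASA-6-302013: Built inbound TCP connection"))  # constructed sample
    print(route("192.168.1.25", "prefix host: the anchored regex does not match"))
```

Events from an unlisted host keep the input's defaults, which is why the ^ and $ anchors matter: without them a host such as 192.168.1.25 would be a prefix match for the .250 and .251 rules.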

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Esteemed Legend

Re-read my answer; it is a COMPLETE answer. If the suggestion by @stephanefotso does not work, then it is NOT POSSIBLE unless you split ports and put one on 1026 and the other on another port. Then you will have 2 entries in inputs.conf and each one will have a different index= line.

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Esteemed Legend

So did anything work out?

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Explorer

I did not try editing anything in the props and transforms. I have used the Splunk Add-on for Cisco ASA, the Splunk Add-on for Cisco ISE and the Cisco Networks Add-on. After that I changed the configuration in the data inputs page in Splunk. I have created UDP inputs with specific IP addresses and syslog ports and manually defined the sourcetype. It has set the sourcetype for all the events to cisco:asa, cisco:ise:syslog and cisco:ios respectively, and I am able to get the Cisco apps working fine.

Please let me know if there will be any operational impact or technical difficulty in implementing the Splunk ES with this kind of data input configurations.

Thanks a lot for the suggestions.

Regards
Sajin

0 Karma

Re: How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

Esteemed Legend

OK, so you used the split-port solution. The TAs should use the sourcetype as the basis for almost everything, so as long as you are keeping with the naming conventions that they used, you should be fine. Please "Accept" an answer to close off this question.

0 Karma