Although we have multiple threads related to this topic, none are useful and confusing for newbies like me.
I have multiple Cisco devices (Routers, ASA firewall, ACS server) and all are sending syslog info directly to Splunk.
I'd really feel grateful if anybody can give step by step recommendation on how to view them separately?.
I am confused especially when the sourcetype and source are showing cisco:asa for all the devices that is being searched (say for example, i m looking logs for SMTP relay and it is showing sourcetype as ASA)
Please help me friends!
This is most likely because all of your devices are sending to the UDP input on the Splunk server, and you have that UDP input configured as cisco:asa. There are a few options to change this:
1) Create different UDP inputs for each device type:
UDP/514 = cisco:asa
UDP/515 = cisco:ios
UDP/515 = cisco:acs
UDP/516 = myunixsyslogfeeds
2) Alternatively, you can configure props and transforms to assign the sourcetype based on a match against the host content.
See this article for more information : http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Advancedsourcetypeoverrides
If you do either of the above, then at search time you can specifcy sourcetype=cisco:asa or sourcetype=cisco:acs etc.
Or even better, install the technology addons for Cisco ASA and ACS, most of it works just fine out of the box 🙂
If you're using a distributed environment, install them on your forwarders.
https://apps.splunk.com/app/1620/
https://apps.splunk.com/app/1811/
@esix_splunk : OK, 1st option is good but still I would like to choose second option:
The document says:
Create a stanza in transforms.conf that follows this syntax:
[] - my value here is cisco_acs & SMTP
REGEX = -
FORMAT = sourcetype:: -
DEST_KEY = MetaData:Sourcetype
Could you please decode the above stanza for cisco acs and SMTP relay logs?
You'd be better to start a new thread and ask the community for help in that manner.
Also, look at the Cisco IOS and ASA TA's that have all the extractions in place. You most likely can find the solution there.
in search and repporting app
build 3 search:
1 with source=first source file who is in your index and save it like eventype Routers
index=my_index source=first_source_name
2 index=my_index source=second_source_name
save it like eventype asa_firewall
3index=my_index source=third_source_name
save it like eventype acs_server