Getting Data In

Need help filtering Cisco ASA Logs at index time.

balbano
Contributor

Hey Guys,

I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data.

In a very simple way, let me explain what I need done.

Problem: I have Cisco ASA Logs sent to this syslog-ng server.

I would like to set up a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed:

ASA-6-302016
ASA-6-302015
ASA-7-609001
ASA-7-609002
ASA-6-302013
ASA-6-302014
ASA-6-302020
ASA-6-302021
ASA-6-305012
ASA-6-305011

Everything else other than this I would like to index to a certain specified index.

Can someone tell me, from start to finish, how I would do this, as far as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed?

The documentation is a little tricky for me to understand so maybe an example will make me understand better.

Appreciate any help you can provide.

Thanks.

Brian

1 Solution

jbsplunk
Splunk Employee
 props.conf

 [yoursourcetype]
 TRANSFORMS-null = setnull

 transforms.conf

 [setnull]
 REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
 DEST_KEY = queue
 FORMAT = nullQueue

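To see exactly which events the stanza above sends to nullQueue, here is an added Python emulation of that routing, written for this thread rather than taken from the answer or from Splunk, run over constructed sample syslog lines. It also tries the %ASA-(\w+-)? variant proposed elsewhere in this thread, since newer ASA releases emit messages carrying a %ASA-session- prefix that the original pattern does not match. Assumption: the REGEX is applied to the whole _raw event as an unanchored search, which is the transforms.conf default (SOURCE_KEY = _raw).

```python
import re

# REGEX from the accepted answer's transforms.conf [setnull] stanza.
ORIGINAL_REGEX = r"ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)"
# Variant suggested later in the thread: tolerates an extra word between "%ASA-"
# and the severity digit, e.g. "%ASA-session-6-302015" on newer ASA releases.
PREFIX_TOLERANT_REGEX = r"%ASA-(\w+-)?[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)"

# Constructed sample events (not real device output), mixing the classic
# "%ASA-<sev>-<id>" format with the newer "%ASA-session-<sev>-<id>" format.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 fw01 %ASA-6-302016: Teardown UDP connection 12345 for outside:203.0.113.5/53 to inside:10.0.0.5/51000 duration 0:00:01 bytes 120",
    "Jan 10 12:00:02 fw01 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/4444 to 10.0.0.8/22 flags SYN on interface outside",
    "Jan 10 12:00:03 fw01 %ASA-session-6-302015: Built outbound UDP connection 12346 for outside:203.0.113.5/53 to inside:10.0.0.5/51001",
    "Jan 10 12:00:04 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/1234 dst inside:10.0.0.9/445 by access-group \"outside_in\"",
    "Jan 10 12:00:05 fw01 %ASA-7-609001: Built local-host inside:10.0.0.5",
]


def route_events(events, regex):
    """Emulate TRANSFORMS-null = setnull: an event whose _raw matches REGEX is
    routed to nullQueue (discarded before indexing); all others stay on the
    default path and get indexed."""
    pattern = re.compile(regex)
    routed = {"nullQueue": [], "indexQueue": []}
    for raw in events:
        # Unanchored search over the full event, as Splunk does against _raw.
        queue = "nullQueue" if pattern.search(raw) else "indexQueue"
        routed[queue].append(raw)
    return routed


def message_ids(events):
    """Extract the ASA severity/message id (e.g. '6-302016') from each event,
    accepting the optional '%ASA-session-' style prefix, for compact reporting."""
    return [m.group(1) for raw in events
            if (m := re.search(r"%ASA-(?:\w+-)?(\d-\d{6})", raw))]


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_REGEX), ("prefix-tolerant", PREFIX_TOLERANT_REGEX)):
        routed = route_events(SAMPLE_EVENTS, regex)
        print(f"{name}: dropped={message_ids(routed['nullQueue'])} "
              f"kept={message_ids(routed['indexQueue'])}")
```

With the original pattern the %ASA-session-6-302015 event is still indexed, which is the gap the later reply points out; the denies (106015, 106023) are kept by both patterns, as intended.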

chris_moody
Engager

Or, better yet, why not save yourself the unnecessary log traffic and load on the ASA anyway and just turn those message numbers off at the source?

ex>
 asa-firewall# conf t
 asa-firewall(conf)# no logging message 302016
 asa-firewall(conf)# no logging message 302015
 etc.

-Chris

cvajs
Contributor

Sorry, once again this forum code is a pita and takes a single \ as a special char.

It should be
%ASA-(\w+-)?[67]-(code|code|code|code)

cvajs
Contributor

Your regex will fail with the 8.4+ ASA (need to verify actual revs); it comes in with %ASA-session- in it,
see http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change

so you might modify the regex to be
%ASA-(session-)?[67]-(code|code|code|code)
or
%ASA-(\w+-)?[67]-(code|code|code|code)

jbsplunk
Splunk Employee

Glad to help!

balbano
Contributor

Thank You!!!

balbano
Contributor

Anything guys?
