- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guys,
I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data.
In a very simple way, let me explain what I need done.
Problem: I have Cisco ASA Logs sent to this syslog-ng server.
I would like to setup a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed:
ASA-6-302016
ASA-6-302015
ASA-7-609001
ASA-7-609002
ASA-6-302013
ASA-6-302014
ASA-6-302020
ASA-6-302021
ASA-6-305012
ASA-6-305011
Everything else other than this I would like to index to a certain specified index.
Can someone tell me from start to finish how I would do this as for as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed.
The documentation is a little tricky for me to understand so maybe an example will make me understand better.
Appreciate any help you can provide.
Thanks.
Brian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[yoursourcetype]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
or - better yet, why not save yourself the unnecessary log traffic and load on the ASA anyway and just turn those message numbers off at the source.
ex>
asa-firewall# conf t
asa-firewall(conf)# no logging message 302016
asa-firewall(conf)# no logging message 302015
etc.
-Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
props.conf
[yoursourcetype]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, once again this forum code is a pita and takes a single \ as a special char.
it should be
%ASA-(\w+-)?[67]-(code|code|code|code)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your regex will fail with the 8.4+ ASA (need to verify actual revs), it comes in with %ASA-session- in it,
see http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change
so you you might modify the regex to be
%ASA-(session-)?[67]-(code|code|code|code)
or
%ASA-(\w+-)?[67]-(code|code|code|code)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
glad to help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anything guys?
