Getting Data In

Need help filtering Cisco ASA Logs at index time.

Contributor

Hey Guys,

I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data.

In a very simple way, let me explain what I need done.

Problem: I have Cisco ASA Logs sent to this syslog-ng server.

I would like to set up a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed:

ASA-6-302016
ASA-6-302015
ASA-7-609001
ASA-7-609002
ASA-6-302013
ASA-6-302014
ASA-6-302020
ASA-6-302021
ASA-6-305012
ASA-6-305011

Everything else other than this I would like to index to a certain specified index.

Can someone tell me from start to finish how I would do this, as far as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed.

The documentation is a little tricky for me to understand so maybe an example will make me understand better.

Appreciate any help you can provide.

Thanks.

Brian

1 Solution

Splunk Employee
 props.conf

 [yoursourcetype]
 TRANSFORMS-null = setnull

 transforms.conf

 [setnull]
 REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
 DEST_KEY = queue
 FORMAT = nullQueue


Engager

or - better yet, why not save yourself the unnecessary log traffic and load on the ASA anyway and just turn those message numbers off at the source.

ex>
asa-firewall# conf t

asa-firewall(conf)# no logging message 302016

asa-firewall(conf)# no logging message 302015

etc.

-Chris


Contributor

sorry, once again this forum code is a pita and takes a single \ as a special char.

it should be
%ASA-(\w+-)?[67]-(code|code|code|code)

0 Karma

Contributor

your regex will fail with the 8.4+ ASA (need to verify actual revs), it comes in with %ASA-session- in it,
see http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change

so you might modify the regex to be
%ASA-(session-)?[67]-(code|code|code|code)
or
%ASA-(\w+-)?[67]-(code|code|code|code)

0 Karma
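As an added example (not code from the thread or from Splunk), the script below simulates what the accepted answer's transforms.conf stanza does to raw ASA events, and shows the gap the comments above point out: the verbatim REGEX from the answer never matches the "%ASA-session-" form, while the revised "%ASA-(\w+-)?[67]-(...)" pattern does. It also generates a REGEX from a plain list of message IDs, with two changes a practitioner would want: it ignores the severity digit (an ASA operator can re-level any message with `logging message <id> level <n>`) and it requires the ":" that always follows an ASA message ID, so that IDs can only match whole. The sample events, hostnames and addresses are constructed; the log line layout assumed is "<timestamp> <host> <ASA message>", as syslog-ng would typically write it. Two things the answer leaves implicit: the `[yoursourcetype]` stanza name must equal the `sourcetype` you assign on the `[monitor://...]` stanza in inputs.conf (where the `index` for the kept events is also set), and TRANSFORMS stanzas only run where parsing happens, i.e. on an indexer or heavy forwarder, not on a universal forwarder.

```python
import re

# The ten message IDs the question wants kept out of the index.
NOISY_IDS = ["302016", "302015", "609001", "609002", "302013",
             "302014", "302020", "302021", "305012", "305011"]

# REGEX from the accepted answer, copied verbatim.
ORIGINAL_REGEX = (r"ASA-[67]-(302016|302015|609001|609002|302013"
                  r"|302014|302020|302021|305012|305011)")

# The revision proposed in the comments, with its "code|code|code"
# placeholder filled in with the same ten IDs. The optional (\w+-) group
# absorbs the "session-" token that newer ASA releases insert between
# "%ASA-" and the severity digit.
REVISED_REGEX = (r"%ASA-(\w+-)?[67]-(302016|302015|609001|609002|302013"
                 r"|302014|302020|302021|305012|305011)")

# Pulls the six-digit message ID out of a raw ASA event, old or new format.
MSG_ID_RE = re.compile(r"%ASA-(?:\w+-)?\d-(\d{6}):")

# Constructed sample events (not taken from the thread); the syslog-ng file
# layout is assumed to be "<timestamp> <host> <ASA message>". Three are
# noisy IDs in the classic format, one is a noisy ID in the "%ASA-session-"
# format, and three are events that must reach the index.
SAMPLE_EVENTS = [
    "Mar  1 10:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 1234 "
    "for outside:203.0.113.5/4431 (203.0.113.5/4431) to inside:10.0.0.7/443 (10.0.0.7/443)",
    "Mar  1 10:00:02 fw1 %ASA-6-302014: Teardown TCP connection 1234 for "
    "outside:203.0.113.5/4431 to inside:10.0.0.7/443 duration 0:00:01 bytes 842 TCP FINs",
    "Mar  1 10:00:03 fw1 %ASA-6-106015: Deny TCP (no connection) from "
    "198.51.100.9/5555 to 10.0.0.7/22 flags SYN on interface outside",
    "Mar  1 10:00:04 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/6000 "
    "dst inside:10.0.0.7/3389 by access-group \"outside_in\"",
    "Mar  1 10:00:05 fw1 %ASA-session-6-302016: Teardown UDP connection 77 for "
    "outside:198.51.100.9/53 to inside:10.0.0.7/5353 duration 0:00:00 bytes 120",
    "Mar  1 10:00:06 fw1 %ASA-7-609001: Built local-host outside:203.0.113.5",
    "Mar  1 10:00:07 fw1 %ASA-6-605005: Login permitted from 10.0.0.9/50000 "
    "to inside:10.0.0.1/ssh for user \"admin\"",
]


def build_null_regex(message_ids):
    """Build a transforms.conf REGEX for any list of ASA message IDs.

    Two deliberate differences from the thread's regexes: the severity
    digit is not checked, because an ASA operator can re-level any message
    with `logging message <id> level <n>`; and the ':' that always follows
    an ASA message ID is required, so 302013 cannot match inside 3020131.
    """
    ids = sorted(set(message_ids))
    return r"%ASA-(?:\w+-)?\d-(?:" + "|".join(re.escape(i) for i in ids) + r"):"


def route(event, regex):
    """Queue Splunk sends a raw event to under a transform that sets
    DEST_KEY = queue / FORMAT = nullQueue: nullQueue when REGEX matches
    anywhere in _raw (the match is an unanchored search), otherwise the
    default indexQueue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def apply_filter(events, regex):
    """Route every event and return (dropped_ids, kept_ids) in input order."""
    dropped, kept = [], []
    for event in events:
        m = MSG_ID_RE.search(event)
        msg_id = m.group(1) if m else "?"
        (dropped if route(event, regex) == "nullQueue" else kept).append(msg_id)
    return dropped, kept


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_REGEX),
                     ("revised", REVISED_REGEX),
                     ("generated", build_null_regex(NOISY_IDS))):
        dropped, kept = apply_filter(SAMPLE_EVENTS, rx)
        print(f"{name:9s} dropped={dropped} kept={kept}")
```

Running it shows the original REGEX letting the "%ASA-session-6-302016" event through to the index while the revised and generated patterns drop it; everything not on the list (106015, 106023, 605005) is kept by all three. To use the generated pattern, paste the string `build_null_regex(NOISY_IDS)` returns into the `REGEX =` line of the `[setnull]` stanza and restart the indexer or heavy forwarder that parses the data.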

Splunk Employee
Splunk Employee

glad to help!

0 Karma

Contributor

Thank You!!!

0 Karma

Contributor

Anything guys?

0 Karma