Hello everyone!
I'm trying to use props/ transforms to set a sourcetype and change the hostname of my devices. Currently they are coming in as sourcetype=syslog
My event looks like this:
Apr 3 22:37:36 10.77.265.178 1 1491277141.711671730 NAME_LOC_FW1 events Site-to-site VPN: notification INVALID-ID-INFORMATION received in informational exchange.
I want to extract "NAME_LOC_FW1" and change the sourcetype to meraki as well as change the host to "NAME_LOC_FW1"
I have the following props:
[syslog]
TRANFORMS-changesourcetypes = NAME_LOC_FW1
[syslog]
TRANSFORMS-changehost = NAME_LOC_FW1_HOST
And the following transforms:
[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki
[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (?)(NAME_LOC_FW1)
FORMAT = host::$1
This isn't working... Can anyone tell me what I'm doing wrong?
Also, this is implemented on a Heavy Forwarder.
Thanks a lot!
JG
What about configuring meraki to send on a different port than 514 and just force all incoming data on that port to type meraki?
Assuming that the value in the _raw is literally NAME_LOC_FW1
and you literally want the literal NAME_LOC_FW1
as your hostname...
### props.conf
[syslog]
TRANFORMS-fw1 = NAME_LOC_FW1,NAME_LOC_FW1_HOST
##transforms.conf
[NAME_LOC_FW1]
Regex = (NAME_LOC_FW1)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::meraki
[NAME_LOC_FW1_HOST]
DEST_KEY = MetaData:Host
REGEX = (NAME_LOC_FW1)
FORMAT = NAME_LOC_FW1
Warning - those stanzas will redirect any event that has that literal anywhere in the event. If that is not the behavior that you would like, then the regex should be made more specific.
Hi jgorman_THG,
I'm not sure about your regex, try with a different one, something like this
\w+\s\d+\s\d+:\d+:\d+\s\d+\.\d+\.\d+\.\d+\s\d+\s\d+\.\d+\s(?<host>[^ ]*)
you can try it on https://regex101.com/r/g9PJJD/1
Bye.
Giuseppe
Hi Guiseppe!
That didn't seem to work... I agree though, it's probably a regex problem. I'm not super strong in regex...
go in regex101.com and insert your log and my regex and verify if it's correct, maybe there's something different in your production logs.
Using the one you inserted in this question the regex is correct.
Bye.
Giuseppe