Solved: SourceType using Props.conf and Transforms.conf

rmcdougal · ‎06-07-2012

Ok, so here is the deal. I will have quite a few different types of events coming through on UDP 514 and need to sourcetype them differently. I have read enough to find that this is supposed to be possible, however I can't get it to work. Here is what I have so far.

To start with here is a sample event stream.

Jun  7 14:25:25 10.220.5.27 8417003: *Jun  7 14:22:01.037 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.115(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:27 10.220.5.27 8417004: *Jun  7 14:22:02.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.116(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:28 10.220.5.27 8417005: *Jun  7 14:22:03.493 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.52(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:29 10.220.5.27 8417006: *Jun  7 14:22:04.905 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.71(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:31 10.220.5.27 8417007: *Jun  7 14:22:06.445 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.152(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:33 10.220.5.27 8417008: *Jun  7 14:22:08.325 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.54(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:34 10.220.5.27 8417009: *Jun  7 14:22:09.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.66(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:36 10.220.5.27 8417010: *Jun  7 14:22:12.093 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.49(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:38 10.220.5.27 8417011: *Jun  7 14:22:13.341 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.64(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:39 10.220.5.27 8417012: *Jun  7 14:22:14.693 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.55(5510) -> 255.255.255.255(5510), 1 packet

Now what I would like to do is to use the device IP address (10.220.5.27) as a means to sourcetype this type of event. This is what I have in my props and transforms right now on the indexer

props.conf

[source::UDP:514]
TRANSFORMS-transCisco = transCisco

transforms.conf

[transCisco]
REGEX=10.220.5.27
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype

richprescott · ‎06-07-2012

Try this stanza instead:

[transCisco] REGEX=(10\.220\.5\.27) FORMAT= sourcetype::$1 DEST_KEY = MetaData:Sourcetype

View solution in original post

DrewO · ‎06-07-2012

Your REGEX needs to escape the periods to match an actual period instead of the REGEX special character .

should be REGEX = 10\.220\.5\.27

Otherwise looks good.

richprescott · ‎06-07-2012

Try this stanza instead:

[transCisco] REGEX=(10\.220\.5\.27) FORMAT= sourcetype::$1 DEST_KEY = MetaData:Sourcetype

rmcdougal · ‎06-13-2012

Figured it out. "UDP" was capitalized in props.conf

Should have been like this

[source::udp:514] TRANSFORMS-changesourcetype = change_to_cisco_syslog

rmcdougal · ‎06-12-2012

Thank you for your help!

Unfortunately this is still not working, it is still being put into Splunk as sourcetype UDP:514. Here is my current props and transforms configs

[props.conf]

[source::UDP:514] TRANSFORMS-changesourcetype = change_to_cisco_syslog

[Tranforms.conf]

[change_to_cisco_syslog] REGEX = (10\.220\.5\.27) FORMAT= sourcetype::cisco_syslog DEST_KEY = MetaData:Sourcetype

SourceType using Props.conf and Transforms.conf

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies