Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

props.conf not working

MOberschelp
Explorer
‎02-27-2015 02:23 AM

Hello,

I try to user props.conf to change the sourcetype (in this case from cisco:asa to something else)
I've set up a props.conf and transforms.conf in the "local" folder. But this doesn't work at all.

Here is the props.conf:

[source::udp:514]
TRANSFORMS-changesourcetype = syslog_ciscoesatextmail
TRANSFORMS-changesourcetype = syslog_rsaauthmgr

Here is the transforms.conf:

[syslog_ciscoesatextmail]
REGEX = :dds+(?:d+s+|(?:user|daemon|local.?).w+s+)*[?(10.1.1.152|10.1.1.153)[w.-]{2,})]?s 
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype

[syslog_rsaauthmgr]
REGEX = :dds+(?:d+s+|(?:user|daemon|local.?).w+s+)*[?(10.1.1.24|10.1.1.25)[w.-]{2,})]?s
FORMAT = sourcetype::RSA_AUTH_MGR
DEST_KEY = MetaData:Sourcetype

In the search app I still see the logs from the specified host as sourcetype:syslog

What am I doing wrong?
A restart has already been done with | extract reload=true and with service restart in windows.

0 Karma
Reply

wpreston
Motivator
‎02-27-2015 06:08 AM

To override a sourcetype, you need to use both transforms.conf and props.conf. Here is the information from the docs: Override sourcetypes on a per event basis. Try configuring your props.conf and transforms.conf as shown there and see if it works better for you.

Reply

MOberschelp
Explorer
‎03-11-2015 02:33 AM

I've tried to do this, but this won't work.

Here is the props.conf:
[source::udp:514]
TRANSFORMS-changesourcetype = syslog_ciscoesatextmail
TRANSFORMS-changesourcetype = syslog_rsaauthmgr

Here is the transforms.conf:

[syslog_ciscoesatextmail]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(10.1.1.152|10.1.1.153)[\w.-]{2,})]?\s
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype

[syslog_rsaauthmgr]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(10.1.1.24|10.1.1.25)[\w.-]{2,})]?\s
FORMAT = sourcetype::RSA_AUTH_MGR
DEST_KEY = MetaData:Sourcetype

In the search app I still see the logs from the specified host as sourcetype:syslog

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎02-27-2015 02:32 AM

Is your data coming in as syslog from a file, with the host in each event? Can you show your input configuration?
Also some of the cisco addons override sourcetypes and this may be what's getting it set to cisco:asa

0 Karma
Reply

MOberschelp
Explorer
‎02-27-2015 02:39 AM

I've set up UDP 514 as sourcetype cisco:asa. I did this because about 90% of the syslogging systems are cisco:asa.

but I have some other vendor / hardware like RSA SecurID Appliance, BlueCoat Proxy SG and Netscaler sending also via syslog. The syslog is directly send to my splunk enterprise server.

The following apps are installed on the splunk server:
Cisco Security Suite
Splunk Add-on for Cisco ASA
Splunk Add-on for Cisco ESA
Splunk Add-on for Cisco WSA

Do you need further information?
Sorry, but I am very new in configuring splunk. This is my first week with this product.

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎02-27-2015 02:55 AM

No problem and welcome to using Splunk! My next question is do the hosts show up with IP addresses in Splunk in the host field, or do they have DNS names?

0 Karma
Reply

MOberschelp
Explorer
‎02-27-2015 03:07 AM

the hosts show up with ip addresses. we have no dns resolution for this hosts.

Or is there any way to do an automatic sourcetype detection?
Thanks so far!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...