Getting Data In
Highlighted

props.conf not working

Explorer

Hello,

I try to user props.conf to change the sourcetype (in this case from cisco:asa to something else)
I've set up a props.conf and transforms.conf in the "local" folder. But this doesn't work at all.

Here is the props.conf:

[source::udp:514]
TRANSFORMS-changesourcetype = syslog_ciscoesatextmail
TRANSFORMS-changesourcetype = syslog_rsaauthmgr 

Here is the transforms.conf:

[syslog_ciscoesatextmail]
REGEX = :dds+(?:d+s+|(?:user|daemon|local.?).w+s+)*[?(10.1.1.152|10.1.1.153)[w.-]{2,})]?s 
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype

[syslog_rsaauthmgr]
REGEX = :dds+(?:d+s+|(?:user|daemon|local.?).w+s+)*[?(10.1.1.24|10.1.1.25)[w.-]{2,})]?s
FORMAT = sourcetype::RSA_AUTH_MGR
DEST_KEY = MetaData:Sourcetype

In the search app I still see the logs from the specified host as sourcetype:syslog

What am I doing wrong?
A restart has already been done with | extract reload=true and with service restart in windows.

0 Karma
Highlighted

Re: props.conf not working

Splunk Employee
Splunk Employee

Is your data coming in as syslog from a file, with the host in each event? Can you show your input configuration?
Also some of the cisco addons override sourcetypes and this may be what's getting it set to cisco:asa

0 Karma
Highlighted

Re: props.conf not working

Explorer

I've set up UDP 514 as sourcetype cisco:asa. I did this because about 90% of the syslogging systems are cisco:asa.

but I have some other vendor / hardware like RSA SecurID Appliance, BlueCoat Proxy SG and Netscaler sending also via syslog. The syslog is directly send to my splunk enterprise server.

The following apps are installed on the splunk server:
Cisco Security Suite
Splunk Add-on for Cisco ASA
Splunk Add-on for Cisco ESA
Splunk Add-on for Cisco WSA

Do you need further information?
Sorry, but I am very new in configuring splunk. This is my first week with this product.

0 Karma
Highlighted

Re: props.conf not working

Splunk Employee
Splunk Employee

No problem and welcome to using Splunk! My next question is do the hosts show up with IP addresses in Splunk in the host field, or do they have DNS names?

0 Karma
Highlighted

Re: props.conf not working

Explorer

the hosts show up with ip addresses. we have no dns resolution for this hosts.

Or is there any way to do an automatic sourcetype detection?
Thanks so far!

0 Karma
Highlighted

Re: props.conf not working

Motivator

To override a sourcetype, you need to use both transforms.conf and props.conf. Here is the information from the docs: Override sourcetypes on a per event basis. Try configuring your props.conf and transforms.conf as shown there and see if it works better for you.

Highlighted

Re: props.conf not working

Explorer

I've tried to do this, but this won't work.

Here is the props.conf:
[source::udp:514]
TRANSFORMS-changesourcetype = syslogciscoesatextmail
TRANSFORMS-changesourcetype = syslog
rsaauthmgr

Here is the transforms.conf:

[syslogciscoesatextmail]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(10.1.1.152|10.1.1.153)[\w.-]{2,})]?\s
FORMAT = sourcetype::cisco:esa:textmail
DEST
KEY = MetaData:Sourcetype

[syslogrsaauthmgr]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(10.1.1.24|10.1.1.25)[\w.-]{2,})]?\s
FORMAT = sourcetype::RSA
AUTHMGR
DEST
KEY = MetaData:Sourcetype

In the search app I still see the logs from the specified host as sourcetype:syslog

0 Karma