Splunk Enterprise Security

Splunk Add-on for Cisco ASA: Will you help me create a regex expression for a transforms.conf file which filters certain logs out before indexing?

Tylerdygert
Path Finder

Cisco ASA Regex filtering needed

Hello Splunk community,

I am in need of some regex help. We have been receiving a large amount of logs that we do not want to see in Splunk and need to filter them out on the heavy forwarder. These logs reach out to a series of IP ranges and the messages are all the same. I need a regex expression to put into our transforms.conf file to filter these logs out before they get indexed.

For example, let's say that the IP ranges are 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24, and 4.4.4.0/24. We want to make a filter for Cisco ASA logs that excludes all logs that include any of those IP ranges AND teardown or build events. This way, in case important information does come in from these IPs some day, we simply tune out the noise of these connection events without simply filtering the IPs completely.

Here is an example of one of the events (IP addresses redacted):
Sep 18 14:55:36 XX.XXX.XX.XX %ASA-6-302014: Teardown TCP connection 871094319 for outside-LT1:XXX.XXX.XX.XXX/443 to Inside:XX.XX.XX.XXX/50198 duration 0:00:00 bytes 0 TCP FINs from Inside

0 Karma
1 Solution

xeaon
Explorer

Hi,

I'm not quite sure if I got your point (filter events based on IP ranges AND the words "Teardown" or "Build" before index time?), but this regex should match events where "Teardown" or "Build" AND the given first three octets exist:

(Teardown|Build).*2\.2\.2\.\d{1,3}

Simply replace the octets as needed.

0 Karma
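As an added example (not code from the thread), the following shows the props.conf/transforms.conf pair the question is asking about, extended to all four /24 ranges in one stanza, together with a Python check of that regex against constructed ASA events. Assumptions: the events carry the Splunk Add-on for Cisco ASA sourcetype cisco:asa, the stanza names (asa_drop_conn_noise, drop_noise) are my own, and all IP addresses are made up. Compared with the one-range regex in the answer, the dots are escaped so "2.2.2" cannot match "2a2b2", and a word boundary stops "12.2.2.5" from being treated as part of 2.2.2.0/24. ASA connection-build messages (302013, 302015) use the word "Built", so the alternation here uses that spelling.

```python
import re

# Added example, not from the thread: Splunk nullQueue filter for noisy ASA
# connection events, plus a Python check of the regex on constructed events.
#
# On the heavy forwarder, props.conf routes cisco:asa events (sourcetype of the
# Splunk Add-on for Cisco ASA; assumed here) through a transform, and
# transforms.conf sends matching events to nullQueue, which drops them before
# they are indexed. Stanza names are my own choice:
#
#   # props.conf
#   [cisco:asa]
#   TRANSFORMS-drop_noise = asa_drop_conn_noise
#
#   # transforms.conf
#   [asa_drop_conn_noise]
#   REGEX = (?:Teardown|Built).*\b(?:1\.1\.1|2\.2\.2|3\.3\.3|4\.4\.4)\.\d{1,3}\b
#   DEST_KEY = queue
#   FORMAT = nullQueue
#
# The same regex is checked below with Python's re module; the constructs used
# behave the same under Splunk's PCRE engine.

# The /24 ranges from the question, as first-three-octet prefixes.
NOISY_PREFIXES = ["1.1.1", "2.2.2", "3.3.3", "4.4.4"]


def build_drop_regex(prefixes):
    """Build the filter regex: a Built/Teardown message that mentions a host in
    one of the listed /24 prefixes. Dots are escaped so "2.2.2" cannot match
    "2a2b2", and \\b keeps "12.2.2.5" from matching the 2.2.2.0/24 prefix."""
    alternation = "|".join(re.escape(p) for p in prefixes)
    return re.compile(r"(?:Teardown|Built).*\b(?:%s)\.\d{1,3}\b" % alternation)


DROP_RE = build_drop_regex(NOISY_PREFIXES)


def should_drop(event):
    """True if the transform above would route this event to nullQueue."""
    return DROP_RE.search(event) is not None


def filter_events(events):
    """Return only the events that would still reach the index."""
    return [e for e in events if not should_drop(e)]


# Constructed sample events in the format shown in the question (IPs made up).
SAMPLE_EVENTS = [
    # Teardown to a host in 2.2.2.0/24: noise, dropped
    "Sep 18 14:55:36 10.0.0.1 %ASA-6-302014: Teardown TCP connection 871094319 for outside-LT1:2.2.2.45/443 to Inside:10.1.1.20/50198 duration 0:00:00 bytes 0 TCP FINs from Inside",
    # Built to a host in 3.3.3.0/24: noise, dropped
    "Sep 18 14:55:36 10.0.0.1 %ASA-6-302013: Built outbound TCP connection 871094320 for outside-LT1:3.3.3.7/443 (3.3.3.7/443) to Inside:10.1.1.20/50199 (10.0.0.1/50199)",
    # Deny involving 2.2.2.0/24: not a build/teardown event, kept
    "Sep 18 14:55:37 10.0.0.1 %ASA-4-106023: Deny tcp src outside-LT1:2.2.2.45/443 dst Inside:10.1.1.20/50200 by access-group \"outside_in\"",
    # Teardown to a host outside the listed ranges: kept
    "Sep 18 14:55:38 10.0.0.1 %ASA-6-302014: Teardown TCP connection 871094321 for outside-LT1:198.51.100.9/443 to Inside:10.1.1.20/50201 duration 0:00:01 bytes 1200 TCP FINs from Inside",
    # Teardown to 12.2.2.5: contains "2.2.2" as a substring but is another network, kept
    "Sep 18 14:55:39 10.0.0.1 %ASA-6-302014: Teardown TCP connection 871094322 for outside-LT1:12.2.2.5/443 to Inside:10.1.1.20/50202 duration 0:00:01 bytes 800 TCP FINs from Inside",
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("DROP" if should_drop(e) else "KEEP", e[:70])
```

Running the script prints DROP for the first two constructed events and KEEP for the other three, which is the behaviour the question asks for: connection noise to the listed ranges is suppressed, while denies and other message types from the same addresses still reach the index.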

Tylerdygert
Path Finder

We did something similar to this, appreciate your help!

0 Karma