
Splunk Add-on for Cisco ASA: Will you help me create a regex expression for a transforms.conf file which filters certain logs out before indexing?

Cisco ASA Regex filtering needed

Hello Splunk community,

I am in need of some regex help. We have been receiving a large amount of logs that we do not want to see in Splunk and need to filter them out on the heavy forwarder. These logs reach out to a series of IP ranges and the messages are all the same. I need a regex expression to put into our transforms.conf file to filter these logs out before they get indexed.

For example, let's say that the IP ranges are 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24, and 4.4.4.0/24. We want to make a filter for Cisco ASA logs that excludes all logs that include any of those IP ranges AND teardown or build events. This way, in case important information does come in from these IPs some day, we simply tune out the noise of these connection events without simply filtering the IPs completely.

Here is an example of one of the events (IP addresses redacted):
Sep 18 14:55:36 XX.XXX.XX.XX %ASA-6-302014: Teardown TCP connection 871094319 for outside-LT1:XXX.XXX.XX.XXX/443 to Inside:XX.XX.XX.XXX/50198 duration 0:00:00 bytes 0 TCP FINs from Inside


Re: Splunk Add-on for Cisco ASA: Will you help me create a regex expression for a transforms.conf file which filters certain logs out before indexing?

Hi,

I'm not quite sure if I got your point (filter events based on IP ranges AND the words "Teardown" or "Build" before index time?), but this regex should match events where "Teardown" or "Build" AND the given first three octets exist:

(Teardown|Built).*2\.2\.2\.\d{1,3}

Simply replace the octets as needed.

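As an added example (not code from this thread or from the Splunk add-on), the script below generalizes the single-range regex to all four hypothetical /24 ranges from the question, escapes the dots, adds word boundaries so that 22.2.2.10 is not mistaken for 2.2.2.10, emits the matching props.conf/transforms.conf nullQueue stanzas, and dry-runs the filter against constructed ASA events so you can confirm what the heavy forwarder would drop before deploying. The sourcetype cisco:asa, the stanza names and every IP address are assumptions.

```python
import re
from typing import List

# Hypothetical /24 prefixes to tune out (the ranges used in the question).
NOISY_PREFIXES = ["1.1.1", "2.2.2", "3.3.3", "4.4.4"]

# Constructed ASA events; all addresses and interface names are placeholders.
SAMPLE_EVENTS = [
    "Sep 18 14:55:36 10.0.0.1 %ASA-6-302014: Teardown TCP connection 871094319 for outside-LT1:2.2.2.10/443 to Inside:10.1.1.5/50198 duration 0:00:00 bytes 0 TCP FINs from Inside",
    "Sep 18 14:55:37 10.0.0.1 %ASA-6-302013: Built inbound TCP connection 871094320 for outside-LT1:4.4.4.7/443 (4.4.4.7/443) to Inside:10.1.1.5/50199 (10.1.1.5/50199)",
    "Sep 18 14:55:38 10.0.0.1 %ASA-4-106023: Deny tcp src outside-LT1:2.2.2.10/443 dst Inside:10.1.1.5/50198 by access-group outside_in",
    "Sep 18 14:55:39 10.0.0.1 %ASA-6-302014: Teardown TCP connection 871094321 for outside-LT1:22.2.2.10/443 to Inside:10.1.1.5/50200 duration 0:00:01 bytes 512 TCP FINs from Inside",
    "Sep 18 14:55:40 10.0.0.1 %ASA-6-302014: Teardown TCP connection 871094322 for outside-LT1:198.51.100.9/443 to Inside:10.1.1.5/50201 duration 0:00:03 bytes 2048 TCP FINs from Inside",
]


def build_filter_regex(prefixes: List[str]) -> str:
    """REGEX value for the transforms.conf stanza: ASA build/teardown messages
    (which read "Built ..." / "Teardown ...") that mention a host in a listed /24.
    Dots are escaped and \\b guards both ends so 22.2.2.10 is not taken for 2.2.2.10."""
    alts = "|".join(re.escape(p) for p in prefixes)
    return rf"(Teardown|Built)\b.*\b(?:{alts})\.\d{{1,3}}\b"


def is_noise(event: str, prefixes: List[str]) -> bool:
    """True if the heavy forwarder would route this event to nullQueue."""
    return re.search(build_filter_regex(prefixes), event) is not None


def keep_events(events: List[str], prefixes: List[str]) -> List[str]:
    """Simulate the forwarder: return only the events that would be indexed."""
    return [e for e in events if not is_noise(e, prefixes)]


def splunk_stanzas(sourcetype: str, prefixes: List[str]) -> str:
    """props.conf + transforms.conf text that drops the matches before indexing."""
    return (
        f"# props.conf\n[{sourcetype}]\nTRANSFORMS-drop_noisy_conn = asa_drop_noisy_conn\n\n"
        "# transforms.conf\n[asa_drop_noisy_conn]\n"
        f"REGEX = {build_filter_regex(prefixes)}\nDEST_KEY = queue\nFORMAT = nullQueue\n"
    )


if __name__ == "__main__":
    print(splunk_stanzas("cisco:asa", NOISY_PREFIXES))
    for e in keep_events(SAMPLE_EVENTS, NOISY_PREFIXES):
        print("KEEP:", e[:60])
```

The Deny event from 2.2.2.10 survives the filter, which is the behaviour the question asks for: only the connection build/teardown chatter from those ranges is dropped.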

Re: Splunk Add-on for Cisco ASA: Will you help me create a regex expression for a transforms.conf file which filters certain logs out before indexing?

We did something similar to this, appreciate your help!
