Cisco ASA Regex filtering needed
Hello Splunk community,
I am in need of some regex help. We have been receiving a large amount of logs that we do not want to see in Splunk and need to filter them out on the heavy forwarder. These logs reach out to a series of IP ranges and the messages are all the same. I need a regex expression to put into our transforms.conf file to filter these logs out before they get indexed.
For example, let's say that the IP ranges are 22.214.171.124/24, 126.96.36.199/24, 188.8.131.52/24, and 184.108.40.206/24. We want to make a filter for Cisco ASA logs that excludes all logs that include any of those IP ranges AND teardown or build events. This way, in case important information does come in from these IPs some day, we simply tune out the noise of these connection events without simply filtering the IPs completely.
Here is an example of one of the events (IP addresses redacted)
Sep 18 14:55:36 XX.XXX.XX.XX %ASA-6-302014: Teardown TCP connection 871094319 for outside-LT1:XXX.XXX.XX.XXX/443 to Inside:XX.XX.XX.XXX/50198 duration 0:00:00 bytes 0 TCP FINs from Inside
I'm not quite sure, if I got your point (filter events based on IP-ranges AND the words "Teardown" or "Build" before index-time?) but this regex should match events where "Teardown" or "Build" AND given first three octets exist:
Simply replace the octets as needed.
We did something similar to this, appreciate your help!