Hello all,
We are collecting Cisco firewall logs into Splunk and have installed the "Splunk for Cisco Firewalls" application. There is a particular event id that is generated due to our Websense integration, ASA-5-304001 or PIX-5-304001, which indicates a user has visited a website. To enable better reporting on this type of log, I wanted to create a custom sourcetype of cisco_websense and parse out some of the data. These are the modifications I have made to transforms.conf and props.conf:
transforms.conf modifications
[force_sourcetype_for_cisco_websense]
DEST_KEY = MetaData:Sourcetype
REGEX = %(ASA|PIX)-5-304001
FORMAT = sourcetype::cisco_websense
[cisco_websense-ip_addresses]
# three capture groups are needed, one per field named in FORMAT ($1, $2, $3)
REGEX = (\d{1,3}(?:\.\d{1,3}){3}).*?(\d{1,3}(?:\.\d{1,3}){3}).*?(\d{1,3}(?:\.\d{1,3}){3})
FORMAT = host::$1 src_ip::$2 dst_ip::$3
[cisco_websense-URL]
# capture the whole URL, not just the leading "/" or "http:"
REGEX = ((?:/|http:)\S*)
FORMAT = url::$1
props.conf modifications
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_websense, force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall
[cisco_websense]
REPORT-websense = ciscosyslog-eventinfo, cisco_websense-ip_addresses, cisco_websense-URL
lookup_table = err_code_lookup error_code
LOOKUP-vendor_info_for_cisco_firewall = cisco_firewall_vendor_info_lookup sourcetype OUTPUT vendor,product
For some reason I cannot figure out, after restarting Splunk the custom sourcetype cisco_websense is not being recognized. Any help with this issue is greatly appreciated.
Thank you.
I decided it was best to create transforms for the fields I wanted to extract instead of creating a completely different sourcetype. It appears to be working as I wanted it to.
Thanks!
To illustrate this more clearly, here is the sourcetype definition for cisco_pix:
[force_sourcetype_for_cisco_pix]
DEST_KEY = MetaData:Sourcetype
REGEX = %PIX-\d+-\d+
FORMAT = sourcetype::cisco_pix
Here is the sourcetype definition for cisco_websense:
[force_sourcetype_for_cisco_websense]
DEST_KEY = MetaData:Sourcetype
REGEX = %(ASA|PIX)-5-304001
FORMAT = sourcetype::cisco_websense
Thanks!
Okay...I think I know what is happening. I am trying to define a sourcetype that is a more specific case, cisco_websense, of a sourcetype that is already defined (cisco_asa and cisco_pix).
How does Splunk handle the case where it matches multiple sourcetype definitions? I would think there would be a defined mechanism for determining precedence of the sourcetype definitions.
Thanks!
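As an added example that is not part of this thread, the following Python simulation reproduces the two pieces of Splunk behaviour the posts touch on: a TRANSFORMS- list is walked in the order written, every transform whose REGEX matches writes its FORMAT value into MetaData:Sourcetype, so the last matching transform wins; and a REPORT- extraction only yields fields if the REGEX has a capture group for each $n in FORMAT. The sample syslog line, the force_sourcetype_for_cisco_asa stanza (modelled on the cisco_pix one) and the helper names are constructed for this example; the websense stanzas use the regexes with capture groups added.

```python
import re

# Constructed sample in the ASA-5-304001 format: syslog host, then the firewall message
SAMPLE = ("192.0.2.1 : %ASA-5-304001: 10.0.0.5 Accessed URL "
          "203.0.113.10:http://www.example.com/index.html")

# Sourcetype transforms in the order the post lists them in TRANSFORMS-force-sourcetype_for_cisco_devices.
# The cisco_asa stanza is assumed here, patterned on the cisco_pix one shown in the thread.
SOURCETYPE_TRANSFORMS = [
    ("force_sourcetype_for_cisco_websense", r"%(ASA|PIX)-5-304001", "cisco_websense"),
    ("force_sourcetype_for_cisco_pix", r"%PIX-\d+-\d+", "cisco_pix"),
    ("force_sourcetype_for_cisco_asa", r"%ASA-\d+-\d+", "cisco_asa"),
]

# REPORT-websense extractions: (REGEX, field names in $1..$n order)
FIELD_TRANSFORMS = {
    "cisco_websense-ip_addresses": (
        r"(\d{1,3}(?:\.\d{1,3}){3}).*?(\d{1,3}(?:\.\d{1,3}){3}).*?(\d{1,3}(?:\.\d{1,3}){3})",
        ("host", "src_ip", "dst_ip"),
    ),
    "cisco_websense-URL": (r"((?:/|http:)\S*)", ("url",)),
}


def resolve_sourcetype(event, transforms):
    """Walk the transforms in list order; each match overwrites the
    single DEST_KEY (MetaData:Sourcetype), so the last match wins."""
    sourcetype = None
    for _name, regex, value in transforms:
        if re.search(regex, event):
            sourcetype = value
    return sourcetype


def extract_fields(event, transforms):
    """Apply each REPORT extraction; $n in FORMAT maps to capture group n.
    A regex with fewer groups than FORMAT names yields nothing for the extras."""
    fields = {}
    for regex, names in transforms.values():
        m = re.search(regex, event)
        if m:
            fields.update(zip(names, m.groups()))
    return fields


def websense_last(transforms):
    """Reorder so the more specific 304001 transform runs after the generic ones."""
    generic = [t for t in transforms if t[0] != "force_sourcetype_for_cisco_websense"]
    specific = [t for t in transforms if t[0] == "force_sourcetype_for_cisco_websense"]
    return generic + specific


if __name__ == "__main__":
    print("as listed in the post:", resolve_sourcetype(SAMPLE, SOURCETYPE_TRANSFORMS))
    print("websense moved last:  ", resolve_sourcetype(SAMPLE, websense_last(SOURCETYPE_TRANSFORMS)))
    print(extract_fields(SAMPLE, FIELD_TRANSFORMS))
```

With the post's ordering the generic cisco_asa transform runs after the websense one and overwrites the sourcetype; moving the 304001 transform to the end of the TRANSFORMS- list is what lets the more specific match stick.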