Including the remote address in the UDP input stanza is deprecated. Instead, you'll want to use transforms to change the index and/or sourcetype.
In transforms.conf, something like this:
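[sendto_network_firewall]
# Index-time host metadata is read from MetaData:Host; its value carries a "host::" prefix
SOURCE_KEY = MetaData:Host
REGEX = ^host::172\.16\.1\.1$
# The index key has a leading underscore, and FORMAT is the bare index name
DEST_KEY = _MetaData:Index
FORMAT = network_firewall

[change_asa_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = ^host::172\.16\.1\.1$
# The sourcetype key takes a "sourcetype::" prefix in FORMAT
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa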
In props.conf, you'd reference these stanza names in a TRANSFORM entry:
[source::udp:514]
# The setting name is TRANSFORMS-<class>; transforms in one list run left to right
TRANSFORMS-asa_fixups = sendto_network_firewall, change_asa_sourcetype
TRANSFORMS-other_fixup = sendto_other_index, change_another_sourcetype
It should be noted that changing sourcetypes is kinda messy. Many pieces of config reference sourcetype. Do they fire before or after your change? It makes things more complicated, prone to mistakes, and harder to troubleshoot. Just my 2 cents.
EDIT: fixed per sjohnson's post. Good catch!
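A small lint for this kind of configuration, as an added example that is not part of the original post: it checks that every transform named in props.conf exists in transforms.conf, and that index and sourcetype rewrites follow the key and FORMAT conventions of Splunk's transforms.conf spec. The sample input is constructed, and `load` and `lint` are hypothetical helpers, not Splunk tools.

```python
import configparser
# Constructed sample input modelled on the stanzas in the post above.
TRANSFORMS_CONF = r"""
[sendto_network_firewall]
SOURCE_KEY = MetaData:Host
REGEX = ^host::172\.16\.1\.1$
DEST_KEY = _MetaData:Index
FORMAT = network_firewall
[change_asa_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = ^host::172\.16\.1\.1$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
"""
PROPS_CONF = """
[source::udp:514]
TRANSFORMS-asa_fixups = sendto_network_firewall, change_asa_sourcetype
TRANSFORMS-other_fixup = sendto_other_index, change_another_sourcetype
"""

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def lint(props_text, transforms_text):  # hypothetical helper, not a Splunk tool
    props, tf = load(props_text), load(transforms_text)
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if key.startswith("TRANSFORM-"):
                problems.append(f"{stanza}: {key} should start with TRANSFORMS-")
            elif not key.startswith("TRANSFORMS-"):
                continue
            for name in filter(None, (n.strip() for n in value.split(","))):
                if not tf.has_section(name):
                    problems.append(f"{stanza}: {key} references missing [{name}]")
    for name in tf.sections():
        dest = tf.get(name, "DEST_KEY", fallback="")
        fmt = tf.get(name, "FORMAT", fallback="")
        if dest == "MetaData:Index":
            problems.append(f"[{name}]: index routing needs DEST_KEY = _MetaData:Index")
        if dest == "_MetaData:Index" and "::" in fmt:
            problems.append(f"[{name}]: FORMAT for an index is the bare index name")
        if dest == "MetaData:Sourcetype" and not fmt.startswith("sourcetype::"):
            problems.append(f"[{name}]: FORMAT must start with sourcetype::")
    return problems
if __name__ == "__main__":
    print("\n".join(lint(PROPS_CONF, TRANSFORMS_CONF)))
```

On the sample it reports the two transforms that `TRANSFORMS-other_fixup` names but transforms.conf never defines; a referenced stanza that does not exist is an easy way for events to end up in the wrong index unnoticed.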