Hi,
I've read a few articles on filtering data inputs. Basically I have a noisy ASA that I'm logging, and I want to discard anything with these phrases in them. They are eating up my licensing quota and I don't need them.
Built outbound TCP connection
Teardown TCP connection
Teardown UDP connection
Built dynamic TCP translation
Teardown dynamic TCP translation
I have the following set up for my configuration files, but it's not working. Can someone help me out? I'm not good at regex 😕
transforms.conf
[geo_us_states]
external_type = geo
filename = geo_us_states.kmz
[geo_countries]
external_type = geo
filename = geo_countries.kmz
[geo_attr_us_states]
filename = geo_attr_us_states.csv
[geo_attr_countries]
filename = geo_attr_countries.csv
# A stanza name may appear only once per file: repeating [discard_events]
# merges the copies and only the last REGEX survives, so four of the five
# phrases are never filtered. Put all five phrases into one REGEX using
# alternation (|) instead. The match is a substring match, so no anchors
# or wildcards are needed.
[discard_events]
REGEX = Built outbound TCP connection|Teardown TCP connection|Teardown UDP connection|Built dynamic TCP translation|Teardown dynamic TCP translation
DEST_KEY = queue
FORMAT = nullQueue
props.conf
# Version 7.1.1
[sendmail]
FIELDALIAS-msgid = mid AS msgid
# Named capture group restored as <qid> (the group name was lost when the
# post was rendered); this is the stock sendmail example from props.conf.
EXTRACT-qid = sendmail[^\]]*\]:\s+(?<qid>[^:]*):
# /var/log/foo is the stock example path. This stanza only takes effect for
# data arriving from that source, so it must name the source (or a
# [sourcetype] stanza) under which the ASA events are actually ingested.
[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = discard_events
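An added Python example (not from the post or from Splunk) that shows why the posted transforms.conf drops only one of the five phrases and checks the single-stanza alternation against constructed ASA-style lines. The merge rule it models (one stanza per name, last value of a repeated key wins) is an assumption about how repeated stanzas are read; the real result can be checked with `splunk btool transforms list discard_events`.

```python
import re

# Constructed ASA-style syslog lines (approximate formats, not from the post).
EVENTS = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.10/443 to inside:10.0.0.5/51234",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.10/443 to inside:10.0.0.5/51234 duration 0:00:01",
    "%ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.53/53 to inside:10.0.0.5/40000 duration 0:00:02",
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234 to outside:203.0.113.1/51234",
    "%ASA-6-305012: Teardown dynamic TCP translation from inside:10.0.0.5/51234 to outside:203.0.113.1/51234",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.99/4444 dst inside:10.0.0.5/22 by access-group OUTSIDE_IN",
]
# Abbreviated copy of the posted transforms.conf: the stanza name is repeated.
POSTED_TRANSFORMS = """
[discard_events]
REGEX = Built outbound TCP connection
DEST_KEY = queue
FORMAT = nullQueue
[discard_events]
REGEX = Built dynamic TCP translation
DEST_KEY = queue
FORMAT = nullQueue
"""

# One stanza whose REGEX alternates over all five noisy phrases.
COMBINED_REGEX = (
    r"Built outbound TCP connection|Teardown TCP connection|Teardown UDP connection"
    r"|Built dynamic TCP translation|Teardown dynamic TCP translation")

def merge_conf(text):
    """Read a .conf file the way repeated stanzas end up merged: one stanza per
    name, and a key that appears again keeps its last value (assumption about
    the merge, not Splunk's own code; verify with `splunk btool`)."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def route(event, regex):
    """Index-time routing: a REGEX match sends the event to nullQueue (dropped)."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"

def kept_events(regex, events=EVENTS):
    return [e for e in events if route(e, regex) == "indexQueue"]  # what still costs license
```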