Example data:
Aug 25 10:48:58 172.20.10.253 date=2015-08-25,time=10:48:56,devname=FG300B3909604960,devid=FG300B3909604960,logid=0000000013,type=traffic,subtype=forward,level=notice,vd=root,srcip=172.20.11.64,srcport=56560,srcintf="port1",dstip=207.46.59.27,dstport=50007,dstintf="port7",sessionid=5529335,status=deny,policyid=0,dstcountry="UnitedStates",srccountry="Reserved",trandisp=noop,service=50007/tcp,proto=6,duration=0,sentbyte=0,rcvdbyte=0
I use add common line to props.conf
[source::udp:514]
TRANSFORMS-asa= firewall
and add transforms.conf too
[firewall]
REGEX=(?m)^level=notice
DEST_KEY=queue
FORMAT=nullQueue
but it still does not work. pls help me thanks
... View more