My Sourcetype is 'cicso__asa' after fixing the regex, but in "Cisco Firewall overview" for example the field event_desc shows something like this:
"Deny protocol src [interface_name:sourceaddress/source_port] dst interfacename:dest_address/dest_port [type {string}, code {code}] by accessgroup aclID"
The other fields get extracted correctly. Perhaps someone has a hint?
Where is the field event_desc defined? Can I manually edit it?
Thanks in advance
Bpad