I used the email-to-ticket part of Zendesk. Then at the ticket level I put enough info in the subject line of the alert to easily filter to the right ticketing group in Zendesk. To get info from the search into the ticket, you use $result.<fieldname_you_want_in_subject_line>$, for example $result.src_ip$ or $result.host$.
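To see how the $result.<field>$ tokens in the reply above turn into a routable subject line, here is an added Python example (not the poster's code, and not Splunk's own token engine): it expands a subject template from one row of search results and reports any token whose field is missing from the row. The template, the [NETSEC] routing prefix, the result row and the choice to expand missing tokens to an empty string are all assumptions made for the example.

```python
import re

# Matches Splunk-style result tokens such as $result.src_ip$ or $result.host$.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render_subject(template, result):
    """Expand $result.<field>$ tokens in an alert subject line.

    `result` is one row of the alert's search results as a dict.
    Returns (subject, missing): `missing` lists token fields the row did not
    contain. Those tokens expand to an empty string here, which is this
    example's choice, not necessarily what Splunk does with an unknown field.
    """
    missing = []

    def substitute(match):
        field = match.group(1)
        if field not in result:
            missing.append(field)
            return ""
        return str(result[field])

    return TOKEN_RE.sub(substitute, template), missing


# Constructed example: a subject template that front-loads the routing key a
# Zendesk trigger can filter on, followed by fields taken from the result row.
TEMPLATE = "[NETSEC][$result.host$] firewall alert from $result.src_ip$ ($result.action$)"
ROW = {"host": "fw-edge-01", "src_ip": "203.0.113.7", "action": "deny"}

if __name__ == "__main__":
    subject, missing = render_subject(TEMPLATE, ROW)
    print(subject)
    if missing:
        print("unresolved tokens:", ", ".join(missing))
```

Keeping the routing key first and fixed (here "[NETSEC]") matters in practice: a Zendesk trigger that matches on the subject should key on a constant you control, not on a field value an attacker can influence, such as a hostname or username copied from the event.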
I can use tcpdump and see that logs are being sent to the correct port. I can use ngrep to see the data in the packets being received. They are in the right IETF format. I can see the events coming in via the Splunk metrics logs. But no logs are getting to Splunk.
I'm using the 6.0.2 add-on.
inputs.conf:
[udp://12002]
index = firewall-logs
disabled = false
sourcetype = pan:log
connection_host = ip
no_appending_timestamp = true
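The question states that the captured packets are in IETF (RFC 5424) format. As an added check that is not part of the question or of the add-on, here is a small Python validator you can point at lines copied out of ngrep: it parses the RFC 5424 header, splits PRI into facility and severity, and rejects BSD-style (RFC 3164) headers and timestamps that are not RFC 3339. The sample lines are constructed for the example and are not real PAN-OS output.

```python
import re
from datetime import datetime

# RFC 5424 layout: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG]. The NILVALUE for any field is "-".
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)


def parse_rfc5424(line):
    """Parse one syslog message; raise ValueError describing the first problem."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("header does not match the RFC 5424 layout (BSD/RFC 3164 style?)")
    d = m.groupdict()
    pri = int(d["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    d["facility"], d["severity"] = divmod(pri, 8)
    ts = d["timestamp"]
    if ts == "-":
        d["time"] = None
        return d
    if "T" not in ts:
        raise ValueError(f"timestamp {ts!r} is not a full RFC 3339 date-time")
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    try:
        d["time"] = datetime.fromisoformat(ts)
    except ValueError:
        raise ValueError(f"timestamp {d['timestamp']!r} is not RFC 3339") from None
    return d


def check_lines(lines):
    """Return one (ok, detail) tuple per captured line, in order."""
    results = []
    for line in lines:
        try:
            d = parse_rfc5424(line)
            results.append((True, f"facility={d['facility']} severity={d['severity']} host={d['hostname']}"))
        except ValueError as exc:
            results.append((False, str(exc)))
    return results


# Constructed samples (not real PAN-OS output): a well-formed IETF message,
# a BSD-style one, and one whose date uses slashes instead of RFC 3339 dashes.
SAMPLE_LINES = [
    "<14>1 2024-05-01T12:00:00.000Z pa-fw-01 - - - - 1,2024/05/01 12:00:00,001234567890,TRAFFIC,end",
    "<14>May  1 12:00:00 pa-fw-01 1,2024/05/01 12:00:00,001234567890,TRAFFIC,end",
    "<14>1 2024/05/01T12:00:00Z pa-fw-01 - - - - 1,2024/05/01 12:00:00,001234567890,TRAFFIC,end",
]

if __name__ == "__main__":
    for line, (ok, detail) in zip(SAMPLE_LINES, check_lines(SAMPLE_LINES)):
        print("OK " if ok else "BAD", detail, "|", line[:48])
```

The timestamp check is the relevant one for this input: with no_appending_timestamp = true, Splunk does not prepend its own timestamp and host to each received event, so the event's own header is what timestamp extraction has to work with. Separately from the format, it is worth confirming that the index named in the stanza (firewall-logs) actually exists on the indexer, since events sent to an index that does not exist are dropped rather than indexed, and that the stanza lives in an inputs.conf that the indexer or forwarder receiving the UDP traffic has loaded (check with splunk btool inputs list).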
This is the search I'm working with:
index="*-network" (sourcetype="cisco:asa" OR sourcetype="routers") user="user*" ("session terminated" OR "session started") | table _time, user, src_ip
I want a field that has "session terminated" OR "session started" based on which value is in the log.
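The field the question asks for is a derived value: whichever of the two phrases appears in the event. Here is an added Python example, not from the question or any answer, that applies the same logic to a handful of constructed events and keeps the same columns as the search's table command. The event texts, users and addresses are made up for the example and do not mimic real ASA or router message formats.

```python
import re
from collections import Counter

# The two phrases the search filters on, matched case-insensitively.
SESSION_RE = re.compile(r"\bsession (started|terminated)\b", re.IGNORECASE)


def session_event(raw):
    """Return 'session started' or 'session terminated' for an event's text,
    normalised to lower case, or None when neither phrase occurs."""
    m = SESSION_RE.search(raw)
    return f"session {m.group(1).lower()}" if m else None


def add_session_field(events):
    """Equivalent of the search's phrase filter plus a new session_event field,
    projected to the columns of the original table command."""
    rows = []
    for ev in events:
        label = session_event(ev["_raw"])
        if label is None:
            continue  # the ("session terminated" OR "session started") filter drops these
        rows.append({"_time": ev["_time"], "user": ev["user"],
                     "src_ip": ev["src_ip"], "session_event": label})
    return rows


def count_by_user(rows):
    """Like '| stats count by user session_event': (user, session_event) -> count."""
    return Counter((r["user"], r["session_event"]) for r in rows)


# Constructed sample events in the shape the search expects (not real device output).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:01Z", "sourcetype": "cisco:asa", "user": "user42",
     "src_ip": "10.0.0.5", "_raw": "user=user42 src_ip=10.0.0.5 msg=\"session started\""},
    {"_time": "2024-05-01T09:20:17Z", "sourcetype": "cisco:asa", "user": "user42",
     "src_ip": "10.0.0.5", "_raw": "user=user42 src_ip=10.0.0.5 msg=\"Session Terminated\""},
    {"_time": "2024-05-01T09:21:03Z", "sourcetype": "routers", "user": "user7",
     "src_ip": "10.0.0.9", "_raw": "user=user7 src_ip=10.0.0.9 msg=\"login failed\""},
    {"_time": "2024-05-01T09:22:40Z", "sourcetype": "routers", "user": "user7",
     "src_ip": "10.0.0.9", "_raw": "user=user7 src_ip=10.0.0.9 msg=\"session started\""},
]

if __name__ == "__main__":
    rows = add_session_field(SAMPLE_EVENTS)
    for r in rows:
        print(r["_time"], r["user"], r["src_ip"], r["session_event"])
    print(dict(count_by_user(rows)))
```

In SPL the same field can be produced inline with a regular expression before the table command, e.g. `| rex field=_raw "(?i)(?<session_event>session (?:started|terminated))"` and then adding session_event to the table; the lower-casing done here would be `| eval session_event=lower(session_event)`.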