I appreciate the help.
Monitor Stanza:
[monitor:///data/newlogs/cisco/*.log]
disabled = false
host_regex = ([^\/]*).\d{4}-\d{2}-\d{2}.log
index = ios
sourcetype = syslog
Local props.conf for cisco:asa:
[cisco:asa]
CHARSET = utf-8
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_EVENTS = 1
Sample data, each line ends with 0A (\n):
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-713236: IP = 169.132.18.1, IKE_DECODE RECEIVED Message (msgid=7b412844) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-715047: Group = N2Pprod2, Username = cconti, IP = 169.132.18.1, processing hash payload
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-715047: Group = N2Pprod2, Username = cconti, IP = 169.132.18.1, processing notify payload
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-715075: Group = N2Pprod2, Username = cconti, IP = 169.132.18.1, Received keep-alive of type DPD R-U-THERE (seq number 0xced72762)
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-715036: Group = N2Pprod2, Username = cconti, IP = 169.132.18.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xced72762)
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-715046: Group = N2Pprod2, Username = cconti, IP = 169.132.18.1, constructing blank hash payload
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-715046: Group = N2Pprod2, Username = cconti, IP = 169.132.18.1, constructing qm hash payload
Mar 29 00:00:01 10.232.1.103/10.232.1.103 %ASA-7-713236: IP = 169.132.18.1, IKE_DECODE SENDING Message (msgid=4d9922d2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-713236: IP = 47.16.183.44, IKE_DECODE RECEIVED Message (msgid=2460272) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-715047: Group = idtremote, Username = christina.rudczynski, IP = 47.16.183.44, processing hash payload
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-715047: Group = idtremote, Username = christina.rudczynski, IP = 47.16.183.44, processing notify payload
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-715075: Group = idtremote, Username = christina.rudczynski, IP = 47.16.183.44, Received keep-alive of type DPD R-U-THERE (seq number 0x27b70150)
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-715036: Group = idtremote, Username = christina.rudczynski, IP = 47.16.183.44, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x27b70150)
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-715046: Group = idtremote, Username = christina.rudczynski, IP = 47.16.183.44, constructing blank hash payload
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-715046: Group = idtremote, Username = christina.rudczynski, IP = 47.16.183.44, constructing qm hash payload
Mar 29 00:00:03 10.232.1.103/10.232.1.103 %ASA-7-713236: IP = 47.16.183.44, IKE_DECODE SENDING Message (msgid=e16bf0d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 29 00:00:04 10.232.1.103/10.232.1.103 %ASA-7-713236: IP = 169.132.18.1, IKE_DECODE RECEIVED Message (msgid=6654134b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Nothing more sensitive than names.
The data is being handled by the: Splunk_TA_cisco-asa app.
I really cannot see why the lines are not being split into single lines.
Your help is much appreciated!
Jim
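As an added illustration (not part of Jim's post and not code from Splunk or the Splunk_TA_cisco-asa app), the script below mirrors what the posted props.conf keys ask Splunk to do: split the raw file on LINE_BREAKER = ([\r\n]+), never merge lines back (SHOULD_LINEMERGE=false, MAX_EVENTS = 1), read the timestamp at TIME_PREFIX = ^ with TIME_FORMAT = %b %d %H:%M:%S, and take the host from the first capture group of the inputs.conf host_regex. It then pulls the ASA message id and the Group / Username / IP fields out of each event, which is the quickest defender-side check that one syslog line became exactly one event and that VPN session attribution survived. The sample lines and the file path are constructed in the same shape as the post's data (documentation IP ranges, placeholder usernames), and the year is an assumption because the timestamp format carries none. One thing worth keeping in mind while reading it: props.conf settings under [cisco:asa] only apply to events that actually carry that sourcetype, so the script is keyed to the props stanza's values rather than to whatever sourcetype the input stamps.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Mirrors of the posted props.conf / inputs.conf keys (assumption: these Python
# equivalents reproduce Splunk's behaviour for these keys; this is not Splunk code).
LINE_BREAKER = re.compile(r"([\r\n]+)")          # LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = "%b %d %H:%M:%S"                   # TIME_FORMAT = %b %d %H:%M:%S (no year)
TIMESTAMP_LEN = len("Mar 29 00:00:01")           # TIME_PREFIX = ^ : timestamp at offset 0
# host_regex from the inputs.conf stanza; Splunk uses the first capture group as the
# host. The unescaped dots match any character, exactly as written in the post.
HOST_REGEX = re.compile(r"([^\/]*).\d{4}-\d{2}-\d{2}.log")

# ASA syslog header "%ASA-<severity>-<msgid>: <body>" and the VPN session fields.
ASA_HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")
KV_FIELD = re.compile(r"(Group|Username|IP) = ([^,]+)")

# Constructed sample in the post's format: placeholder usernames, documentation IPs,
# one line terminated with CRLF to show the breaker handles both endings.
SAMPLE_RAW = (
    "Mar 29 00:00:01 10.0.0.3/10.0.0.3 %ASA-7-713236: IP = 198.51.100.7, IKE_DECODE RECEIVED "
    "Message (msgid=7b412844) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80\n"
    "Mar 29 00:00:01 10.0.0.3/10.0.0.3 %ASA-7-715047: Group = vpn-group-a, Username = jdoe, "
    "IP = 198.51.100.7, processing hash payload\n"
    "Mar 29 00:00:01 10.0.0.3/10.0.0.3 %ASA-7-715075: Group = vpn-group-a, Username = jdoe, "
    "IP = 198.51.100.7, Received keep-alive of type DPD R-U-THERE (seq number 0xced72762)\n"
    "Mar 29 00:00:03 10.0.0.3/10.0.0.3 %ASA-7-715047: Group = vpn-group-b, Username = asmith, "
    "IP = 203.0.113.9, processing notify payload\r\n"
    "Mar 29 00:00:03 10.0.0.3/10.0.0.3 %ASA-7-713236: IP = 203.0.113.9, IKE_DECODE SENDING "
    "Message (msgid=e16bf0d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80\n"
)


def break_events(raw: str) -> List[str]:
    """Split raw text into events the way LINE_BREAKER does: the text matched by the
    capture group is the separator and is discarded; with SHOULD_LINEMERGE=false
    nothing is ever joined back together, so every remaining piece is one event."""
    pieces = LINE_BREAKER.split(raw)
    # re.split keeps captured separators at odd indices; drop them and empty pieces.
    return [p for i, p in enumerate(pieces) if i % 2 == 0 and p.strip()]


def host_from_path(path: str) -> Optional[str]:
    """Host assignment per host_regex: first capture group of the first match."""
    m = HOST_REGEX.search(path)
    return m.group(1) if m else None


def parse_event(event: str, year: int) -> Dict[str, object]:
    """Parse one event: timestamp at the start of the line (TIME_PREFIX = ^), then the
    %ASA header and any Group/Username/IP pairs. `year` is supplied by the caller
    because the format has no year field (assumed, as in the post's TIME_FORMAT)."""
    ts = datetime.strptime(f"{year} {event[:TIMESTAMP_LEN]}", "%Y " + TIME_FORMAT)
    m = ASA_HEADER.search(event)
    if m is None:
        raise ValueError(f"no %ASA header in event: {event!r}")
    fields = {k.lower(): v.strip() for k, v in KV_FIELD.findall(m.group("body"))}
    rec: Dict[str, object] = {
        "time": ts,
        "severity": int(m.group("severity")),
        "msg_id": m.group("msg_id"),
        "message": m.group("body"),
    }
    rec.update(fields)
    return rec


def summarize(raw: str, year: int = 2024) -> Dict[str, int]:
    """Events per username. Equal to the number of input lines split across the
    usernames seen, which is what you expect once line breaking works; IKE_DECODE
    lines carry only an IP and land under '<none>'."""
    counts: Dict[str, int] = {}
    for ev in break_events(raw):
        user = str(parse_event(ev, year).get("username", "<none>"))
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    print("host:", host_from_path("/data/newlogs/cisco/asa01.2024-03-29.log"))
    for ev in break_events(SAMPLE_RAW):
        rec = parse_event(ev, 2024)
        print(rec["time"], rec["msg_id"], rec.get("username", "-"), rec.get("ip", "-"))
    print(summarize(SAMPLE_RAW))
```

Running it prints five events, one per input line, with the CRLF-terminated line counted exactly once; if a real Splunk index shows fewer events than lines, comparing against this output tells you whether the breaker pattern or the sourcetype routing is the thing to look at.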