I am trying to get the Cisco sourcetype for ASA data (cisco:asa) to work. I have installed the TA on the heavy forwarder, indexer and search head.
In the TA folder, I created a local dir and put the props in the local dir. I am logging to the file system using rsyslog, so I set the source to the path of the rsyslog file:
[source::/opt/logs/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
This is not working. All I get is cisco_asa as the sourcetype for all ASA traffic.
Any ideas?
Thanks
Ed
Hey, Ed.
It sounds like you're monitoring a local directory on a syslog server. Try creating a local/inputs.conf file with the monitor stanza, and only assign sourcetype = syslog:
[monitor:///opt/logs/all_logs]
disabled = false
sourcetype = syslog
Also - make sure the hostname in the ASA is configured correctly, as well as this command:
asa(config)#logging device-id hostname
The Add-on should pull out the hostname accurately. This worked for me. I didn't edit transforms or props. Let me know if it works!
Ed (as well)
Can you post your props.conf file? The sample lines you posted should match the REGEX specified. There may be something in props.conf that can offer more clues.
Any more ideas? I also tried syslog as the source for the props with really inconsistent results. Some data is cisco:asa and other data is syslog_asa even from the same device.
Thanks!
OK - that did not come out right.
I will only include the part of the default props I used:
[source::/opt/log/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
This may have been a sad assumption on my part. I copied the props.conf out of default and put it into local and only used the following with an update for the actual source of the log data
props.conf
[source::/opt/log/all_logs]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
Can you tell me if the original sourcetype of the data you are pulling in is the syslog sourcetype?
sure - thanks!
May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 3360473173 for INTERNET-OUTSIDE:xx.xx.xx.xx/34802 to MD-DMZ-F5:xx.xx.xx.xx/443 duration 0:00:56 bytes 7192 TCP FINs
May 13 15:33:57 xxxxxxxxxxxxxxxxx %ASA-6-302014: Teardown TCP connection 848603646 for LAN1:xx.xx.xx.xx/48529 to LAN2:xx.xx.xx.xx/8501 duration 0:00:00 bytes 1848 TCP FINs
Post a sample of some events of the raw log so we can examine them and help you with the transforms/regex.
yes - the sourcetype is syslog
You may need to modify the REGEX on the [force_sourcetype_for_cisco_*] stanzas in transforms.conf if your log files don't match correctly. I have seen this in one other instance where the log format coming from the devices wasn't quite the same as the transforms.conf stanza expected.
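As an added illustration (not code from this thread or from the Cisco TA), here is a small Python model of how Splunk walks an ordered TRANSFORMS list against each raw event: the first REGEX that matches rewrites the sourcetype, and an event that matches no stanza keeps the sourcetype set in inputs.conf, which is how you end up with a mix of cisco:asa and syslog from one device. The regexes, hostnames and addresses below are constructed assumptions; swap in the REGEX values from the TA's transforms.conf and your own sample lines to check which stanza, if any, actually fires.

```python
import re

# Constructed, simplified model of a TRANSFORMS-<class> list from props.conf.
# Stanzas are evaluated in the listed order; the first REGEX that matches
# _raw sets the new sourcetype. These patterns are assumptions for
# illustration, not the add-on's real transforms.conf contents.
TRANSFORMS = [
    # (stanza name, REGEX, sourcetype written by the FORMAT line)
    ("force_sourcetype_for_cisco_asa",  r"%ASA-\d-\d{6}",  "cisco:asa"),
    ("force_sourcetype_for_cisco_pix",  r"%PIX-\d-\d{6}",  "cisco:pix"),
    ("force_sourcetype_for_cisco_fwsm", r"%FWSM-\d-\d{6}", "cisco:fwsm"),
]


def resolve_sourcetype(raw, input_sourcetype="syslog", transforms=TRANSFORMS):
    """Return (sourcetype, matching stanza or None) for one raw event."""
    for name, regex, dest in transforms:
        if re.search(regex, raw):
            return dest, name
    # No stanza matched: the event keeps the sourcetype from inputs.conf.
    return input_sourcetype, None


# Constructed sample events modelled on the redacted lines in the thread.
SAMPLE_EVENTS = [
    "May 13 15:33:57 fw01 %ASA-6-302014: Teardown TCP connection 3360473173 "
    "for INTERNET-OUTSIDE:10.0.0.1/34802 to MD-DMZ-F5:10.0.0.2/443 "
    "duration 0:00:56 bytes 7192 TCP FINs",
    "May 13 15:33:58 fw02 %PIX-6-302013: Built inbound TCP connection 12 "
    "for outside:10.0.0.3/1234 to inside:10.0.0.4/22",
    # No %ASA/%PIX/%FWSM tag at all: nothing matches, stays syslog.
    "May 13 15:33:59 fw01 last message repeated 2 times",
]


def classify(events, input_sourcetype="syslog"):
    """Map each raw event to the sourcetype it would be indexed under."""
    return {e: resolve_sourcetype(e, input_sourcetype)[0] for e in events}


if __name__ == "__main__":
    for event, sourcetype in classify(SAMPLE_EVENTS).items():
        print(f"{sourcetype:10s} <- {event[:60]}")
```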
Well, why does the cisco_asa sourcetype match? I am sure I am not understanding something. I will check to see what else I can find.