Steelwool, did you find a solution for your issue?
I followed the guide mentioned by ziegfried and created the files:
C:\Program Files\Splunk\etc\system\local\props.conf
[cisco_asa]
TRANSFORMS-null= setnull
I also tried:
[source::udp:2000]
TRANSFORMS-null= setnull
I use the Cisco Security Suite App, thus the syslog port moved to 2000 for coexistence with the standard syslog service.
C:\Program Files\Splunk\etc\system\local\transforms.conf
[setnull]
REGEX = (ASA-6-302014|ASA-6-302013|ASA-6-302016|ASA-6-302015)
DEST_KEY = queue
FORMAT = nullQueue
I have no idea what I should try next 😕 Please help!
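Added example (not from the post or from Splunk): a small Python check that runs the REGEX from the transforms.conf stanza above against constructed ASA syslog lines and reports which events the [setnull] transform would route to nullQueue and which would continue to the default indexQueue. The sample events are made up for the test; `route` and `filter_events` are helper names chosen here, not Splunk APIs.

```python
import re

# The REGEX value exactly as written in the post's [setnull] stanza.
# Splunk applies transforms.conf REGEX as an unanchored search over the
# raw event, so the message ID may appear anywhere in the line.
NULLQUEUE_REGEX = re.compile(r"(ASA-6-302014|ASA-6-302013|ASA-6-302016|ASA-6-302015)")

# Constructed sample syslog lines (not captured from a real firewall).
SAMPLE_EVENTS = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 duration 0:00:01",
    "%ASA-6-302015: Built outbound UDP connection 12346 for outside:203.0.113.53/53",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.99/0",
]


def route(event: str) -> str:
    """Mimic DEST_KEY = queue / FORMAT = nullQueue for one event.

    A match sends the event to nullQueue (discarded); anything else keeps
    Splunk's default destination, indexQueue.
    """
    return "nullQueue" if NULLQUEUE_REGEX.search(event) else "indexQueue"


def filter_events(events):
    """Split events into (kept, dropped) the way the transform would."""
    kept = [e for e in events if route(e) == "indexQueue"]
    dropped = [e for e in events if route(e) == "nullQueue"]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS)
    print(f"dropped {len(dropped)} connection build/teardown events, kept {len(kept)}")
    for e in kept:
        print("  keep:", e)
```

The regex itself matches as intended, so if events still reach the index the stanza is not being applied: the props.conf stanza only fires when the event's sourcetype is exactly `cisco_asa` (or, for the second variant, its source is exactly `udp:2000`), which can be confirmed by looking at the `sourcetype` and `source` fields on one of the indexed ASA events.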