Hi,
I've configured Splunk to forward data to a third party system we use.
I can see on the packet captures that the traffic is being sent to the host, however, I am seeing more data than I would like going to this host. I would only like our ASA traffic to go to this host, however, I am seeing all sorts of data being sent. I was not expecting this based on the following configuration files:
outputs.conf -
[syslog]
defaultGroup = syslog_out
[syslog:syslog_out]
server=1.2.3.4:514
type=udp
priority = NO_PRI
props.conf -
[cisco_asa]
TRANSFORMS-routing=syslog_routing
transforms.conf
[syslog_routing]
REGEX="^[^\%]+\%ASA"
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_out
N.B: the regex is there as I thought it might be an issue with just using ".
" for the "cisco_asa" sourcetype (not that it should matter).
I've clearly missed something here, so any help would be grateful.
Thanks,
mhibbin
Don't set the defaultGroup parameter. You only want to send syslog when the transform matches.
Don't set the defaultGroup parameter. You only want to send syslog when the transform matches.
Hi MHibbin
try to step back to a more basic setup like in the docs and change it to match the examples. Try it with host::1*
for example, instead of of source type.
hope this helps ...
cheers, MuS 🙂