I am having issues with consistent field extraction using the cisco:asa sourcetype. The fields are very inconsistently parsed, many times making 4 or 5 events out of a single event, even separating a line in the middle of a word.
I am currently accepting syslog for these devices using rsyslog, and I am monitoring the file generated for the specific device on the local filesystem. The following is an example of the inputs.conf entry I have in the Splunk_TA_cisco-asa local directory.
[monitor:///var/log/syslog/system-111.111.111.111.log]
# host_segment = 4 uses the fourth path segment, i.e. the file name, as the host value
host_segment = 4
sourcetype = cisco:asa
disabled = false
I am running version 3.2.0 of the Splunk Add-on for Cisco ASA. I am running version 3.0.3 of Cisco Security Suite. Am I missing something? Thanks in advance.
Try adding, under the stanza above:
SHOULD_LINEMERGE = false
Thank you for the response mzorzi. Unfortunately, that did not work when placed in my inputs.conf file. I believe the sourcetype should pull that from my props.conf file?
[source::....asa]
# "..." matches any characters, so this stanza applies to source paths ending in ".asa"
sourcetype = cisco:asa
[cisco:asa]
# event-breaking and extraction settings are keyed by sourcetype here, not in inputs.conf
SHOULD_LINEMERGE = false
KV_MODE = auto
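The distinction the last post points at is the crux: SHOULD_LINEMERGE, LINE_BREAKER, TIME_PREFIX and KV_MODE are props.conf settings, evaluated on the instance that parses the data (an indexer or heavy forwarder), so putting one of them in an inputs.conf monitor stanza changes nothing. The script below is an added example, not code from this thread or from the Splunk Add-on for Cisco ASA. It emulates just two pieces of Splunk's behaviour: it flags props-only settings that have strayed into inputs.conf, and it applies a props.conf LINE_BREAKER (first capture group is the discarded delimiter, text on either side becomes separate events) to a few constructed rsyslog lines so you can see that, with SHOULD_LINEMERGE = false and a newline breaker, each syslog line becomes exactly one event carrying exactly one %ASA header. The conf contents, the ASA log lines, the addresses and the helper names are all constructed for the demo; the [cisco:asa] values are assumptions, not the add-on's shipped defaults.

```python
"""Emulate the parts of Splunk's props.conf handling that matter for this thread.

Added example, not code from the thread or the Splunk Add-on for Cisco ASA.
The conf contents and syslog lines below are constructed for illustration.
"""
import configparser
import re

# Settings that only take effect in props.conf. In an inputs.conf stanza they are ignored.
PROPS_ONLY_SETTINGS = {
    "SHOULD_LINEMERGE", "LINE_BREAKER", "BREAK_ONLY_BEFORE", "BREAK_ONLY_BEFORE_DATE",
    "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TRUNCATE", "KV_MODE",
}

# Constructed inputs.conf: the thread's stanza with SHOULD_LINEMERGE wrongly added to it.
INPUTS_CONF = """
[monitor:///var/log/syslog/system-111.111.111.111.log]
host_segment = 4
sourcetype = cisco:asa
disabled = false
SHOULD_LINEMERGE = false
"""

# Constructed props.conf: one event per syslog line, no merging. Values are assumptions
# for this demo, not the add-on's defaults.
PROPS_CONF = r"""
[cisco:asa]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
KV_MODE = auto
"""

# Constructed rsyslog output for an ASA, using documentation address ranges.
SAMPLE_SYSLOG = "\n".join([
    "Jan 14 10:22:01 192.0.2.1 %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (198.51.100.2/51234)",
    "Jan 14 10:22:02 192.0.2.1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:192.0.2.10/22 by access-group \"OUTSIDE_IN\" [0x0, 0x0]",
    "Jan 14 10:22:03 192.0.2.1 %ASA-6-302014: Teardown TCP connection 4711 "
    "for outside:203.0.113.5/443 to inside:192.0.2.10/51234 duration 0:00:02 bytes 1532 TCP FINs",
]) + "\n"

# Splunk .conf files are INI-shaped: [stanza] headers with key = value lines.
ASA_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6}): (?P<message>.*)$"
)


def load_conf(text):
    """Parse a Splunk-style .conf into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep upper-case setting names such as SHOULD_LINEMERGE
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_misplaced_props(inputs):
    """Return (stanza, key) pairs for props-only settings found in inputs.conf."""
    return sorted((stanza, key) for stanza, settings in inputs.items()
                  for key in settings if key in PROPS_ONLY_SETTINGS)


def break_events(raw, line_breaker):
    """Apply a LINE_BREAKER the way Splunk does when SHOULD_LINEMERGE is false:
    the first capture group is the delimiter and is dropped; everything between
    consecutive delimiters is one event. Empty events are discarded."""
    pat = re.compile(line_breaker)
    if pat.groups == 0:
        raise ValueError("LINE_BREAKER needs a capture group")
    events, start = [], 0
    for m in pat.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def parse_asa_header(event):
    """Pull timestamp, host, severity and message id from one ASA syslog event."""
    m = ASA_HEADER.match(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for stanza, key in find_misplaced_props(load_conf(INPUTS_CONF)):
        print(f"ignored in inputs.conf [{stanza}]: {key} belongs in props.conf")
    props = load_conf(PROPS_CONF)["cisco:asa"]
    for ev in break_events(SAMPLE_SYSLOG, props["LINE_BREAKER"]):
        hdr = parse_asa_header(ev)
        print(hdr["host"], hdr["severity"], hdr["message_id"], hdr["message"][:40])
```

Run against a real deployment, the same check is `splunk btool props list cisco:asa --debug` on the parsing instance: it prints every setting in the effective [cisco:asa] stanza and which file supplies it, so you can confirm that your local props.conf is actually winning and that it lives on the indexer or heavy forwarder, not only on a universal forwarder, where props.conf line breaking is not applied.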