routing specific syslog msgs to another index

briang67 · ‎04-27-2011

I'm trying to route syslog messages that contain the term "nc3ldaprealm" to an index other than main. I'm using the setup below, but I'm seeing odd behavior.

If I use (.*) for the regex I get a second copy of the original msg in my "nc3sec" index.

If I use the regex below I'm not seeing any message in my "nc3sec" index...although the regex parses the msg correctly when I test with an external tool. I would like the msg that matches the regex to appear in the "nc3sec" index, but not main. Any ideas? thx.

Msgs are being sent directly from syslog to udp:514. There's no forwarder involved so the confs are setup on the indexer.

props.conf: [syslog]

TRANSFORMS-vpn_user_log = VPNUSERLOG

transforms.conf:

[VPNUSERLOG]

SOURCE_KEY = MetaData:Sourcetype

REGEX =^(.*nc3ldaprealm.*)

DEST_KEY = _MetaData:Index

FORMAT = nc3sec

WRITE_META = true

Here's an example of the msg:
Apr 26 18:02:05 206.15.126.232 Juniper: id=firewall time="2011-04-26 18:05:03" pri=6 fw=206.15.126.232 vpn=sb117ncvp02 user=testuser13 realm="nc3ldaprealm" roles="" proto=auth src=205.203.130.22 dst= dstname= type=vpn op= arg="" result= sent= rcvd= agent="" duration= msg="AUT23457: Login failed using auth server nc3ldap (LDAP Server). Reason: Failed"

briang67 · ‎04-27-2011

I think I answered my own question. The problem was with the SOURCE_KEY = MetaData:Sourcetype. I think the regex was being applied against the sourcetype instead of the msg as when I removed it (defaults to _raw) my routing worked correctly.

routing specific syslog msgs to another index

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life