
How to configure props.conf and transforms.conf to change Cisco ASA and ISE syslog sourcetypes and move them to different indexes?

kpsajin
Explorer

Hi,

I have Cisco ASA and Cisco ISE syslogs coming to Splunk on UDP port 1026. I would like to differentiate the sourcetype and index for both.

Cisco ASA logs source type has to be changed as cisco:asa and moved to an index called cisco_asa.

Cisco ISE logs source type has to be changed to cisco:ise:syslog and moved to an index called cisco_ise.

Please help to build the props and transforms for the above.

Regards
Sajin

0 Karma

woodcock
Esteemed Legend

If the answer given by @stephanefotso doesn't work (and I expect it won't, but I give him karma for a clever option to try), then you will have to either give up your goal to have each in a separate index or your goal to have them both come to the same port. If you go with the latter, then do just as @stephanefotso said, but have 2 different ports. If you go with the former, then you can do a sourcetype override like this:

In transforms.conf:

[set_sourcetype_cisco_asa]
REGEX = YOUR REGEX HERE maybe something like (?:10.0.1.21|10.0.1.23)
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_cisco_ise]
REGEX = YOUR REGEX HERE maybe something like (?:10.0.1.21|10.0.1.23)
FORMAT = sourcetype::cisco:ise
DEST_KEY = MetaData:Sourcetype

In props.conf:

[source::udp:1026]
TRANSFORMS-cisco_sourcetype_overrides = set_sourcetype_cisco_asa set_sourcetype_cisco_ise

You will have to deploy these files to your indexers (or heavy forwarder) and it will NOT change anything that is already in Splunk.

0 Karma

kpsajin
Explorer

I was also thinking of doing the below.

[set_sourcetype_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192.168.1.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192.168.1.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[source::udp:1026]
TRANSFORMS-set_sourcetype_sonicwall = set_sourcetype_ciscoasa set_sourcetype_ciscoise

But still, how do I move it to a different index?

I will try the first option given by @stephanefotso and if that doesn't help, I will look at the latter.

Will update you all today.

Regards
Sajin

0 Karma
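As an added example (not any poster's code), building on the host-keyed transforms in the post above: the same two hosts, with index routing added through the _MetaData:Index destination key, which transforms.conf supports alongside the sourcetype override. It assumes the indexes cisco_asa and cisco_ise already exist on the indexers and that the files are deployed to the indexers or heavy forwarder that parses the UDP input.

```ini
# transforms.conf (added example, not from any poster in this thread).
# Each pair keys on the sending host (MetaData:Host holds "host::<ip>"),
# one stanza rewrites the sourcetype, the other rewrites the index.
# Dots are escaped so "192.168.1.251" cannot also match "192x168x1x251".
[set_sourcetype_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_index_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = cisco_asa
DEST_KEY = _MetaData:Index

[set_sourcetype_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[set_index_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = cisco_ise
DEST_KEY = _MetaData:Index

# props.conf: apply all four transforms to events arriving on the shared
# UDP input. The index names in FORMAT must exist in indexes.conf on the
# indexers, otherwise the routed events are dropped.
[source::udp:1026]
TRANSFORMS-cisco_routing = set_sourcetype_ciscoasa, set_index_ciscoasa, set_sourcetype_ciscoise, set_index_ciscoise
```

Because the match is on the source address of the UDP syslog packet, any host that can spoof one of those addresses can land events in the other device's index; restrict the input with acceptFrom or a network ACL if that matters in your environment.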

woodcock
Esteemed Legend

Re-read my answer; it is a COMPLETE answer. If the suggestion by @stephanefotso does not work, then it is NOT POSSIBLE unless you split ports and put one on 1026 and the other on another port. Then you will have 2 entries in inputs.conf and each one will have a different index= line.

0 Karma

woodcock
Esteemed Legend

So did anything work out?

0 Karma

kpsajin
Explorer

I did not try editing anything in the props and transforms. I have used the Splunk Add-on for Cisco ASA, the Splunk Add-on for Cisco ISE and the Cisco Network Add-on. After that I changed the configuration in the data inputs page in Splunk. I have created UDP inputs with specific IP addresses and syslog ports and manually defined the sourcetype. It has translated the sourcetype for all the events to cisco:asa, cisco:ise:syslog and cisco:ios respectively and I am able to get the Cisco apps working fine.

Please let me know if there will be any operational impact or technical difficulty in implementing the Splunk ES with this kind of data input configurations.

Thanks a lot for the suggestions.

Regards
sajin

0 Karma

woodcock
Esteemed Legend

OK, so you used the split-port solution. The TAs should use the sourcetype as the basis for almost everything, so as long as you are keeping with the naming conventions that they used, you should be fine. Please "Accept" an answer to close off this question.

0 Karma

stephanefotso
Motivator

OK, I understand.
The acceptFrom = <parameter> setting in your inputs.conf lets you list a set of networks or addresses to accept connections from.

  • Each rule can be in the following forms:
  1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
  2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
  3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")

Means, if you exactly know which machine is sending cisco ASA syslog, you could be able to do something like this:

[udp://<remote server>:<port>]
acceptFrom = 10.1.2.3
sourcetype = cisco:asa
index = cisco_asa
source = udp1026

.......

Do the same for your Cisco ISE logs.
Thanks

SGF

stephanefotso
Motivator

Hello! You can do it using Splunk Web, or the Splunk CLI, or by editing your props.conf. Just read this: http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports
Thanks

SGF
0 Karma

kpsajin
Explorer

The above URL shows how to get data into Splunk, which is already done. The data is currently coming in as source=udp1026 and sourcetype=syslog.

What I require is:
1. Sourcetype for Cisco ASA logs to be changed to cisco:asa and moved to an index cisco_asa.
2. Sourcetype for Cisco ISE logs to be changed to cisco:ise:syslog and moved to an index cisco_ise.

Regards
Sajin

0 Karma