Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help filtering Cisco ASA Logs at index time.

balbano
Contributor
‎02-02-2012 10:22 AM

Hey Guys,

I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data.

In a very simple way, let me explain what I need done.

Problem: I have Cisco ASA Logs sent to this syslog-ng server.

I would like to setup a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed: 

ASA-6-302016
ASA-6-302015
ASA-7-609001
ASA-7-609002
ASA-6-302013
ASA-6-302014
ASA-6-302020
ASA-6-302021
ASA-6-305012
ASA-6-305011

Everything else other than this I would like to index to a certain specified index.

Can someone tell me from start to finish how I would do this as for as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed.

The documentation is a little tricky for me to understand so maybe an example will make me understand better.

Appreciate any help you can provide.

Thanks.

Brian

Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎02-06-2012 01:33 PM 
 props.conf

 [yoursourcetype]
 TRANSFORMS-null = setnull

 transforms.conf

 [setnull]
 REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
 DEST_KEY = queue
 FORMAT = nullQueue

View solution in original post

Reply
Solved! Jump to solution

chris_moody
Engager
‎03-25-2013 03:07 PM

or - better yet, why not save yourself the unnecessary log traffic and load on the ASA anyway and just turn those message numbers off at the source.

ex>
asa-firewall# conf t

asa-firewall(conf)# no logging message 302016

asa-firewall(conf)# no logging message 302015

etc.

-Chris

Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎02-06-2012 01:33 PM 
 props.conf

 [yoursourcetype]
 TRANSFORMS-null = setnull

 transforms.conf

 [setnull]
 REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
 DEST_KEY = queue
 FORMAT = nullQueue
Reply
Solved! Jump to solution

cvajs
Contributor
‎03-19-2012 05:58 AM

sorry, once again this forum code is a pita and takes a single \ as a special char.

it should be
%ASA-(\w+-)?[67]-(code|code|code|code)

0 Karma
Reply
Solved! Jump to solution

cvajs
Contributor
‎03-16-2012 03:35 PM

your regex will fail with the 8.4+ ASA (need to verify actual revs), it comes in with %ASA-session- in it,
see http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change

so you you might modify the regex to be
%ASA-(session-)?[67]-(code|code|code|code)
or
%ASA-(\w+-)?[67]-(code|code|code|code)

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎02-06-2012 01:50 PM

glad to help!

0 Karma
Reply
Solved! Jump to solution

balbano
Contributor
‎02-06-2012 01:46 PM

Thank You!!!

0 Karma
Reply
Solved! Jump to solution

balbano
Contributor
‎02-06-2012 08:57 AM

Anything guys?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...