Hi,
I have FirePass sending logs to a Splunk server via UDP 514. I've also installed the F5 app, but none of the built-in searches seem to display any of the captured events (e.g. F5 FirePass Connections by User).
Is there anything wrong with the built-in searches?
How can I get it to show up under the F5 app?
I also have Linux servers sending via 514 with the sourcetype set to syslog, so when the FirePass logs come in they end up under syslog as well. How do I give them their own sourcetype, "sourcetype = firepass" for example?
Thanks in advance.
If FirePass is the only source for udp:514, then you can specify the following in props.conf and restart the Splunk server.
[source::udp:514]
sourcetype=firepass_log
If more sources are sending syslog to udp:514, then you can use a regular expression to transform the sourcetype based on FirePass's IP address (e.g. 192.168.1.253).
In transforms.conf add the following:
[firepass_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:192\.168\.1\.253)
FORMAT = sourcetype::firepass_log
In props.conf add the following:
[source::udp:514]
TRANSFORMS-firepasssourcetype = firepass_sourcetyper
Restart the Splunk server. Hope this helps.
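A check worth running before relying on the transform above: a transforms.conf REGEX is matched against the raw event text when SOURCE_KEY is left at its default of _raw, so the rule in the answer only retags FirePass events whose payload happens to contain the string 192.168.1.253, and it also retags any other host's event that mentions that address. Keying the transform on the host metadata instead (SOURCE_KEY = MetaData:Host, whose value has the form host::<sender>) matches on who sent the datagram rather than on what it says. The script below is an added example, not Splunk code and not part of the original thread: it is a small Python emulation of both rules applied to three constructed syslog events, and the two transforms.conf stanzas in its comments are my own (the second is an assumed host-keyed variant, not one the answer gives).

```python
"""Emulate how a Splunk transforms.conf sourcetype override selects events.

Added example, not Splunk's own code.  It models two rules:
  * the one posted in the answer: REGEX run against the raw event text
    (Splunk's default SOURCE_KEY is _raw), and
  * an assumed variant keyed on the host metadata (SOURCE_KEY = MetaData:Host).
The sample events are constructed for this example.
"""
import re

# Constructed events as (host field, raw syslog payload).  For a UDP input the
# host field is derived from the sender's IP; the payload is the syslog text.
SAMPLE_EVENTS = [
    ("192.168.1.253", "<134>Jan 10 10:01:02 fp1 FirePass: user jdoe connected"),
    ("192.168.1.253", "<134>Jan 10 10:01:03 fp1 FirePass: user asmith connected from 192.168.1.253"),
    ("192.168.1.20",  "<38>Jan 10 10:01:04 web01 sshd[123]: Accepted publickey for ops from 192.168.1.253"),
]

DEFAULT_SOURCETYPE = "syslog"          # what udp:514 events get without an override
FIREPASS_SOURCETYPE = "firepass_log"

# Equivalent of the transform posted in the answer (SOURCE_KEY defaults to _raw):
#   [firepass_sourcetyper]
#   REGEX = (?:192\.168\.1\.253)
#   FORMAT = sourcetype::firepass_log
#   DEST_KEY = MetaData:Sourcetype
RAW_REGEX = re.compile(r"(?:192\.168\.1\.253)")

# Assumed host-keyed variant (not from the thread); MetaData:Host values look
# like "host::<hostname or IP>", so the regex anchors on that form:
#   [firepass_sourcetyper]
#   SOURCE_KEY = MetaData:Host
#   REGEX = ^host::192\.168\.1\.253$
#   FORMAT = sourcetype::firepass_log
#   DEST_KEY = MetaData:Sourcetype
HOST_REGEX = re.compile(r"^host::192\.168\.1\.253$")


def apply_raw_transform(events):
    """Sourcetype per event when the regex is matched against the raw payload."""
    return [
        (host, FIREPASS_SOURCETYPE if RAW_REGEX.search(raw) else DEFAULT_SOURCETYPE)
        for host, raw in events
    ]


def apply_host_transform(events):
    """Sourcetype per event when the regex is matched against 'host::<host>'."""
    return [
        (host, FIREPASS_SOURCETYPE if HOST_REGEX.search(f"host::{host}") else DEFAULT_SOURCETYPE)
        for host, _raw in events
    ]


def misrouted(events):
    """Hosts whose events the raw-text rule tags differently from the host-keyed
    rule: FirePass events left as 'syslog' and other hosts' events promoted to
    'firepass_log'."""
    expected = apply_host_transform(events)
    actual = apply_raw_transform(events)
    return [host for (host, exp), (_, act) in zip(expected, actual) if exp != act]


if __name__ == "__main__":
    pairs = zip(apply_raw_transform(SAMPLE_EVENTS), apply_host_transform(SAMPLE_EVENTS))
    for (host, st_raw), (_, st_host) in pairs:
        print(f"{host:15} raw-regex -> {st_raw:13} host-keyed -> {st_host}")
    print("misrouted by raw-regex rule:", misrouted(SAMPLE_EVENTS))
```

Running it shows the first FirePass event staying under syslog (its payload never mentions the appliance's address) and the web01 event being retagged as firepass_log because a client address appears in its text; the host-keyed rule gets both right. In a real deployment, check which rule you have with a search over the raw events by host, and if the raw-text rule is in place, either switch SOURCE_KEY to MetaData:Host as sketched in the comments or put the TRANSFORMS line under a [host::192.168.1.253] stanza in props.conf so it only runs on that sender's events.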
Hello,
I have edited transforms.conf and props.conf, but most of my data is not showing up in the F5 Access Dashboard.
For example, I can only see 4 or 5 users in the Connections by User in the last 24 hours chart, but on the FirePass it shows that there were over 100 connected in the same timeframe.
Thanks in advance