Hello All,
I have several devices on our network that have one interface/IP address in our DMZ and a management IP address in a secure cell. We use the management IP address to send syslogs to a syslog-ng server. The issue I have is that a Qualys scan of our DMZ network shows the DMZ IP address/hostname. So when I run a search for data from dmz-sys-1 in Splunk we do not find it, because the data is collected on mgmt-sys-1.
So I was thinking of using props.conf and transforms.conf to rename the hostname of all 20 of these devices from mgmt-sys-x to dmz-sys-x.
Here is what I was thinking for props.conf
[cisco:asa]
TRANSFORMS-hostname = mgmt-sys-01,mgmt-sys-02,mgmt-sys-03,mgmt-sys-04
And the transforms.conf
[mgmt-sys-01]
hostname = dmz-sys-01
[mgmt-sys-02]
hostname = dmz-sys-02
[mgmt-sys-03]
hostname = dmz-sys-03
[mgmt-sys-04]
hostname = dmz-sys-04
Would that work?
Is the DMZ hostname getting logged in the events?
If it is, then you can extract that using field extractions and then run a search based on that field. Give a sample event if you don't know how to extract it.
Hi edwardrose,
Do you want to permanently modify logs, or do you want to display the correct host at search time?
Because in the first case you can use the SEDCMD command;
if instead you don't want to permanently modify logs (sometimes it is not allowed) you can use a regex to override the hostname value at search time:
| rex field=host mode=sed "s/^mgmt-sys-/dmz-sys-/"
Bye.
Giuseppe
Hello Giuseppe,
I would like to permanently change the hostname.
Thanks
ed
In this case, put the following stanza in props.conf:
[cisco:asa]
SEDCMD-hostname = s/mgmt-sys-/dmz-sys-/g
Bye.
Giuseppe
Hello Giuseppe,
So I wasn't exactly specific with the hostnames of the network devices.
The management hostname is like the following:
amywanra1
tokwanra1
wvwanra1
wvwanra2
And the DMZ hostname is like the following:
vpn-inn
vpn-wv1
vpn-wv2
vpn-hsi
So I am not certain how to make these work properly, except with the example that I used in my original post.
Hi edwardrose,
If you have a situation that is not as schematic as the one you showed in the main post, maybe the best solution is to ingest the logs without transformation (or with only the simple ones) and then manage the transformation at search time: create a lookup that contains the original hostname and the new one, then create an automatic lookup so you'll have the new value.
Bye.
Giuseppe
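As an added example (not any poster's configuration), here is the search-time lookup described above next to the index-time host override that the props/transforms idea in the first post was reaching for. Assumed: an app named hostmap, the file names and stanza names shown, and the pairing of management names to DMZ names, which the thread lists but never pairs.

```ini
# Added example, not any poster's configuration. Assumed: an app named
# "hostmap", the file names below, and the pairing of management names
# to DMZ names, which the thread lists but does not pair.

# ----- Option A: search-time mapping via an automatic lookup -----
# Raw events and the indexed host value stay untouched; the DMZ name is
# added as a field when the events are searched, and the mapping can be
# corrected later by editing the CSV.

# etc/apps/hostmap/lookups/dmz_hostmap.csv (constructed sample)
host,dmz_host
amywanra1,vpn-inn
tokwanra1,vpn-wv1
wvwanra1,vpn-wv2
wvwanra2,vpn-hsi

# etc/apps/hostmap/local/transforms.conf
[dmz_hostmap]
filename = dmz_hostmap.csv

# etc/apps/hostmap/local/props.conf
[cisco:asa]
LOOKUP-dmz_host = dmz_hostmap host OUTPUT dmz_host
# Search: sourcetype=cisco:asa dmz_host=vpn-inn

# ----- Option B: index-time host override (permanent) -----
# Goes on the indexer or heavy forwarder that parses the syslog feed.
# The names share no pattern, so one transform per device. The
# management name is no longer indexed after this, so keep a copy of
# the mapping (e.g. the CSV above) for audit.

# props.conf
[cisco:asa]
TRANSFORMS-dmzhost = dmzhost_amywanra1, dmzhost_tokwanra1

# transforms.conf -- the host metadata key holds "host::<name>"
[dmzhost_amywanra1]
SOURCE_KEY = MetaData:Host
REGEX = ^host::amywanra1$
FORMAT = host::vpn-inn
DEST_KEY = MetaData:Host

[dmzhost_tokwanra1]
SOURCE_KEY = MetaData:Host
REGEX = ^host::tokwanra1$
FORMAT = host::vpn-wv1
DEST_KEY = MetaData:Host
```

SEDCMD rewrites the _raw text of each event, not the indexed host field, so a SEDCMD rename on its own still leaves host= searches pointing at the management name; Option B changes the host metadata itself and cannot be undone for data that is already indexed.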
Hi edwardrose,
if you're satisfied by this answer, please accept and/or upvote it.
Bye, see next time.
Giuseppe
Hello @edwardrose
I think this can be achieved through the SEDCMD command. And also I think it is better to replace mgmt with dmz only. No need to do any other changes.
The below type of configuration will work for you (props.conf)
[cisco:asa]
SEDCMD-hostname = s/mgmt/dmz/g
Hello @vishaltaneja07011993
So I wasn't exactly specific with the hostnames of the network devices.
The management hostname is like the following:
amywanra1
tokwanra1
wvwanra1
wvwanra2
And the DMZ hostname is like the following:
vpn-inn
vpn-wv1
vpn-wv2
vpn-hsi
So I am not certain how to make these work properly, except with the example that I used in my original post.
@edwardrose
Then there are two options:
1. Write a SEDCMD for each value separately, like:
SEDCMD-hostname = s/amywanra1/vpn-inn/g
SEDCMD-hostname1 = s/tokwanra1/vpn-wv1/g