
CISCO_ESA

cesca
Engager

Hi,

I have installed the Splunk_CiscoSecuritySuite and the Splunk_CiscoIronportEmailSecurity.

The problem is that I'm not getting any data with sourcetype=cisco_esa. I have the following in inputs.conf:

# regular syslog (comments moved onto their own lines; Splunk does not support inline comments in .conf files)
[udp://514]
disabled = false
sourcetype = syslog
connection_host = dns

# ironport syslog
[udp://192.168.1.200:514]
disabled = false
host = 192.168.1.200
sourcetype = cisco_esa
connection_host = dns

However, data from host 192.168.1.200 is being indexed with the [udp://514] index and not the [udp://192.168.1.200:514].

What do I have to change to have it recorded with the sourcetype=cisco_esa?

Thanks a lot,
-- Xavier


sdaniels
Splunk Employee

See below from inputs.conf: the first stanza is going to pick it up, since its remote server is empty and only one stanza per port number is currently supported. You could override the sourcetype on a per-event basis using a regex. See this link - http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

You could also change the port number.

[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
* Configure Splunk to listen on a specific port.
* If <remote server> is specified, the specified port will only accept data from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server.
* Will generate events with source set to udp:portnumber, for example: udp:514
* If sourcetype is unspecified, will generate events with set sourcetype to udp:portnumber

cesca
Engager

Hi,

It works like a charm! I didn't know that only one stanza per port number was currently supported; I expected it to take the most specific one.

I've followed the examples and I've done it like this:

transforms.conf:

[cisco_esa_parser]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)[?(MachineName)[\w.-]]?\s
FORMAT = sourcetype::cisco_esa
DEST_KEY = MetaData:Sourcetype

props.conf:

[source::udp:514]
TRANSFORMS-changesourcetype = cisco_esa_parser

Thanks for your help,

-- Xavier

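As an added illustration, not part of the original thread or of either Cisco app, the two routes sdaniels suggested side by side: a dedicated port for the ESA, and a per-event override on udp:514 that keys on the host field rather than on the syslog header. A header regex like the one in the post above matches every syslog line arriving on udp:514, so it retags traffic from other hosts as well; keying on the host limits the override to the ESA. The port 5514 and the stanza names are assumptions for the example; the MetaData:Host value format (host::<host>) is Splunk's own.

```ini
# inputs.conf  -- option A: give the ESA its own listener.
# Only one stanza per UDP port is supported, so a second port is the only way
# to get a dedicated sourcetype at input time. The ESA must be reconfigured
# to send its syslog to this port (5514 is an assumed value).
[udp://514]
disabled = false
sourcetype = syslog
connection_host = dns

[udp://5514]
disabled = false
sourcetype = cisco_esa
# "ip" makes host the sender address; with "dns" it is the reverse-DNS name.
connection_host = ip

# Option B: keep everything on udp:514 and override the sourcetype per event,
# matching on the host Splunk assigned instead of on the syslog header.

# props.conf
[source::udp:514]
TRANSFORMS-esa_by_host = set_cisco_esa_by_host

# transforms.conf
[set_cisco_esa_by_host]
SOURCE_KEY = MetaData:Host
# MetaData:Host carries the value "host::<host>", so anchor both ends.
# With connection_host = dns the host is the resolved name, not the IP;
# match whatever value the host field actually shows in search.
REGEX = ^host::192\.168\.1\.200$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco_esa
```

Changes to inputs.conf need a restart of the Splunk instance that owns the listener, and props/transforms must live on the instance that parses the data (the indexer or heavy forwarder, not a universal forwarder). `splunk btool transforms list --debug` shows which file each stanza was loaded from. Either variant classifies data for parsing only: a UDP source address is trivially spoofed, so neither the stanza's remote-server filter nor a host-keyed transform authenticates the sender.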