Hello all,

We are collecting Cisco firewall logs into Splunk and have installed the "Splunk for Cisco Firewalls" application. There is a particular event id that is generated due to our Websense integration, ASA-5-304001 or PIX-5-304001, which indicates a user has visited a website. To enable better reporting on this type of log, I wanted to create a custom sourcetype of cisco_websense and parse out some of the data. These are the modifications I have made to transforms.conf and props.conf:

Transforms.conf modifications

[force_sourcetype_for_cisco_websense]
DEST_KEY = MetaData:Sourcetype
REGEX = %(ASA|PIX)-5-304001
FORMAT = sourcetype::cisco_websense

[cisco_websense-ip_addresses]
REGEX = \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
FORMAT = host::$1 src_ip::$2 dst_ip::$3

[cisco_websense-URL]
REGEX = (/|http:).*
FORMAT = url::$1

Props.conf modifications

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_websense, force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall

[cisco_websense]
REPORT-websense = ciscosyslog-eventinfo, cisco_websense-ip_addresses, cisco_websense-URL
lookup_table = err_code_lookup error_code
LOOKUP-vendor_info_for_cisco_firewall = cisco_firewall_vendor_info_lookup sourcetype OUTPUT vendor,product

For some reason I cannot figure out, after restarting Splunk the custom sourcetype cisco_websense is not being recognized. Any help with this issue is greatly appreciated.

Thank you.