Trying to transform syslog data arriving over UDP 514 into either cisco_asa or cisco_wsa_squid.
The asa logs work fine and transform as I expect, but the ironport logs do not - they remain as syslog.
transforms.conf file
[syslog-Cisco_IronPort]
DEST_KEY = MetaData:Sourcetype
REGEX = src=xxx\.xx\.33\.113
FORMAT = sourcetype::cisco_wsa_squid
DEST_KEY = MetaData:Sourcetype
[syslog-Cisco_ASA]
DEST_KEY = MetaData:Sourcetype
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(xxx.xx.1.132)[\w\.\-]{2,}\]?\s
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype
[source::udp:514]
TRANSFORMS-CHANGESOURCETYPES = syslog-Cisco_ASA,syslog-Cisco_IronPort
Thank you in advance ...
Try this; I use it for multi-device inputs that go to the same port. Put it in the etc\system\local directory; it should work for both TCP and UDP.
inputs.conf
#UDP:514 multidevice input
[udp://514]
connection_host = ip
index = syslog
props.conf
#UDP514 device split
[source::udp:514]
MAX_TIMESTAMP_LOOKAHEAD = 20
NO_BINARY_CHECK = 1
TRANSFORMS-changesourcetype = WTI_st, as400FISERV_st, as400COMPASS_st, CiscoBrRt_st, Cisco_IronPort_St
transforms.conf
#Ironport Email
[Cisco_IronPort_St]
REGEX = 111\.x\.x\.x|111\.x\.x\.x
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::Cisco-IronPort
DEST_KEY = MetaData:Sourcetype
#bryans power management equipment
[WTI_st]
REGEX = 111\.x\.x\.x|111\.x\.x\.x
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::WTI
DEST_KEY = MetaData:Sourcetype
[as400FISERV_st]
REGEX = 111\.x\.x\.x
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::as400FISERV
DEST_KEY = MetaData:Sourcetype
Please use the formatting tools (especially code) when typing config stuff. Regexes tend to get mangled by the input sanitation in the forum software.
Assuming that your backslashes in the confs are not really there - apart from the regexes - and that the x's are just your obfuscation, the only 'problem' I see is that you have duplicated the DEST_KEY in both transforms stanzas. You only need one in each.
Other than that - are you sure that your regex for IronPort matches your events? It sure looks simple enough, but...
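The two answers above boil down to three checks a practitioner wants to run offline before reloading Splunk: does every name in the props.conf TRANSFORMS-* list actually exist as a transforms.conf stanza, is any key set twice in a stanza, and does each REGEX really fire against a sample event (on _raw, the default, or on the host when SOURCE_KEY = MetaData:Host). The script below is an added example, not code from the original posts or from Splunk; it is a small standalone re-implementation of how Splunk evaluates a TRANSFORMS-* list in order (last matching transform wins), with constructed sample configs and events. The stanza names, the RFC 1918 addresses and the log lines are all invented for the illustration.

```python
import re

# Constructed props.conf: one reference ("missing_st") is deliberately absent from transforms.conf.
PROPS_CONF = r"""
[source::udp:514]
TRANSFORMS-changesourcetype = wsa_by_raw, wsa_by_host, asa_by_host, missing_st
"""

# Constructed transforms.conf. wsa_by_raw keys on the event text (default SOURCE_KEY = _raw)
# and repeats DEST_KEY; the other two key on the host metadata, as the first answer does.
TRANSFORMS_CONF = r"""
[wsa_by_raw]
REGEX = src=10\.0\.0\.5
FORMAT = sourcetype::cisco_wsa_squid
DEST_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype

[wsa_by_host]
SOURCE_KEY = MetaData:Host
REGEX = ^10\.0\.0\.5$
FORMAT = sourcetype::cisco_wsa_squid
DEST_KEY = MetaData:Sourcetype

[asa_by_host]
SOURCE_KEY = MetaData:Host
REGEX = ^10\.0\.0\.9$
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype
"""

# Constructed sample events. The WSA access log carries no "src=" field at all,
# so a _raw regex keyed on "src=" can never select it.
WSA_EVENT = "<134>Jun 10 12:00:01 wsa01 1718020801.123 250 10.0.1.50 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/10.0.3.4 text/html"
ASA_EVENT = "<166>Jun 10 12:00:02 asa01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:10.0.1.50/443 to inside:10.0.2.20/51000"
OTHER_EVENT = "<13>Jun 10 12:00:03 sw01 link up"


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Also returns the (stanza, key) pairs that were set more than once;
    like Splunk, the last value is the one kept."""
    stanzas, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in stanzas[current]:
            duplicates.append((current, key))
        stanzas[current][key] = value
    return stanzas, duplicates


def transform_names(props_stanza):
    """Flatten every TRANSFORMS-* list in a props stanza, preserving order."""
    names = []
    for key, value in props_stanza.items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names


def lint(props, transforms, duplicates):
    """Report dangling transform references and duplicated keys."""
    findings = []
    for stanza, keys in props.items():
        for name in transform_names(keys):
            if name not in transforms:
                findings.append(f"[{stanza}] references missing transform [{name}]")
    for stanza, key in duplicates:
        findings.append(f"[{stanza}] sets {key} more than once")
    return findings


def matching_transforms(event, host, names, transforms):
    """Names of the sourcetype-rewriting transforms whose REGEX fires for this event."""
    hits = []
    for name in names:
        t = transforms.get(name)
        if t is None or t.get("DEST_KEY") != "MetaData:Sourcetype":
            continue
        subject = host if t.get("SOURCE_KEY") == "MetaData:Host" else event
        if re.search(t["REGEX"], subject):
            hits.append(name)
    return hits


def assign_sourcetype(event, host, props, transforms, source="udp:514", default="syslog"):
    """Apply the source stanza's transforms in order; the last match sets the sourcetype."""
    names = transform_names(props.get(f"source::{source}", {}))
    sourcetype = default
    for name in matching_transforms(event, host, names, transforms):
        sourcetype = transforms[name]["FORMAT"].split("::", 1)[1]
    return sourcetype


def run_demo():
    props, _ = parse_conf(PROPS_CONF)
    transforms, dups = parse_conf(TRANSFORMS_CONF)
    names = transform_names(props["source::udp:514"])
    return {
        "findings": lint(props, transforms, dups),
        "wsa_hits": matching_transforms(WSA_EVENT, "10.0.0.5", names, transforms),
        "wsa": assign_sourcetype(WSA_EVENT, "10.0.0.5", props, transforms),
        "asa": assign_sourcetype(ASA_EVENT, "10.0.0.9", props, transforms),
        "other": assign_sourcetype(OTHER_EVENT, "10.0.0.77", props, transforms),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the two failure modes discussed in the thread side by side: the lint reports the dangling `missing_st` reference (the same kind of mistake as a stanza name that differs from the name listed in props.conf) and the repeated DEST_KEY, and `wsa_hits` contains only `wsa_by_host`, because the raw-text regex never sees a `src=` field in a WSA access log while the host-based regex does not depend on the log format at all.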