I've just installed the Splunk Add-on for Cisco ESA and looking to have the correct sourcetypes and field extractions. Am I simply appending my C:\Program Files\Splunk\etc\system\local\
props and transforms with what is contained in the C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-esa\default
props and transforms files?
Hi asofo,
Details of Configuration File precedence can be found here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Wheretofindtheconfigurationfiles
You can extend the props.conf and transforms.conf files at:
C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-esa\local
or
C:\Program Files\Splunk\etc\system\local\
Depending on the context of your installation either may be preferred.
Don
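To make the precedence behind Don's answer concrete, here is an added example (my own code, not from the thread or from Splunk) that merges constructed props.conf fragments from the four layers named above in the global (index-time) context: system/local overrides app/local, which overrides app/default, which overrides system/default. The stanza names and attribute values are illustrative; the point shown is that Splunk merges attribute by attribute, so a stanza you add in system/local only overrides the attributes you set there and keeps the rest from the add-on's default file.

```python
import configparser

# Constructed conf fragments standing in for the four layers Splunk merges.
# The paths are the ones discussed in the thread; the contents are made up
# for illustration and are not the add-on's real props.conf.
LAYERS = [
    ("etc/system/default/props.conf", """
[cisco:esa:textmail]
MAX_TIMESTAMP_LOOKAHEAD = 128
"""),
    ("etc/apps/Splunk_TA_cisco-esa/default/props.conf", """
[cisco:esa:textmail]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 32
"""),
    ("etc/apps/Splunk_TA_cisco-esa/local/props.conf", """
[cisco:esa:textmail]
MAX_TIMESTAMP_LOOKAHEAD = 64
"""),
    ("etc/system/local/props.conf", """
[cisco:esa:textmail]
TRUNCATE = 20000
"""),
]


def parse_conf(text):
    """Parse an INI-style Splunk .conf fragment, keeping attribute names case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk attributes such as TRANSFORMS-x are case-sensitive
    parser.read_string(text)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def merge_layers(layers):
    """Merge layers listed from lowest to highest precedence.

    A later (higher precedence) layer overrides earlier ones one attribute at a
    time; attributes it does not mention survive from the lower layers.
    """
    merged = {}
    for _path, text in layers:
        for stanza, attrs in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


def effective_props(layers=LAYERS):
    """Effective props.conf for the global context, as a dict of stanza -> attributes."""
    return merge_layers(layers)


if __name__ == "__main__":
    for stanza, attrs in effective_props().items():
        print(f"[{stanza}]")
        for key, value in attrs.items():
            print(f"{key} = {value}")
```

Run it and the `[cisco:esa:textmail]` stanza comes out with `MAX_TIMESTAMP_LOOKAHEAD = 64` (app/local beat app/default and system/default), `SHOULD_LINEMERGE = false` carried over from app/default, and `TRUNCATE = 20000` from system/local. The same merge rule is why either location Don names works: what matters is that your stanza ends up in a layer above the add-on's default.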
Hi, I've tried both of the above methods and I'm still receiving the syslog data as sourcetype syslog with no fields. I have to be missing a step. Here's what I have done:
• Our Messaging Team configured the IronPort to send mail_logs to our indexer via syslog.
• I installed the Splunk Add-on for Cisco ESA.
• Added all the stanzas contained in the props.conf and transforms.conf in C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-esa\default to the props.conf and transforms.conf located in C:\Program Files\Splunk\etc\system\local.
• Restarted Splunk.
Hi asofo,
As part of the Add on for Cisco ESA there should be a bundled sourcetype "cisco:esa:textmail".
If you can ensure your input is configured for this sourcetype, the fields should be extracted for you automatically.
Check what sourcetype your specific data input is set to. This can be achieved in Splunk Web by navigating to Settings -> Data -> Data Inputs.
If you would like to modify via .conf files, the inputs.conf file should have the settings you need to modify to get things set up.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Let me know how you go.
Don
Hi,
Thanks for your help. I had been setting it to the wrong sourcetype, cisco:esa, which was renaming it to cisco:esa:legacy and in turn using a different set of field extractions. This is why none of the panels in the Cisco Security Suite were populating data. I got it going by adding the stanza to my props.conf file to set the sourcetype as cisco:esa:textmail:
[host::Host-IP-Address]
TRANSFORMS-changesourcetype = cisco_esa_textmail_sourcetype
and then added this stanza to my transforms.conf file:
[cisco_esa_textmail_sourcetype]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)[?(Host-IP-Address)[\w.-]]?\s
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype
Thanks again!
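The fix above relies on an index-time `TRANSFORMS-*` rule rewriting the `MetaData:Sourcetype` key for events from one host. As an added example (my own code, not part of the thread and not Splunk's), the script below emulates that mechanism over constructed syslog lines so you can see which events get `cisco:esa:textmail` and which stay `syslog`. It assumes `10.0.0.5` in place of Host-IP-Address, uses a simpler REGEX of my own that keys on the `mail_logs:` tag (the regex posted above is hard to read as extracted, so it is not reproduced), matches `host::` stanzas exactly (real Splunk also accepts wildcards there), and the ESA log text imitates the general shape of mail_logs rather than being captured output.

```python
import re

# Constructed inbound syslog events as (host, raw text). The mail_logs lines
# imitate the general shape of ESA mail_logs and are not real appliance output.
SAMPLE_EVENTS = [
    ("10.0.0.5", "Mar 10 10:00:01 10.0.0.5 mail_logs: Info: MID 12345 ICID 67890 From: <alice@example.com>"),
    ("10.0.0.5", "Mar 10 10:00:02 10.0.0.5 mail_logs: Info: MID 12345 Message-ID '<abc@example.com>'"),
    ("10.0.0.5", "Mar 10 10:00:03 10.0.0.5 sshd[4321]: Accepted publickey for admin"),
    ("10.0.0.9", "Mar 10 10:00:04 fw01 kernel: accepted tcp 10.1.1.1:443"),
]

# props.conf / transforms.conf stanzas modelled on the ones in the answer above.
# "10.0.0.5" stands in for Host-IP-Address; the REGEX is my own assumption.
PROPS = {
    "host::10.0.0.5": {
        "TRANSFORMS-changesourcetype": "cisco_esa_textmail_sourcetype",
    },
}
TRANSFORMS = {
    "cisco_esa_textmail_sourcetype": {
        "REGEX": r"\smail_logs:\s+(?:Info|Warning|Critical):\s",
        "FORMAT": "sourcetype::cisco:esa:textmail",
        "DEST_KEY": "MetaData:Sourcetype",
    },
}


def assign_sourcetype(host, raw, default="syslog", props=PROPS, transforms=TRANSFORMS):
    """Emulate the index-time TRANSFORMS-* override of the MetaData:Sourcetype key.

    Only transforms whose DEST_KEY is MetaData:Sourcetype and whose REGEX matches
    the raw event change the sourcetype; everything else keeps the input's default.
    """
    sourcetype = default
    stanza = props.get(f"host::{host}", {})  # exact host match (no wildcard support here)
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        # a TRANSFORMS-* attribute may name several transforms, comma separated
        for name in (n.strip() for n in value.split(",")):
            rule = transforms[name]
            if rule.get("DEST_KEY") != "MetaData:Sourcetype":
                continue
            if re.search(rule["REGEX"], raw):
                # FORMAT for this key has the shape sourcetype::<new value>
                sourcetype = rule["FORMAT"].split("::", 1)[1]
    return sourcetype


def route_events(events=SAMPLE_EVENTS):
    """Return (host, raw, sourcetype) for every event."""
    return [(host, raw, assign_sourcetype(host, raw)) for host, raw in events]


def unrouted_from_host(host, events=SAMPLE_EVENTS, default="syslog"):
    """Diagnostic: events from a host that still carry the default sourcetype.

    This is the symptom described earlier in the thread (data arriving as plain
    syslog with no fields); a non-empty list means the REGEX or host stanza
    did not match those lines.
    """
    return [raw for h, raw, st in route_events(events) if h == host and st == default]


if __name__ == "__main__":
    for host, raw, sourcetype in route_events():
        print(f"{host:10} {sourcetype:20} {raw}")
    print("left as syslog from 10.0.0.5:", unrouted_from_host("10.0.0.5"))
```

The two mail_logs lines from 10.0.0.5 come out as `cisco:esa:textmail`, while the sshd line from the same host and the firewall line from 10.0.0.9 stay `syslog`; `unrouted_from_host` gives you the quick check for lines a REGEX silently fails to catch, which is worth running before concluding that a dashboard panel is empty for some other reason.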