Hi,
I'm new to Splunk and have installed the Enterprise trial on Windows and pointed two Cisco ASA firewalls at it. Logs are coming through fine and I've used props.conf and transforms.conf to tag them with an appropriate Index and SourceType.
props.conf
[host::192.168.5.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
[host::192.168.6.2]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
transforms.conf
[set_index_firewall_cisco_asa]
DEST_KEY = _MetaData:Index
FORMAT = firewall_cisco
REGEX = .
[set_sourcetype_firewall_cisco_asa]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa
REGEX = .
My question is about the scaleability of my configuration. It seems a little clunky to have to edit the config in the way that I have for each and every device I want Splunk to retrieve the logs of over the deafult TCP Syslog port. (I'm assuming I will want a different Index and SourceType for each device type).
Is there a performace hit with the config I have used (if so, is it big enough to worry about)?
Can anyone suggest a better way of achieving what I want?
Thanks : )
An easier method, as opposed to doing this for each host is to use in your regex %ASA which is included in every cisco asa event. Then in your props.conf you can just use :
[source::udp:514] (assuming you are receiving the data straight from syslog
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
Then you won't have to configure it for each and every firewall, it will only apply to syslog data that contains the string %ASA in it. Also, will be more efficient, since your regex is more specific than "."
An easier method, as opposed to doing this for each host is to use in your regex %ASA which is included in every cisco asa event. Then in your props.conf you can just use :
[source::udp:514] (assuming you are receiving the data straight from syslog
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
Then you won't have to configure it for each and every firewall, it will only apply to syslog data that contains the string %ASA in it. Also, will be more efficient, since your regex is more specific than "."