Getting Data In

Heavy forwarder filters

apezuela
Explorer

Hi,

I want to filter some events on my heavy forwarder device. I want to discard events that contain "PIX", but it is not filtering anything.

I modified the following files:

$SPLUNK_HOME/etc/system/local/inputs.conf

[monitor:///var/log/PIX515]
blacklist = \.(gz)
disabled = false
followTail = 0
host = password.enagas.eng
sourcetype = network_devices

$SPLUNK_HOME/etc/system/local/props.conf

[source:://var/log/REDES]
TRANSFORMS-null= setnull

$SPLUNK_HOME/etc/system/local/transforms.conf

[setnull]
REGEX = .*PIX-1.*
DEST_KEY = queue
FORMAT = nullQueue

How can I know what is happening?


UPDATE:

Hi,

I made a mistake; my configuration is:

$SPLUNK_HOME/etc/system/local/inputs.conf

[monitor:///var/log/REDES]
blacklist = \.(gz) 
disabled = false 
followTail = 0 
host = password.enagas.eng
sourcetype = network_devices

$SPLUNK_HOME/etc/system/local/props.conf

[source:://var/log/REDES]
TRANSFORMS-null= setnull

I chose that sourcetype because I am testing the configuration.

Your suggestion is to change, in props.conf,

[source:://var/log/REDES] to [sourcetype::network_devices]


UPDATE2:

I rewrote my configuration, but it is still not working:

$SPLUNK_HOME/etc/system/local/inputs.conf

[monitor:///var/log/REDES]
blacklist = \.(gz) 
disabled = false 
followTail = 0 
host = password.enagas.eng
sourcetype = cisco

$SPLUNK_HOME/etc/system/local/props.conf

[cisco]
TRANSFORMS-null= setnull

$SPLUNK_HOME/etc/system/local/transforms.conf

[setnull]
REGEX = .*PIX-1.*
DEST_KEY = queue
FORMAT = nullQueue

I want to filter the following log message:

Mar 19 16:48:11 72.16.30.100 %PIX-1-106021: Deny UDP reverse path check from

0 Karma

kristian_kolb
Ultra Champion

Do you have the correct props.conf stanza (i.e. source:://var/log/REDES)? It seems to differ from the path in the monitor in inputs.conf.

It is probably a good idea to make use of the sourcetype, rather than the source attribute - but perhaps you've been using the network_devices sourcetype for totally different types of log as well.

Usually, a sourcetype should describe an event format, so that things like field extractions can be made simpler. Grouping by function is better done at the index level (i.e. separate indexes for network, web, windows_events etc.). That approach also makes it easier to set access restrictions...


UPDATE:

Four small things:
1) Use the 'code' button that looks like 1010101 when posting examples of code that may contain special characters.

2) In props.conf it should be [network_devices]. It's just one of those special things. source and host still require the :: notation.

3) The idea of using the sourcetype is more of a mindset thing; if you have the same type of log from several different hosts they should have the same sourcetype, as you'll probably want to extract the same fields from them. Having too wide a sourcetype definition will send too many events through unnecessary field extraction regexes that will never match. Having too narrow a sourcetype definition will force you to duplicate the extraction configurations.

4) Update your original questions (or answers) rather than creating new ones.

/k

0 Karma
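To make the stanza-header point in the answer concrete, here is an added example (not the poster's configuration and not Splunk's own code) that emulates, in a simplified way, how a props.conf stanza is selected for an event and how a TRANSFORMS class with DEST_KEY = queue / FORMAT = nullQueue decides where the event goes. It assumes the documented stanza forms: a bare header names a sourcetype, source:: and host:: headers carry a pattern in which * matches within one path segment and ... matches across segments, and the source field holds the full path of the monitored file. The config texts, the file path /var/log/REDES/pix.log and the two log lines are constructed for the example; the "source:://var/log/REDES" header is kept from the question so the emulation can show why it never matches.

```python
import re

# Added emulation of Splunk's props.conf/transforms.conf nullQueue routing.
# Everything below is constructed for illustration and is not Splunk's code.

# The bare sourcetype header (point 2 of the answer) beside a source:: header
# with a pattern that covers files under the monitored directory.
PROPS_OK = """
[cisco]
TRANSFORMS-null = setnull

[source::/var/log/REDES/...]
TRANSFORMS-null = setnull
"""

# The header from the question: an extra slash after '::' and no wildcard,
# so it never equals the full file path that ends up in the source field.
PROPS_BROKEN = """
[source:://var/log/REDES]
TRANSFORMS-null = setnull
"""

TRANSFORMS = """
[setnull]
REGEX = .*PIX-1.*
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed events as a heavy forwarder would see them after the monitor
# input stamps source/sourcetype/host (raw text and addresses are made up).
SAMPLE_EVENTS = [
    {"_raw": "Mar 19 16:48:11 172.16.30.100 %PIX-1-106021: Deny UDP reverse path check "
             "from 10.1.1.5 to 10.1.1.9 on interface inside",
     "source": "/var/log/REDES/pix.log", "sourcetype": "cisco", "host": "fw01.example"},
    {"_raw": "Mar 19 16:48:12 172.16.30.100 %PIX-6-302015: Built outbound UDP connection "
             "4411 for outside:10.1.1.9/53 to inside:10.1.1.5/40123",
     "source": "/var/log/REDES/pix.log", "sourcetype": "cisco", "host": "fw01.example"},
]


def parse_conf(text):
    """Parse a minimal .conf file into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanza_matches(stanza, event):
    """A bare header names a sourcetype; source::/host:: headers carry a
    pattern where '*' matches within one path segment and '...' across
    segments. The pattern must cover the whole field value."""
    if stanza.startswith("source::"):
        field, pattern = "source", stanza[len("source::"):]
    elif stanza.startswith("host::"):
        field, pattern = "host", stanza[len("host::"):]
    else:
        return event["sourcetype"] == stanza
    regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, event[field]) is not None


def destination_queue(props, transforms, event):
    """Run every TRANSFORMS-* class of each matching stanza; a transform with
    DEST_KEY=queue whose REGEX hits _raw decides the queue via FORMAT."""
    for stanza, settings in props.items():
        if not stanza_matches(stanza, event):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "queue" and re.search(t.get("REGEX", "(?!)"), event["_raw"]):
                    return t.get("FORMAT", "indexQueue")
    return "indexQueue"


def route(props_text, transforms_text, events):
    """Return the queue each event lands in under the given configuration."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return [destination_queue(props, transforms, e) for e in events]


if __name__ == "__main__":
    for label, conf in (("working stanzas", PROPS_OK), ("question's stanza", PROPS_BROKEN)):
        for event, queue in zip(SAMPLE_EVENTS, route(conf, TRANSFORMS, SAMPLE_EVENTS)):
            print(f"{label:18} {queue:10} {event['_raw'][:50]}")
```

Run as a script, it shows the PIX-1 line going to nullQueue under both the [cisco] and the source::/var/log/REDES/... headers, the PIX-6 line going to indexQueue, and nothing being dropped under the header from the question. Two checks worth doing on a real heavy forwarder before relying on a nullQueue filter: confirm the REGEX against a handful of real lines (events sent to nullQueue are gone for good, so a too-broad pattern silently loses data), and run `splunk btool props list --debug` to see which file and stanza are actually in effect for the sourcetype, since a stanza in an unexpected app or a precedence conflict looks exactly like a filter that "does nothing".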

kristian_kolb
Ultra Champion

see updates above

0 Karma