Hi,
I have Cisco ASA and Cisco ISE syslogs coming to Splunk on UDP port 1026. I would like to differentiate the sourcetype and index for both.
Cisco ASA logs source type has to be changed as cisco:asa and moved to an index called cisco_asa.
Cisco ISE logs source type has to be changed to cisco:ise:syslog and moved to an index called cisco_ise.
Please help to build the props and transforms for the above.
Regards
Sajin
If the answer given by @stephanefotso doesn't work (and I expect it won't, but I give him karma for a clever option to try), then you will have to either give up your goal to have each in a separate index or your goal to have them both come to the same port. If you go with the latter, then do just as @stephanefotso said, but have 2 different ports. If you go with the former, then you can do a sourcetype override like this:
In transforms.conf:
[set_sourcetype_cisco_asa]
REGEX = YOUR REGEX HERE maybe something like (?:10.0.1.21|10.0.1.23)
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
[set_sourcetype_cisco_ise]
REGEX = YOUR REGEX HERE maybe something like (?:10.0.1.21|10.0.1.23)
FORMAT = sourcetype::cisco:ise
DEST_KEY = MetaData:Sourcetype
In props.conf:
[source::udp:1026]
TRANSFORMS-cisco_sourcetype_overrides = set_sourcetype_cisco_asa set_sourcetype_cisco_ise
You will have to deploy these files to your indexers (or heavy forwarder) and it will NOT change anything that is already in Splunk.
I was also thinking to do the below.
[set_sourcetype_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_sourcetype_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[source::udp:1026]
TRANSFORMS-set_sourcetype_sonicwall = set_sourcetype_ciscoasa set_sourcetype_ciscoise
But still, how do I move it to a different index?
I will try the first option given by @stephanefotso and if that doesn't help, will look at the latter.
Will update you all today.
Regards
Sajin
Re-read my answer; it is a COMPLETE answer. If the suggestion by @stephanefotso does not work, then it is NOT POSSIBLE unless you split ports and put one on 1026 and the other on another port. Then you will have 2 entries in inputs.conf and each one will have a different index= line.
So did anything work out?
I did not try editing anything in the props and transforms. I have used the Splunk Add-on for Cisco ASA, the Splunk Add-on for Cisco ISE and the Cisco Network Add-on. After that I changed the configuration in the data inputs page in Splunk. I have created UDP inputs with specific IP addresses and syslog ports and manually defined the sourcetype. It has translated the sourcetype for all the events to cisco:asa, cisco:ise:syslog and cisco:ios respectively and I am able to get the Cisco apps working fine.
Please let me know if there will be any operational impact or technical difficulty in implementing the Splunk ES with this kind of data input configurations.
Thanks a lot for the suggestions.
Regards
sajin
OK, so you used the split-port solution. The TAs should use the sourcetype as the basis for almost everything, so as long as you are keeping with the naming conventions that they used, you should be fine. Please "Accept" an answer to close off this question.
ok. I understand.
The acceptFrom = <parameter> in your inputs.conf lets you list a set of networks or addresses to accept connections from.
This means that if you know exactly which machine is sending Cisco ASA syslog, you could do something like this:
[udp://<remote server>:<port>]
acceptFrom = 10.1.2.3
sourcetype = cisco:asa
index = cisco_asa
source = udp1026
.......
Do the same for your Cisco ISE logs
Thanks
Hello! You can do it using Splunk Web, or the Splunk CLI, or by editing your props.conf. Just read this: http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports
Thanks
The above URL shows how to get data into Splunk, which is already done. The data is currently coming in as source=udp1026 and sourcetype=syslog.
What I require is:
1. Sourcetype for Cisco ASA logs to be changed to cisco:asa and moved to an index cisco_asa.
2. Sourcetype for Cisco ISE logs to be changed to cisco:ise:syslog and moved to an index cisco_ise.
Regards
Sajin
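For reference, here is an added configuration example (not posted by anyone in this thread) that does both parts of the request above on a single shared UDP input: each device gets one transform that rewrites the sourcetype and a second that rewrites the index via the _MetaData:Index destination key. The host addresses 192.168.1.251 (ASA) and 192.168.1.250 (ISE) are taken from the earlier attempt in this thread and are assumed to be the syslog senders.

```ini
# transforms.conf (added example; host addresses are assumed senders)
# A transform writes exactly one metadata key, so each device needs two:
# one for MetaData:Sourcetype and one for _MetaData:Index.
[set_sourcetype_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_index_ciscoasa]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.251$
FORMAT = cisco_asa
DEST_KEY = _MetaData:Index

[set_sourcetype_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = sourcetype::cisco:ise:syslog
DEST_KEY = MetaData:Sourcetype

[set_index_ciscoise]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.250$
FORMAT = cisco_ise
DEST_KEY = _MetaData:Index

# props.conf (added example): apply all four transforms to the shared port.
# They run in the listed order; a transform whose REGEX does not match
# leaves the event untouched, so unmatched hosts keep index/sourcetype
# from inputs.conf.
[source::udp:1026]
TRANSFORMS-cisco_route = set_sourcetype_ciscoasa, set_index_ciscoasa, set_sourcetype_ciscoise, set_index_ciscoise
```

Both target indexes must already exist on the indexer, and the match relies on the UDP input stamping the sender's IP as the host (connection_host = ip, the default for udp inputs); as noted earlier in the thread, these files belong on the indexers or a heavy forwarder and only affect newly received events.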