Need help filtering Cisco ASA Logs at index time.

balbano
Contributor

Hey Guys,

I am trying to understand how the props.conf and transforms.conf work when manipulating/filtering data.

In a very simple way, let me explain what I need done.

Problem: I have Cisco ASA Logs sent to this syslog-ng server.

I would like to set up a monitor point on the folder containing the logs. However, I want to exclude the following events from getting indexed:

ASA-6-302016
ASA-6-302015
ASA-7-609001
ASA-7-609002
ASA-6-302013
ASA-6-302014
ASA-6-302020
ASA-6-302021
ASA-6-305012
ASA-6-305011

Everything else other than this I would like to index to a certain specified index.

Can someone tell me from start to finish how I would do this, as far as specifying the monitor path to get indexed and the appropriate props.conf/transforms.conf configuration specifications that are needed.

The documentation is a little tricky for me to understand so maybe an example will make me understand better.

Appreciate any help you can provide.

Thanks.

Brian

1 Solution

jbsplunk
Splunk Employee
 props.conf

 [yoursourcetype]
 TRANSFORMS-null = setnull

 transforms.conf

 [setnull]
 REGEX = ASA-[67]-(302016|302015|609001|609002|302013|302014|302020|302021|305012|305011)
 DEST_KEY = queue
 FORMAT = nullQueue

chris_moody
Engager

or - better yet, why not save yourself the unnecessary log traffic and load on the ASA anyway and just turn those message numbers off at the source.

ex>
asa-firewall# conf t
asa-firewall(config)# no logging message 302016
asa-firewall(config)# no logging message 302015
etc.

-Chris

cvajs
Contributor

sorry, once again this forum code is a pita and takes a single \ as a special char.

it should be
%ASA-(\w+-)?[67]-(code|code|code|code)

cvajs
Contributor

your regex will fail with the 8.4+ ASA (need to verify actual revs), it comes in with %ASA-session- in it,
see http://splunk-base.splunk.com//answers/42936/cisco-asa-logging-format-change

so you might modify the regex to be
%ASA-(session-)?[67]-(code|code|code|code)
or
%ASA-(\w+-)?[67]-(code|code|code|code)

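To see what the accepted answer's nullQueue transform does to real-looking events, and why cvajs widens the regex for the newer "%ASA-session-" header, here is an added Python model of the routing decision (example code, not from the thread or from Splunk; the index name "cisco_asa" and the sample syslog lines are assumptions):

```python
import re

# The ten message IDs from the question, and the level class [67] from the answer.
DROP_IDS = ("302016", "302015", "609001", "609002", "302013",
            "302014", "302020", "302021", "305012", "305011")
ID_ALT = "|".join(DROP_IDS)

# Regex as written in the accepted answer (matches "%ASA-6-302016" headers only).
ORIGINAL_REGEX = re.compile(r"ASA-[67]-(" + ID_ALT + r")")
# Widened form suggested by cvajs: also matches "%ASA-session-6-302016".
WIDENED_REGEX = re.compile(r"%ASA-(\w+-)?[67]-(" + ID_ALT + r")")

# Index name is an assumption; the question only says "a certain specified index".
TARGET_INDEX = "cisco_asa"


def route_event(raw, regex=WIDENED_REGEX):
    """Mimic the index-time transform: events the REGEX matches go to
    nullQueue (Splunk's REGEX is an unanchored search, like re.search);
    everything else goes to the target index."""
    return "nullQueue" if regex.search(raw) else TARGET_INDEX


def route_events(lines, regex=WIDENED_REGEX):
    """Route every line; returns {destination: [events]}."""
    routed = {}
    for line in lines:
        routed.setdefault(route_event(line, regex), []).append(line)
    return routed


def missed_by_original(lines):
    """Lines the original regex would still index but the widened one drops,
    i.e. the 8.4+ '%ASA-session-' header case cvajs describes."""
    return [line for line in lines
            if route_event(line, ORIGINAL_REGEX) != "nullQueue"
            and route_event(line, WIDENED_REGEX) == "nullQueue"]


# Constructed sample syslog lines (not from the thread); bodies abbreviated.
SAMPLE_LINES = [
    "May 1 10:00:01 fw1 %ASA-6-302016: Teardown UDP connection 12345 ...",
    "May 1 10:00:02 fw1 %ASA-session-6-302013: Built inbound TCP connection ...",
    "May 1 10:00:03 fw1 %ASA-6-106023: Deny tcp src outside:198.51.100.7/4421 ...",
    "May 1 10:00:04 fw1 %ASA-7-609001: Built local-host inside:10.0.0.5",
    "May 1 10:00:05 fw1 %ASA-4-733100: [ Scanning] drop rate-1 exceeded ...",
]

if __name__ == "__main__":
    for dest, events in route_events(SAMPLE_LINES).items():
        print(f"{dest}: {len(events)} event(s)")
    print("missed by original regex:", missed_by_original(SAMPLE_LINES))
```

Note that the deny and scanning-threat events (106023, 733100) are never dropped; the filter only removes the connection build/teardown chatter listed in the question.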

jbsplunk
Splunk Employee
Splunk Employee

glad to help!

balbano
Contributor

Thank You!!!

balbano
Contributor

Anything guys?
