An easier method, as opposed to doing this for each host, is to use %ASA in your regex, which is included in every Cisco ASA event. Then in your props.conf you can just use (assuming you are receiving the data straight from syslog):
[source::udp:514]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa
Then you won't have to configure it for each and every firewall; it will only apply to syslog data that contains the string %ASA in it. Also, it will be more efficient, since your regex is more specific than ".".
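The props.conf stanza in the answer above refers to two transforms by name; the following is an added example, not part of the original post, showing how the matching transforms.conf stanzas could look when keyed on %ASA. The index name `firewall` and the sourcetype `cisco:asa` are assumptions; substitute your own.

```ini
# props.conf -- stanza from the post above: applies to everything arriving on UDP 514
[source::udp:514]
TRANSFORMS-firewall_cisco = set_index_firewall_cisco_asa, set_sourcetype_firewall_cisco_asa

# transforms.conf -- stanza names match the TRANSFORMS- list above
[set_index_firewall_cisco_asa]
# Only events whose raw text contains the Cisco ASA message tag are rewritten
REGEX = %ASA
DEST_KEY = _MetaData:Index
# Assumption: an index named "firewall" already exists on the indexers
FORMAT = firewall

[set_sourcetype_firewall_cisco_asa]
REGEX = %ASA
DEST_KEY = MetaData:Sourcetype
# Assumption: target sourcetype name; the "sourcetype::" prefix is required
FORMAT = sourcetype::cisco:asa
```

These are index-time transforms, so both files belong on the instance that parses the data (indexer or heavy forwarder). Syslog events on UDP 514 that do not contain %ASA keep the input's default index and sourcetype, which makes misrouted or unexpected senders easy to spot.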