Trying to transform syslog data arriving over UDP 514 into either cisco_asa or cisco_wsa_squid.
The ASA logs work fine and transform as I expect, but the IronPort logs do not: they remain as syslog.
transforms.conf file:

[syslog-Cisco_IronPort]
REGEX = src=xxx\.xx\.33\.113
FORMAT = sourcetype::cisco_wsa_squid
DEST_KEY = MetaData:Sourcetype

[syslog-Cisco_ASA]
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(xxx.xx.1.132[\w\.\-]{2,})\]?\s
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype
props.conf file:

[source::udp:514]
TRANSFORMS-CHANGESOURCETYPES = syslog-Cisco_ASA,syslog-Cisco_IronPort
Thank you in advance ...
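To check which of these rules would actually fire on a raw event before touching the indexer, here is a small offline harness (an added example, not Splunk code and not the asker's). It parses transforms.conf-style stanzas, applies them in the order props.conf lists them, and reports the resulting sourcetype; it assumes that when several rules rewrite MetaData:Sourcetype the last match wins, uses a simplified ASA host match, and the "xxx.xx.*" addresses and sample events are constructed placeholders.

```python
import configparser
import re

# Constructed transforms.conf text modelled on the question's stanzas. The ASA
# REGEX is simplified to a host match (an assumption); the IronPort REGEX is
# the question's own. "xxx.xx.*" addresses are the question's placeholders.
TRANSFORMS_CONF = r"""
[syslog-Cisco_ASA]
REGEX = xxx\.xx\.1\.132
FORMAT = sourcetype::cisco_asa
DEST_KEY = MetaData:Sourcetype

[syslog-Cisco_IronPort]
REGEX = src=xxx\.xx\.33\.113
FORMAT = sourcetype::cisco_wsa_squid
DEST_KEY = MetaData:Sourcetype
"""
# Order of the TRANSFORMS-CHANGESOURCETYPES list in the question's props.conf.
TRANSFORMS_ORDER = ["syslog-Cisco_ASA", "syslog-Cisco_IronPort"]

def load_transforms(conf_text, order=TRANSFORMS_ORDER):
    """Parse transforms.conf-style stanzas into (name, regex, sourcetype) tuples."""
    cp = configparser.ConfigParser(interpolation=None)  # no %-interpolation in Splunk conf
    cp.read_string(conf_text)
    rules = []
    for name in order:
        stanza = cp[name]
        if stanza["DEST_KEY"] != "MetaData:Sourcetype":
            raise ValueError(f"{name}: only MetaData:Sourcetype rewrites are modelled here")
        target = stanza["FORMAT"].split("sourcetype::", 1)[1]
        rules.append((name, re.compile(stanza["REGEX"]), target))
    return rules

def resolve_sourcetype(event, rules, default="syslog"):
    """Try every rule in list order; the last matching rule sets the sourcetype.
    Returns the final sourcetype and the names of all rules that matched."""
    sourcetype, matched = default, []
    for name, regex, target in rules:
        if regex.search(event):
            matched.append(name)
            sourcetype = target
    return sourcetype, matched

# Constructed sample events in syslog-over-UDP shape (not real captures).
SAMPLES = {
    "asa": "<166>Jan 10 12:00:01 xxx.xx.1.132 %ASA-6-302013: Built outbound TCP connection 12345",
    "wsa_with_src": "<38>Jan 10 12:00:02 xxx.xx.33.113 Info: src=xxx.xx.33.113 dst=198.51.100.7",
    "wsa_squid_format": "<38>Jan 10 12:00:03 xxx.xx.33.113 1736510403.123 250 10.0.0.5 TCP_MISS/200 GET",
}
```

Running `resolve_sourcetype` over each sample shows the rule only fires when its REGEX matches the raw event text, so a squid-format WSA line with no `src=` field stays at the default sourcetype.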