Good day,
I'm trying to filter connection events from FMC eStreamer, i.e. I do not need Allowed connections in Splunk. I thought I had dug through enough of the Splunk documentation and Community, but I guess not. 😞 So I need help from senior admins.
I created the following in /opt/splunk/etc/apps/TA-eStreamer/local:
props.conf:
[cisco:estreamer:data]
rename = fmc
TRANSFORMS-send-data-to-null-queue = setnull
transforms.conf:
[setnull]
REGEX = (fw_rule_action=Allow)
DEST_KEY = queue
FORMAT = nullQueue
I restarted Splunk, and yet I still get:
rec_type=71 file_count=0 client_app="SSL client" mac_address=00:00:00:00:00:00 dest_ip=... dest_port=443 sec_intel_ip=N/A
...
ssl_expected_action=Unknown app_proto=HTTPS ssl_server_name="" ssl_cert_fingerprint=0000000000000000000000000000000000000000 has_ipv6=1 fw_rule_action=Allow ssl_rule_id=0
...
I'm using the latest eStreamer eNcore:
https://splunkbase.splunk.com/app/3662/
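A quick way to separate "is the nullQueue rule logically right?" from "is it being applied at all?" is to replay the transforms.conf stanza over sample events outside Splunk. The script below is an added example, not part of the post or of the TA-eStreamer app: it parses the posted [setnull] stanza with Python's configparser, compiles its REGEX, and reports which of a few constructed eNcore-style events (not real FMC data) would be routed to nullQueue the way Splunk's index-time queue routing would. The event strings and the function names are assumptions made for the example.

```python
import configparser
import re

# The transforms.conf stanza exactly as posted, embedded as a string for the simulation.
TRANSFORMS_CONF = """
[setnull]
REGEX = (fw_rule_action=Allow)
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events in eStreamer eNcore key=value style (not captured data).
SAMPLE_EVENTS = [
    'rec_type=71 client_app="SSL client" dest_port=443 fw_rule_action=Allow ssl_rule_id=0',
    'rec_type=71 client_app="HTTP" dest_port=80 fw_rule_action=Block ssl_rule_id=0',
    'rec_type=71 client_app="SSL client" dest_port=443 fw_rule_action=Trust ssl_rule_id=0',
    # A non-71 record that also carries the key: the posted regex does not look at rec_type,
    # so this would be dropped too.
    'rec_type=400 priority=1 msg="constructed" fw_rule_action=Allow',
]


def load_nullqueue_rules(conf_text):
    """Parse transforms.conf-style stanzas and return (name, compiled regex) for every
    stanza that routes matching events to nullQueue (DEST_KEY = queue, FORMAT = nullQueue)."""
    cp = configparser.ConfigParser(interpolation=None)  # regexes may contain '%'
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in their written case
    cp.read_string(conf_text)
    rules = []
    for name in cp.sections():
        stanza = cp[name]
        if stanza.get("DEST_KEY") == "queue" and stanza.get("FORMAT") == "nullQueue":
            rules.append((name, re.compile(stanza["REGEX"])))
    return rules


def route(event, rules):
    """Mimic index-time queue routing: the first nullQueue rule whose REGEX matches the
    raw event wins; otherwise the event continues to the index queue."""
    for _name, regex in rules:
        if regex.search(event):
            return "nullQueue"
    return "indexQueue"


def simulate(conf_text, events):
    """Return a mapping of each sample event to the queue it would be routed to."""
    rules = load_nullqueue_rules(conf_text)
    return {event: route(event, rules) for event in events}


if __name__ == "__main__":
    for event, destination in simulate(TRANSFORMS_CONF, SAMPLE_EVENTS).items():
        print(f"{destination:10s} {event}")
```

If the Allow event is routed to nullQueue here but still lands in the index, the stanza itself is not the problem: index-time transforms run only on the first full Splunk instance that parses the data (a heavy forwarder or the indexer, never a universal forwarder), and the props stanza must name the sourcetype the data has at that parsing stage. The fourth sample also shows that the posted regex drops any record containing the key, not only rec_type=71 connection events.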