I'm not an advanced Splunk user... just a little regex here and there, but I use it for searching my log data for my lab testing devices. I recently downloaded the Cisco Security Suite and Cisco Firewalls apps a couple of days ago (v.2.0). For some reason they are not parsing out the logs correctly, but I may need to edit the regex and field extraction for my uses. My logs that I want to normalize into a common log format look like the following:
host.domain.com Feb 09 2013 21:33:39 HOSTNAME01 : %FWSM-5-106100: access-list VLAN20_IB permitted tcp VLAN20/X.X.X.X(39876) -> VLAN40/Y.Y.Y.Y(25) hit-cnt 1 (first hit) [0x16fc583b, 0x1b2ed17e]
host.domain.com Feb 09 2013 21:35:39 HOSTNAME01 : %FWSM-5-106100: access-list VLAN90_IB denied tcp VLAN90/X.X.X.X(39876) -> VLAN50/Y.Y.Y.Y(80) hit-cnt 1 (first hit) [0x16fc583b, 0x1b2ed17e]
I'm somewhat new to this (so please go easy). I've read countless things now, so much so that my head is spinning. Does anyone have any pointers on how I can get these normalized into searchable fields? It would be nice to have fields that go like this:
fwsm_fqdn=host.domain.com, fwsm_timestamp=Feb 09 2013 21:33:39, fwsm_hostname=HOSTNAME01, fwsm_severity=5, fwsm_event-id=106100, fwsm_acl=VLAN20_IB, fwsm_action=permitted, fwsm_protocol=tcp, fwsm_src_int=VLAN20, fwsm_src=X.X.X.X, fwsm_src-port=39876, fwsm_dst_int=VLAN40, fwsm_dst=Y.Y.Y.Y, fwsm_dst-port=80
Is this possible, or does anyone know how I can go about doing this? I may be completely missing things here, but I think this can somehow be done...?
Thanks for any help!!
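As an added example (not from the poster or the Cisco apps), here is one regex with named groups that pulls the fields listed above out of the two FWSM-5-106100 lines from the post; the hyphenated names (fwsm_event-id, fwsm_src-port, fwsm_dst-port) are assumed to become underscored ones, since named capture groups cannot contain hyphens.

```python
import re
from typing import Optional

# The two lines quoted in the post, used unchanged as sample input
# (X.X.X.X / Y.Y.Y.Y are the poster's own address placeholders).
SAMPLE_LOGS = [
    "host.domain.com Feb 09 2013 21:33:39 HOSTNAME01 : %FWSM-5-106100: access-list VLAN20_IB permitted tcp VLAN20/X.X.X.X(39876) -> VLAN40/Y.Y.Y.Y(25) hit-cnt 1 (first hit) [0x16fc583b, 0x1b2ed17e]",
    "host.domain.com Feb 09 2013 21:35:39 HOSTNAME01 : %FWSM-5-106100: access-list VLAN90_IB denied tcp VLAN90/X.X.X.X(39876) -> VLAN50/Y.Y.Y.Y(80) hit-cnt 1 (first hit) [0x16fc583b, 0x1b2ed17e]",
]

# PCRE-compatible pattern; group names mirror the wished-for field list,
# with hyphens swapped for underscores (an assumption, not from the post).
FWSM_106100 = re.compile(
    r"^(?P<fwsm_fqdn>\S+)\s+"
    r"(?P<fwsm_timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<fwsm_hostname>\S+)\s*:\s+"
    r"%FWSM-(?P<fwsm_severity>\d)-(?P<fwsm_event_id>\d+):\s+"
    r"access-list\s+(?P<fwsm_acl>\S+)\s+"
    r"(?P<fwsm_action>permitted|denied)\s+"
    r"(?P<fwsm_protocol>\S+)\s+"
    r"(?P<fwsm_src_int>[^/\s]+)/(?P<fwsm_src>[^(\s]+)\((?P<fwsm_src_port>\d+)\)\s+->\s+"
    r"(?P<fwsm_dst_int>[^/\s]+)/(?P<fwsm_dst>[^(\s]+)\((?P<fwsm_dst_port>\d+)\)"
)


def parse_fwsm_106100(line: str) -> Optional[dict]:
    """Return the named fields for one %FWSM-x-106100 line, or None if the
    line is some other message type (the pattern anchors on 'access-list')."""
    m = FWSM_106100.search(line)
    return m.groupdict() if m else None


def parse_all(lines):
    """Parse every line, silently skipping the ones that are not 106100 events."""
    return [f for f in (parse_fwsm_106100(l) for l in lines) if f]


if __name__ == "__main__":
    for fields in parse_all(SAMPLE_LOGS):
        print(", ".join(f"{k}={v}" for k, v in fields.items()))
```

The same pattern works in an inline `rex` command or a props.conf `EXTRACT-` stanza once the Python-style `(?P<name>...)` groups are written as `(?<name>...)`.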