Getting Data In

Best practice for using syslog (Cisco ASA en others) from forwarder (Kiwi Deamon)

Starlette
Contributor

Hai There,

I am dealing with a forwarder to indexer which is reading a kiwi directory with several types of devices. Mainly Cisco router/swithes ASA's and Cisco FW modules, also some other stuff. Events are flowing in with sourcetype as the orig filename.

I extacted the hosts with hostoverides, and overided some sourcetypes ( asa, pix etc)

Question is :

What is Field extracted for syslog and Cisco_syslog, I am now using overiding in index time but looks like I am re-ineventing the wheel for syslog (cisco)syslog) Are those default extractions somewhere in the install?

Cheers Dutchy

Tags (1)

Starlette
Contributor

Hai BunnyHop,

Thanks,

For somme reason I overlooked this DIR, now it make sense that there are no extractions for Cisco ( exept in the security ap) Cisco_syslog is using :

[syslog-extractions] REGEX = \s([^\s[]+)(?:[(\d+)])?:\s FORMAT = process::$1 pid::$2

Thats it,,,I am already using the security app for asa and FWSM, but have to reinent the wheel for router/switch logs can you share what you have sofar btw? thanks, Dutchy

0 Karma

BunnyHop
Contributor

You will find the extractions that the Cisco_Syslog sourcetype is using on the default folder:

%SPLUNK%\etc\system\default\

files are props.conf and transforms.conf

These are basis extractions. There are Cisco apps that does additional extractions, but it will probably be compatible with the newer devices, rather than the older ones. So if you have PIX, that app won't help you.

http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+Cisco+Security

I have created my own inline extractions using regex. If you want to do the same, you would create them on the local folder. The settings in this folder takes precedence over the default.

%SPLUNK%\etc\system\local\

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...