
SourceType using Props.conf and Transforms.conf

rmcdougal
Path Finder

Ok, so here is the deal. I will have quite a few different types of events coming through on UDP 514 and need to sourcetype them differently. I have read enough to find that this is supposed to be possible, however I can't get it to work. Here is what I have so far.

To start with here is a sample event stream.

Jun  7 14:25:25 10.220.5.27 8417003: *Jun  7 14:22:01.037 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.115(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:27 10.220.5.27 8417004: *Jun  7 14:22:02.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.116(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:28 10.220.5.27 8417005: *Jun  7 14:22:03.493 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.52(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:29 10.220.5.27 8417006: *Jun  7 14:22:04.905 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.71(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:31 10.220.5.27 8417007: *Jun  7 14:22:06.445 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.152(137) -> 10.222.71.255(137), 2 packets
Jun  7 14:25:33 10.220.5.27 8417008: *Jun  7 14:22:08.325 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.54(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:34 10.220.5.27 8417009: *Jun  7 14:22:09.393 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.66(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:36 10.220.5.27 8417010: *Jun  7 14:22:12.093 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.49(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:38 10.220.5.27 8417011: *Jun  7 14:22:13.341 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.64(5510) -> 255.255.255.255(5510), 1 packet
Jun  7 14:25:39 10.220.5.27 8417012: *Jun  7 14:22:14.693 cst: %SEC-6-IPACCESSLOGP: list Check-TCP-UDP permitted udp 10.222.71.55(5510) -> 255.255.255.255(5510), 1 packet

Now what I would like to do is to use the device IP address (10.220.5.27) as a means to sourcetype this type of event. This is what I have in my props and transforms right now on the indexer.

props.conf

[source::UDP:514]
TRANSFORMS-transCisco = transCisco

transforms.conf

[transCisco]
REGEX=10.220.5.27
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype
1 Solution

richprescott
Path Finder

Try this stanza instead:


[transCisco]
REGEX=(10\.220\.5\.27)
FORMAT= sourcetype::$1
DEST_KEY = MetaData:Sourcetype


DrewO
Splunk Employee

Your REGEX needs to escape the periods to match an actual period instead of the regex special character ".".

It should be REGEX = 10\.220\.5\.27

Otherwise looks good.


rmcdougal
Path Finder

Figured it out. "UDP" was capitalized in props.conf.

It should have been like this:


[source::udp:514]
TRANSFORMS-changesourcetype = change_to_cisco_syslog


rmcdougal
Path Finder

Thank you for your help!

Unfortunately this is still not working, it is still being put into Splunk as sourcetype UDP:514. Here are my current props and transforms configs:

[props.conf]


[source::UDP:514]
TRANSFORMS-changesourcetype = change_to_cisco_syslog

[Transforms.conf]


[change_to_cisco_syslog]
REGEX = (10\.220\.5\.27)
FORMAT= sourcetype::cisco_syslog
DEST_KEY = MetaData:Sourcetype

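To make the regex point concrete, here is an added example (not code from the thread or from Splunk) that simulates what the three candidate transforms.conf stanzas would do to a few syslog lines: the original unescaped REGEX from the question, the escaped version from the accepted answer, and a third, anchored version that is my own suggestion. It assumes that Splunk runs REGEX against _raw (the default SOURCE_KEY), that _raw for a UDP syslog input still carries the timestamp and host header, and that Python's re behaves like Splunk's PCRE for these simple patterns. Only the first event is from the thread; the other three lines are constructed here. The example covers the REGEX/FORMAT step only, not the case-sensitive [source::udp:514] stanza match that the thread resolved separately.

```python
import re

# Simulated Splunk transform: REGEX is searched against _raw (the default SOURCE_KEY),
# and $1..$N in FORMAT are replaced by the capture groups. DEST_KEY is assumed to be
# MetaData:Sourcetype for every stanza, so FORMAT has the shape "sourcetype::<value>".
# Python's re stands in for Splunk's PCRE; these patterns behave the same in both.

DEFAULT_SOURCETYPE = "udp:514"  # what the input assigns when no transform matches

# Sample events. The first is the thread's own sample line; the other three are
# constructed for this example to show where each REGEX misroutes.
EVENTS = [
    "Jun  7 14:25:25 10.220.5.27 8417003: *Jun  7 14:22:01.037 cst: %SEC-6-IPACCESSLOGP: "
    "list Check-TCP-UDP permitted udp 10.222.71.115(137) -> 10.222.71.255(137), 2 packets",
    # constructed: a proxy on another host reporting a 10 GB transfer (byte count 10022005027)
    "Jun  7 14:25:40 10.220.55.9 haproxy[2211]: 10.222.71.9:51027 fe_web be_app/srv1 200 "
    "10022005027 \"GET /backup.tar HTTP/1.1\"",
    # constructed: a Linux host whose firewall log merely mentions the Cisco's address
    "Jun  7 14:25:41 10.220.5.3 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=10.220.5.27 "
    "DST=10.220.5.3 PROTO=TCP SPT=443 DPT=52110",
    # constructed: unrelated host, should stay on the default sourcetype
    "Jun  7 14:25:42 10.220.5.2 CRON[3310]: (root) CMD (run-parts /etc/cron.hourly)",
]

# transforms.conf stanzas under test as (REGEX, FORMAT) pairs.
STANZAS = {
    # from the question: unescaped dots, so "." matches any character
    "original": (r"10.220.5.27", "sourcetype::cisco_syslog"),
    # from the accepted answer: escaped dots, sourcetype taken from capture group 1
    "escaped": (r"(10\.220\.5\.27)", "sourcetype::$1"),
    # assumption for this example: anchor on the syslog header so only the sending
    # host's address is considered, not addresses that appear in the message body
    "anchored": (r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d 10\.220\.5\.27 ", "sourcetype::cisco_syslog"),
}

_GROUP_REF = re.compile(r"\$(\d+)")


def apply_transform(event, regex, fmt):
    """Return the sourcetype the stanza would assign, or None if REGEX does not match."""
    m = re.search(regex, event)
    if m is None:
        return None
    expanded = _GROUP_REF.sub(lambda ref: m.group(int(ref.group(1))), fmt)
    key, value = expanded.split("::", 1)
    assert key == "sourcetype"  # DEST_KEY = MetaData:Sourcetype expects this prefix
    return value


def route(events, regex, fmt):
    """Sourcetype assigned to each event by one stanza (default when nothing matches)."""
    return [apply_transform(e, regex, fmt) or DEFAULT_SOURCETYPE for e in events]


def route_all(events=EVENTS):
    """Run every stanza over the events so the three result lists can be compared."""
    return {name: route(events, regex, fmt) for name, (regex, fmt) in STANZAS.items()}


if __name__ == "__main__":
    for name, result in route_all().items():
        print(f"{name:>9}: {result}")
```

Two things stand out when the three result lists are compared. The unescaped pattern tags the haproxy line as cisco_syslog because "." matches the digits inside the byte count, so events from an unrelated host land in the Cisco sourcetype. The escaped pattern from the accepted answer fixes that, but because its FORMAT is sourcetype::$1 the sourcetype actually assigned is the literal string "10.220.5.27", not cisco_syslog; keep FORMAT = sourcetype::cisco_syslog if that name is what searches and apps expect. Both unanchored patterns also pull in any event on the port that merely mentions the Cisco's address, such as the UFW line from 10.220.5.3, which is why the anchored version matches only on the host field of the syslog header.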