Hi,
I am wondering if my question couldn't get answered quickly. I have parsed many very similar questions and tried to find my way out from the answers. Here is my situation.
I get too many syslog messages on source::udp:514 as sourcetype=syslog. Within those messages many are not of interest for my purpose. So I want to get rid of some of them to protect my indexing license against overflow.
As I said, I have done some configuration but I am absolutely unsure if this works and, if so, how I can control and check the behaviour. Is there somebody out in the field who is willing to answer my questions?
Thanks for your help.
props.conf
# A sourcetype stanza in props.conf is just the sourcetype name; "sourcetype::" is not a valid stanza prefix
# (only "source::" and "host::" are), so [sourcetype::syslog] would never be applied.
[syslog]
TRANSFORMS-asa = asa_teardown_null,asa_built_null
transforms.conf
# Each REGEX must be on a single line; the line breaks were wrapping, not part of the value.
[asa_teardown_null]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = (ASA-6-302014|ASA-6-302016|ASA-6-302018|ASA-6-302021|ASA-6-302304|ASA-6-305010|ASA-6-305012|ASA-6-603109|ASA-6-617100)
[asa_built_null]
DEST_KEY = queue
FORMAT = nullQueue
# ASA-6-302013 was listed twice in the original alternation; the duplicate is harmless but removed here.
REGEX = (ASA-6-302003|ASA-6-302009|ASA-6-302013|ASA-6-302017|ASA-6-302020|ASA-6-305009|ASA-6-305011|ASA-6-603108|ASA-6-302015)
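One way to check what the two nullQueue regexes above would actually drop before touching the license: replay the patterns over sample events offline. This is an added example, not from the original post or from Splunk; it assumes Python's `re` behaves the same as Splunk's PCRE for these plain alternations (it does), and the ASA lines below are constructed samples, not captured traffic.

```python
import re

# The two REGEX values from transforms.conf, each joined back onto one line.
ASA_TEARDOWN_NULL = re.compile(
    r"(ASA-6-302014|ASA-6-302016|ASA-6-302018|ASA-6-302021|ASA-6-302304"
    r"|ASA-6-305010|ASA-6-305012|ASA-6-603109|ASA-6-617100)"
)
ASA_BUILT_NULL = re.compile(
    r"(ASA-6-302003|ASA-6-302009|ASA-6-302013|ASA-6-302017|ASA-6-302020"
    r"|ASA-6-305009|ASA-6-305011|ASA-6-603108|ASA-6-302015)"
)

# Same order as TRANSFORMS-asa = asa_teardown_null,asa_built_null.
# The two ID sets are disjoint, so "first match wins" gives the same answer
# as Splunk applying both transforms in sequence.
NULL_TRANSFORMS = [
    ("asa_teardown_null", ASA_TEARDOWN_NULL),
    ("asa_built_null", ASA_BUILT_NULL),
]

# Constructed sample events in Cisco ASA syslog format (not from a real device).
SAMPLE_EVENTS = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/443",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/443",
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22",
    "%ASA-6-302013: Built outbound TCP connection 12346 for inside:10.0.0.5/51300",
    "%ASA-6-611101: User authentication succeeded: Uname: admin",
]


def route_event(event):
    """Return the transform that sends this event to nullQueue, or None if it is indexed."""
    for name, regex in NULL_TRANSFORMS:
        if regex.search(event):
            return name
    return None


def summarize(events):
    """Count events per transform plus the ones that still reach the index."""
    counts = {"indexed": 0}
    for event in events:
        key = route_event(event) or "indexed"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{route_event(ev) or 'INDEX':18s} {ev}")
    print(summarize(SAMPLE_EVENTS))
```

On the indexer itself, `splunk btool props list syslog --debug` shows whether the `[syslog]` stanza and its TRANSFORMS line are actually being read, and the per-sourcetype volume in `index=_internal source=*metrics.log group=per_sourcetype_thruput` should drop once the filter is in effect.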