Hi all,
I've got the Cisco Firewall Addon (latest version with Security Suite) in and working, however I notice that it isn't recognising the host name properly; all events are showing as being from the box that my light forwarder is on. (host=myforwarderboxname)
It looks like this stanza in the transforms.conf will be the issue:
[cisco_firewall_hostoverride]
DEST_KEY = MetaData:Host
REGEX = \S+\t\S+\s(.*)\t+
FORMAT = host::$1
However, I tried changing the regex to \s\d+:\d+:\d+\s(.*)\s\% (works on a field extraction) and restarting, but this didn't work.
View source from Splunk shows:
Sep 18 13:10:02 myfirewall %ASA-6-302014: Teardown TCP connection 54647599 for outside....
Is anyone else doing the same thing, and if so, how did you fix it? 🙂
Thanks!
EDIT:
Right, after some brain-ache, I found that I can fix this by editing:
/opt/splunk/etc/apps/Splunk_CiscoFirewalls/default/props.conf
And appending syslog-host on the end of the first transforms line, e.g.:
[source::...cisco]
TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall, syslog-host
There must be a foolproof way of doing this... I know that if I upgrade the app, then this will probably get wiped out.
Do I need to add a one-liner in the local folder in a new props.conf?
i.e. TRANSFORMS-syslog-host
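To see why the app's stanza leaves every event attributed to the forwarder, here is an added check (not from the post or the Splunk_CiscoFirewalls app) that runs the app's REGEX and the poster's alternative against the sample log line and reports what host::$1 would be set to. The sample line is constructed from the one quoted above, and the third, anchored pattern is my own suggestion for a stricter match, not anything the app ships.

```python
import re

# Constructed sample, copied from the "View source" line in the post.
SAMPLE = ("Sep 18 13:10:02 myfirewall %ASA-6-302014: "
          "Teardown TCP connection 54647599 for outside....")

# REGEX from the app's [cisco_firewall_hostoverride] stanza: it requires
# literal tab characters, which a space-delimited syslog line never has.
APP_REGEX = r"\S+\t\S+\s(.*)\t+"

# The poster's alternative: time-of-day, then the host, then a '%' token.
ALT_REGEX = r"\s\d+:\d+:\d+\s(.*)\s\%"

# Assumed stricter pattern: anchored at line start, captures a single
# non-space token as the host, so a stray space in the message cannot
# widen the capture. Not part of the app; shown for comparison only.
STRICT_REGEX = r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+%ASA-"


def extract_host(pattern: str, line: str):
    """Emulate DEST_KEY=MetaData:Host with FORMAT=host::$1.

    Returns the captured host, or None when the pattern does not match
    (in which case Splunk keeps the forwarder's own host value).
    """
    m = re.search(pattern, line)
    return m.group(1) if m else None


def check_all(line: str = SAMPLE):
    """Return {pattern_name: extracted_host} for the sample line."""
    return {
        "app": extract_host(APP_REGEX, line),
        "alt": extract_host(ALT_REGEX, line),
        "strict": extract_host(STRICT_REGEX, line),
    }


if __name__ == "__main__":
    for name, host in check_all().items():
        print(f"{name:7s} -> {host!r}")
```

Running this offline before editing props.conf or transforms.conf shows which stanza actually matches the lines your forwarder sends, so mis-attributed hosts are caught before they reach searches and alerts.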