Running 6.5.0.
Attempting to use a Heavy Forwarder to forward a subset of cisco:ASA events to Splunk indexers, while sending ALL events to external syslog Servers. The filter to the indexers works, but unable to get ALL events to forward to the syslog servers. Have tried many combinations and permutations in the involved .conf files, but current configs are shown below. The effect should be that only one ASA-6 log level message is sent to the indexers, while ALL log level 6 messages are sent to the syslog servers. Only the 725003 log level 6 message is being sent to the syslog servers.
IN PROPS.CONF
------------------
[cisco:asa]
TRANSFORMS-asa = cisco_asa_elim_specific_msg_id, cisco_asa_indexers, cisco_asa_syslog_routing
#
IN TRANSFORMS.CONF
------------------
[cisco_asa_elim_specific_msg_id]
REGEX = .*?(ASA-4-419002):.*
# REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
#
#
## Keep requied Log levels and message ids and send to splunk indexes
[cisco_asa_indexers]
REGEX = ((ASA-2|ASA-3|ASA-4|ASA-1|ASA-5|ASA-6-725003))
DEST_KEY = queue
FORMAT = indexQueue
#
## route all events to other servers
[cisco_asa_syslog_routing]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogServer1, syslogServer2
↧