Channel: Questions in topic: "heavy-forwarder"

Filter out "everything but..." from certain source with heavy forwarder?

I want to filter out everything in my massive firewall logs except those events with event codes for a few important event types. Here's what I have right now:

inputs.conf

    [monitor:///data/HOSTS/edge_firewall/edge/.../*.log]
    sourcetype = cisco:asa
    host_segment = 5
    index = edge_firewall

props.conf

    [source::/data/HOSTS/edge_firewall/edge/.../*.log]
    TRANSFORMS-set = Edge_Null,Edge_Filter

transforms.conf

    [Edge_Null]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [Edge_Filter]
    REGEX = \[.*(305010|305011|305012|302014|302016).*\]
    DEST_KEY = queue
    FORMAT = indexQueue

I previously used `[source::///data/HOSTS/edge_firewall/edge/.../*.log]` as a <SPEC> in props.conf because it matched what is used in inputs.conf. When I did this, everything in the source was being indexed, not just the parts in the regex, so I know the inputs.conf stanza works. After changing it to what you see above, however, nothing from that source is sent, which leads me to believe it is all being sent to nullQueue and either my regex in [Edge_Filter] is invalid or nothing is getting past [Edge_Null].

Why isn't this working? What have I done wrong and how can I fix it? Would it be wiser to use an inverse regex (i.e. `^(?!.*(305010|305011|305012|302014|302016))`) in [Edge_Null] instead?
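The routing chain in the question can be checked offline before touching a heavy forwarder. The following is an added example, not code from the poster or from Splunk: a small Python model of a TRANSFORMS-set chain. It assumes the documented behaviour that transforms run in the listed order, that each matching transform overwrites DEST_KEY (so the last match decides the queue), and that an event no transform touches goes to indexQueue. The sample events are constructed in Cisco ASA syslog style, and the two alternative transform sets (a filter regex without the square-bracket anchors, and a single negative-lookahead stanza) are hypothetical variants, not the poster's configuration.

```python
import re

# Transforms exactly as posted in the question: (stanza name, REGEX, FORMAT).
# Both write to DEST_KEY = queue, so the last one that matches wins.
TRANSFORMS_AS_POSTED = [
    ("Edge_Null",   r".",                                            "nullQueue"),
    ("Edge_Filter", r"\[.*(305010|305011|305012|302014|302016).*\]", "indexQueue"),
]

# Hypothetical variant: same order, but the filter no longer requires a
# literal "[" before and "]" after the message id.
TRANSFORMS_NO_BRACKETS = [
    ("Edge_Null",   r".",                                    "nullQueue"),
    ("Edge_Filter", r"(305010|305011|305012|302014|302016)", "indexQueue"),
]

# Hypothetical variant using the inverse regex the question mentions:
# one stanza that drops anything NOT carrying a wanted id.
TRANSFORMS_INVERSE = [
    ("Edge_Null", r"^(?!.*(305010|305011|305012|302014|302016))", "nullQueue"),
]

# Constructed sample events in Cisco ASA syslog style (not real log data).
# Only the last one has square brackets around the message.
SAMPLE_EVENTS = [
    "Mar 10 12:00:01 edge-fw-01 %ASA-6-302014: Teardown TCP connection 77 for "
    "outside:198.51.100.7/443 to inside:10.0.0.5/51210 duration 0:00:01 bytes 842 TCP FINs",
    "Mar 10 12:00:02 edge-fw-01 %ASA-6-302013: Built inbound TCP connection 78 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51211 (10.0.0.5/51211)",
    "Mar 10 12:00:03 edge-fw-01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Mar 10 12:00:04 edge-fw-01 [%ASA-6-305011: Built dynamic TCP translation from "
    "inside:10.0.0.5/51212 to outside:203.0.113.2/51212]",
]


def route(event, transforms, default="indexQueue"):
    """Return the queue an event ends up in after the transform chain runs.

    Mirrors the documented Splunk semantics assumed above: every transform whose
    REGEX matches _raw writes its FORMAT into DEST_KEY, so a later match
    overrides an earlier one; with no match at all the event is indexed.
    """
    queue = default
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route_all(transforms, events=SAMPLE_EVENTS):
    """Route every sample event and return the list of resulting queues."""
    return [route(e, transforms) for e in events]


def indexed_count(transforms, events=SAMPLE_EVENTS):
    """How many of the events survive to indexQueue under a given chain."""
    return sum(1 for q in route_all(transforms, events) if q == "indexQueue")


if __name__ == "__main__":
    for label, chain in (("as posted", TRANSFORMS_AS_POSTED),
                         ("no brackets", TRANSFORMS_NO_BRACKETS),
                         ("inverse regex", TRANSFORMS_INVERSE)):
        print(f"{label:14s} -> {route_all(chain)}")
```

Running the model shows the mechanics rather than guessing at them: with the chain as posted, any event that lacks literal square brackets can only ever match Edge_Null, so it is dropped even when it carries a wanted message id, while the bracketed event is kept. Removing the bracket anchors, or collapsing the chain to the single negative-lookahead stanza, keeps every event with a wanted id and drops the rest. Whether the real edge_firewall events contain brackets is something only the raw data can tell, so the practical check is to run the posted regex against a handful of lines copied from the monitored files.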
