I am currently running Splunk 6.2.3 with the Splunk Add-on for Cisco ASA version 3.2.4.
When I look at Cisco ASA firewall events (sourcetype=cisco:asa) I have noticed that the **dvc** field is properly populated with the firewall context. However, this is not the case with the **host** field. The following are examples:
source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = admin
host = admin
source = /syslog_hot/splunk/asa/ent_firewall.log
dvc = campus
host = campus
source = /syslog_hot/splunk/asa/asavpn.log
**dvc = 5585vpn**
**host = cc-syslog01.mycompany.edu**
I attempted to look for entries in the Splunk Add-on for Cisco ASA transforms.conf which extract the host field, but did not find one. It thus appears that the host field is using the default transforms.conf located in /opt/splunk/etc/system/default.
If I am understanding this correctly, the REGEX in the default transforms.conf is not matching, and as a result the host field is being populated with the hostname of the syslog server.
What would be the best solution for this? Should I create entries in the local/transforms.conf and local/props.conf of the add-on to properly extract/assign the host field?
Thank you.
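Before putting a host-override transform into the add-on's local/ directory, it pays to run the candidate REGEX against real lines from the ASA log files and see which token each transform would assign as host. The script below is an added example, not part of the question above and not code from the Splunk Add-on for Cisco ASA. It emulates a DEST_KEY = MetaData:Host transform with Python's re module (a close enough approximation of Splunk's PCRE for these patterns), compares the stock [syslog-host] REGEX as I recall it from Splunk 6.x system/default/transforms.conf (an assumption; check it against the copy on your indexer) with a hypothetical ASA-specific override anchored on the %ASA- message id, and prints the local/props.conf and local/transforms.conf stanzas that override would need. The stanza name asa_host_override and all three sample events are constructed for the example; replace the samples with lines copied from asavpn.log and ent_firewall.log.

```python
import re

# Stock [syslog-host] transform as I recall it from Splunk 6.x
# system/default/transforms.conf. ASSUMPTION: confirm the exact REGEX against
# /opt/splunk/etc/system/default/transforms.conf on the instance.
DEFAULT_SYSLOG_HOST = {
    "REGEX": r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s",
    "FORMAT": "host::$1",
}

# Hypothetical ASA-specific override (stanza name and REGEX are my own):
# capture the token sitting directly before the "%ASA-" message id, after an
# optional <PRI>, the syslog timestamp, an optional year, any relay hostnames
# a syslog server may have prepended, and the " : " separator the ASA emits
# when "logging timestamp" is enabled.
ASA_HOST_OVERRIDE = {
    "REGEX": r"^(?:<\d+>)?\w{3}\s+\d{1,2}\s+(?:\d{4}\s+)?[\d:]{8}\s+(?:\S+\s+)*?([\w\.\-]+)\s*:?\s*%ASA-",
    "FORMAT": "host::$1",
}

# The override as it would be written into the add-on's local/ directory.
# DEST_KEY = MetaData:Host and FORMAT = host::$1 are Splunk's own keys;
# asa_host_override is a hypothetical stanza name.
LOCAL_CONF_SNIPPET = """\
# local/transforms.conf
[asa_host_override]
DEST_KEY = MetaData:Host
REGEX = {regex}
FORMAT = host::$1

# local/props.conf
[cisco:asa]
TRANSFORMS-asa_host = asa_host_override
""".format(regex=ASA_HOST_OVERRIDE["REGEX"])

# Constructed sample events (not real lines from the poster's files):
# 1. plain ASA line; 2. ASA line with the " : " separator; 3. a line the
# syslog relay re-headered, so the relay's own name precedes the firewall's.
SAMPLE_EVENTS = [
    "Nov  5 10:22:33 admin %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51514 (198.51.100.2/51514)",
    "Nov  5 10:22:34 5585vpn : %ASA-6-113004: AAA user authentication Successful : "
    "server =  10.0.0.10 : user = jdoe",
    "Nov  5 10:22:35 cc-syslog01 5585vpn : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 "
    "dst inside:10.0.0.7/22 by access-group \"outside_in\"",
]


def apply_host_transform(event, transform):
    """Emulate an index-time DEST_KEY = MetaData:Host transform: return the host
    Splunk would assign, or None when the REGEX does not match (Splunk then keeps
    whatever host the input already carried, e.g. the syslog server's name)."""
    match = re.search(transform["REGEX"], event)
    if not match:
        return None
    formatted = transform["FORMAT"].replace("$1", match.group(1))
    # FORMAT is "host::<value>"; strip the "host::" prefix to get the value.
    return formatted.split("::", 1)[1]


def compare_transforms(events):
    """Return (stock host, override host) per event so the two transforms can be
    checked side by side before anything is deployed."""
    return [
        (apply_host_transform(e, DEFAULT_SYSLOG_HOST),
         apply_host_transform(e, ASA_HOST_OVERRIDE))
        for e in events
    ]


if __name__ == "__main__":
    print("%-14s %-14s %s" % ("stock", "override", "event"))
    for event, (stock, override) in zip(SAMPLE_EVENTS, compare_transforms(SAMPLE_EVENTS)):
        print("%-14s %-14s %s" % (stock, override, event[:48]))
    print()
    print(LOCAL_CONF_SNIPPET)
```

Two practical points for whichever REGEX ends up in local/transforms.conf: an index-time transform only takes effect on the parsing tier (the indexer, or a heavy forwarder in front of it) and only for events indexed after the restart, so already-indexed events keep their current host value; and the override is applied after the stock [syslog-host] transform for the sourcetype, so the ASA-anchored pattern wins when both match, as the third sample shows.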