Update ASA log path to account for events with no hostname
* Update the ASA log path and add a filter that detects ASA events whose syslog header carries no hostname
Mark Bonsack committed Jan 31, 2020
1 parent a1198b8 commit f32c9a1
Showing 2 changed files with 12 additions and 3 deletions.
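--- a/package/etc/conf.d/filters/cisco/asa.conf
+++ b/package/etc/conf.d/filters/cisco/asa.conf
@@ -1,3 +1,8 @@
 filter f_cisco_asa {
-message('^%ASA-\d+-\d{1,10}: ');
-};
+message('^%ASA-\d+-\d{1,10}: ') or
+match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+};
+
+filter f_cisco_asa_nohost {
+match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+};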
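Review bot: The clause `match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"))` is now written out twice, once inside f_cisco_asa and again as the whole of f_cisco_asa_nohost, so the two will silently drift apart the next time the ASA pattern is tuned. Since f_cisco_asa is what admits an event to the log path and f_cisco_asa_nohost only selects the reconstruction branch, the first filter should reference the second instead of repeating it: `message('^%ASA-\d+-\d{1,10}: ') or filter(f_cisco_asa_nohost);`. Note also that the LEGACY_MSGHDR check has no trailing-space anchor while the message() check requires `: `, which is fine if deliberate but deserves a comment above f_cisco_asa_nohost such as `# no hostname in the header: the "%ASA-n-nnnnnn:" tag is consumed as the syslog header and shows up in LEGACY_MSGHDR rather than MESSAGE` — that mechanism is inferred from the commit title, so confirm it against a captured sample before adopting the wording.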
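--- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
@@ -27,7 +27,11 @@ log {
 };
 parser {p_add_context_splunk(key("cisco_asa")); };
 parser (compliance_meta_by_source);
-rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+if (filter (f_cisco_asa_nohost)) {
+rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+} else {
+rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
+};
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no")) }}
 destination(d_hec);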
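Review bot: Nothing in the new if/else says why an event matched by f_cisco_asa_nohost needs its MSG rebuilt from a different template, and both `t_legacy_hdr_msg` and `t_msg_only` are defined outside this file, so a reader has to chase two other files to understand the branch; a one-line comment above the `if` would do: `# header had no hostname, so the %ASA-n-nnnnnn: tag was parsed as the header; t_legacy_hdr_msg re-joins it with the body before forwarding`. Beyond the documentation, for these no-hostname events the host value SC4S forwards to HEC is presumably derived from the sending address rather than from a device name in the header, which matters to anyone keying detections or allow-lists on the Splunk host field — worth confirming and stating in the same comment. The enclosing log { } block starts and ends outside this hunk.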
