diff --git a/package/etc/conf.d/filters/cisco/asa.conf b/package/etc/conf.d/filters/cisco/asa.conf index bbd3157..a7ac9b7 100644 --- a/package/etc/conf.d/filters/cisco/asa.conf +++ b/package/etc/conf.d/filters/cisco/asa.conf @@ -1,3 +1,8 @@ filter f_cisco_asa { - message('^%ASA-\d+-\d{1,10}: '); -}; \ No newline at end of file + message('^%ASA-\d+-\d{1,10}: ') or + match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR")); +}; + +filter f_cisco_asa_nohost { + match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR")); +}; diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl index 0749e68..a8bf9c5 100644 --- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl @@ -27,7 +27,11 @@ log { }; parser {p_add_context_splunk(key("cisco_asa")); }; parser (compliance_meta_by_source); - rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; + if (filter (f_cisco_asa_nohost)) { + rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; + } else { + rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; + }; {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_ASA_HEC" "no")) }} destination(d_hec);