Mailing List Archive

conf files - configuration assistance
Hey all,

I'm hoping someone can help me out with a configuration issue I've got.

I'm following this guide:

https://docs.splunksecurityessentials.com/data-onboarding-guides/cisco-asa/

It has two configuration files named splunk.conf and
splunk-cisco_asa.conf. I can see that the first file is being executed
as that file contains the input module on 514. And I'm currently
receiving syslogs to /var/log/syslog.

The issue I have is the second configuration file. It's supposed to
parse the logs and find anything that contains ASA-6-****** and put that
into a separate directory. Unfortunately that's not happening. I've
tested the regex against a sample of logs and that's fine.

The commands in that file are the following:

module(load="builtin:omfile")
$Umask 0022

$template asa,"/var/log/rsyslog/cisco/asa/%HOSTNAME%-%$MINUTE%.log"

:msg, regex, "%ASA-\d-\d{6}" ?asa

I'm running rsyslog 8.2001.0 on Ubuntu 20.04 LTS.

Do you have any suggestions why this isn't happening?

Thanks,

Will


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: conf files - configuration assistance
You can ignore this request now.

I stumbled upon the regex expression checker/generator and I can see the
syntax is different, and that's why it's not working.

Thanks anyway!


On 16/06/2022 12:58, Will BMD via rsyslog wrote:
> Hey all,
>
> I'm hoping someone can help me out with a configuration issue I've got.
>
> I'm following this guide:
>
> https://docs.splunksecurityessentials.com/data-onboarding-guides/cisco-asa/
>
>
> It has two configuration files named splunk.conf and
> splunk-cisco_asa.conf. I can see that the first file is being executed
> as that file contains the input module on 514. And I'm currently
> receiving syslogs to /var/log/syslog.
>
> The issue I have is the second configuration file. It's supposed to
> parse the logs and find anything that contains ASA-6-****** and put
> that into a separate directory. Unfortunately that's not happening.
> I've tested the regex against a sample of logs and that's fine.
>
> The commands in that file are the following:
>
>    module(load="builtin:omfile")
>    $Umask 0022
>
>    $template asa,"/var/log/rsyslog/cisco/asa/%HOSTNAME%-%$MINUTE%.log"
>
>    :msg, regex, "%ASA-\d-\d{6}" ?asa
>
> I'm running rsyslog 8.2001.0 on Ubuntu 20.04 LTS.
>
> Do you have any suggestions why this isn't happening?
>
> Thanks,
>
> Will
>
>
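As an added example, not part of either post or of the Splunk guide: the syntax difference the reply found, in runnable form. rsyslog's property-based filter compares the property against a POSIX regex (`regex` is BRE, `ereregex` is ERE), neither of which knows PCRE's `\d`, so the script writes a corrected fragment and checks constructed sample lines with `grep -E`, the same POSIX dialect. File paths, sample log lines and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Splunk guide. rsyslog's legacy
# property filter ":msg, regex, ..." takes a POSIX BRE and ":msg, ereregex, ..."
# a POSIX ERE; neither dialect knows PCRE's \d, so "%ASA-\d-\d{6}" never
# matches. [0-9] and the interval {6} are ERE, hence ereregex below.
# Paths, sample lines and function names are assumptions for illustration.

ASA_ERE='%ASA-[0-9]-[0-9]{6}'

# Write a corrected splunk-cisco_asa.conf fragment to the path given in $1.
# secpath-replace rewrites any "/" in the peer-supplied HOSTNAME as "_", so a
# crafted hostname cannot steer the dynafile out of /var/log/rsyslog/cisco/asa.
write_fixed_conf() {
    cat > "$1" <<EOF
module(load="builtin:omfile")
\$Umask 0022
\$template asa,"/var/log/rsyslog/cisco/asa/%HOSTNAME:::secpath-replace%-%\$MINUTE%.log"
:msg, ereregex, "$ASA_ERE" ?asa
EOF
}

# Test one log line with grep -E, the same POSIX ERE dialect the filter uses,
# rather than with a PCRE tool that would accept \d and give a false pass.
matches_asa() {
    printf '%s\n' "$1" | grep -Eq -- "$ASA_ERE"
}

# Count the lines of a file the filter would route to the asa template.
count_asa() {
    grep -Ec -- "$ASA_ERE" "$1"
}

# Constructed sample lines in the shape Cisco ASA (and one non-ASA host)
# emits over syslog; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
<166>Jun 16 12:58:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443
<164>Jun 16 12:58:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.8/22
<13>Jun 16 12:58:03 app01 sshd[1234]: Accepted publickey for ops from 10.0.0.20 port 51022
EOF

CONF=$(mktemp)
write_fixed_conf "$CONF"
echo "corrected fragment written to $CONF; check it with: rsyslogd -N1 -f $CONF"
echo "ASA lines routed to the asa template: $(count_asa "$SAMPLE_LOG") of $(wc -l < "$SAMPLE_LOG")"
```

Run `rsyslogd -N1 -f <file>` on the written fragment to confirm rsyslog itself parses it before dropping it into /etc/rsyslog.d.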