Hey all,
I'm hoping someone can help me out with a configuration issue I've got.
I'm following this guide:
https://docs.splunksecurityessentials.com/data-onboarding-guides/cisco-asa/
It has two configuration files named splunk.conf and
splunk-cisco_asa.conf. I can see that the first file is being executed
as that file contains the input module on 514. And I'm currently
receiving syslogs to /var/log/syslog.
The issue I have is the second configuration file. It's supposed to
parse the logs and find anything that contains ASA-6-****** and put that
into a separate directory. Unfortunately that's not happening. I've
tested the regex against a sample of logs and that's fine.
The commands in that file are the following:
module(load="builtin:omfile")
$Umask 0022
$template asa,"/var/log/rsyslog/cisco/asa/%HOSTNAME%-%$MINUTE%.log"
:msg, regex, "%ASA-\d-\d{6}" ?asa
I'm running rsyslog 8.2001.0 on Ubuntu 20.04 LTS.
Do you have any suggestions why this isn't happening?
Thanks,
Will
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
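An added example, not from the post above or from the rsyslog project: a small C program that runs the posted pattern through the C library's regcomp(3)/regexec(3), which I assume is the engine behind rsyslog's property-based filters. In rsyslog the `regex` compare operation is POSIX BRE and `ereregex` is POSIX ERE; neither dialect defines `\d`, and in BRE a bare `{6}` is a literal, so the filter as written never matches a real ASA line. The sample messages are constructed, not captured.

```c
#include <regex.h>
#include <stdio.h>

/* The filter string as posted: with rsyslog's "regex" op this is POSIX BRE.
 * \d is not a POSIX class (the engine reads it as a literal 'd') and {6} is
 * a literal brace in BRE, so the pattern can only match "%ASA-d-d{6}". */
#define POSTED_PATTERN "%ASA-\\d-\\d{6}"
/* Corrected form for rsyslog's "ereregex" op (POSIX ERE): bracket expression
 * for the digit and a real interval for the six-digit message id. */
#define FIXED_PATTERN  "%ASA-[0-9]-[0-9]{6}"

/* Constructed sample messages in the shape of ASA and non-ASA syslog. */
static const char *ASA_MSG =
    "%ASA-6-302013: Built outbound TCP connection 1234 for "
    "outside:203.0.113.10/443 to inside:192.0.2.20/51234";
static const char *OTHER_MSG =
    "sshd[4321]: Accepted publickey for will from 192.0.2.5 port 50000";

/* Compile pattern as BRE (extended == 0) or ERE (extended != 0) and test msg.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int filter_matches(const char *pattern, int extended, const char *msg)
{
    regex_t re;
    int cflags = REG_NOSUB | (extended ? REG_EXTENDED : 0);
    if (regcomp(&re, pattern, cflags) != 0)
        return -1;
    int rc = regexec(&re, msg, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    printf("posted pattern as BRE (rsyslog 'regex'):    %d\n",
           filter_matches(POSTED_PATTERN, 0, ASA_MSG));
    printf("posted pattern as ERE (rsyslog 'ereregex'): %d\n",
           filter_matches(POSTED_PATTERN, 1, ASA_MSG));
    printf("fixed pattern as ERE on ASA line:           %d\n",
           filter_matches(FIXED_PATTERN, 1, ASA_MSG));
    printf("fixed pattern as ERE on non-ASA line:       %d\n",
           filter_matches(FIXED_PATTERN, 1, OTHER_MSG));
    return 0;
}
```

Applied to the posted configuration, the filter line would become `:msg, ereregex, "%ASA-[0-9]-[0-9]{6}" ?asa`; testing a pattern with a PCRE-based tool does not tell you whether a POSIX engine accepts it.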