Mr. Gibbon, Was wondering if you ever fully vetted your Symantec v12 regex? Thx ... View more

Awesome!! That worked... Now the last issue I'm wrestling with is that the ASA logs are not being properly identified even when I select cisco : asa as the sourcetype. Here's a sample ASA log: Apr 10 06:29:58 1.1.1.1 %ASA-7-106100: access-list np-itf15-FW-RULE-1 permitted udp FW-RULE-2/2.2.2.2(615) -> FW-RULE-3/3.3.3.3(111) hit-cnt 1 first hit [0x7eb55e24, 0xc85ef7a5] Switching between cisco : asa and System Defaults doesn't make a difference. Do I need to build a custom Cisco ASA in props and transform.conf for Cisco ASA like IIS? ... View more

That worked. Just had to change the search to: index="web_logs" source="/logs/web/ex140401.log" Once I did that, I got an "Interesting Fields" list, with the parsed out fields. So that applies to searching individual log files (basically using 'Exploring Data'). How do I apply the new manual-iis to all IIS log files when I go in to search the entire virtual index? When I click 'search' there, the files aren't being parsed per the IIS sourcetype. Thx ... View more

Ledion, Hope you had a nice Thanksgiving holiday. Set the props.conf as follows: cat /opt/hunk/etc/apps/search/local/props.conf [source::/logs/firewall/...] sourcetype = cisco_syslog [source::/logs/web/...] sourcetype = iis [new-iis] REPORT-manual-iis = manual-iis [source::/logs/web/ex140401.log] sourcetype = manual-iis (note - I see two props.conf files being modified. One is /opt/hunk/etc/apps/search/local/props.conf - and the other is /opt/hunk/etc/users/admin/search/local/props.conf) Restarted Splunk and searched on web logs in Virtual Indexes and the events still aren't being parsed correctly. Thx ... View more

And to be safe I restart Splunk after every change ... View more

props.conf: [source::/logs/firewall/...] sourcetype = cisco_syslog [source::/logs/web/...] sourcetype = iis [new-iis] REPORT-manual-iis = manual-iis [source::/logs/web/ex140401.log] sourcetype = iis transforms.conf: [manual-iis] FIELDS = date, time, s-sitename, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-user-agent, sc-status, sc-substatus, sc-win32-status DELIMS = "\t" (I tried with DELIMS = " " as well) Still not parsing. Anything to be gleaned from the search log? ... View more

Thx - let me add and test again ... View more

props.conf now reads: [source::/logs/firewall/...] sourcetype = cisco_syslog [source::/logs/web/...] sourcetype = iis [new-iis] REPORT-manual-iis = manual-iis [source::/logs/web/ex140401.log] sourcetype = iis (pleas note - this is added to the file when I do 'Explore Data') Do I create the transforms.conf file in /hunk/etc/apps/search/local? Thx for all of your help Ledion ... View more

header line: #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status ... View more

anonimized iis log files: 2014-04-01 04:00:00 W3SVC1 x.x.x.x GET /server.txt - 443 - x.x.x.x - 200 0 0 2014-04-01 04:00:00 W3SVC1 x.x.x.x GET /server.txt - 80 - x.x.x.x - 200 0 0 2014-04-01 04:00:00 W3SVC1 x.x.x.x GET /server.txt - 80 - x.x.x.x - 200 0 0 2014-04-01 04:00:01 W3SVC1 x.x.x.x GET /dir_name/dir_name/dir_name/ImapRedirect.aspx - 443 - x.x.x.x Mozilla/5.0+(Linux;+U;+Android+4.0.4;+en-ca;+MB886+Build/7.7.1Q-115_MB886_BELL_FFW-11)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Version/4.0+Mobile+Safari/534.30 200 0 0 2014-04-01 04:00:01 W3SVC1 x.x.x.x GET /favicon.ico - 443 - x.x.x.x Mozilla/5.0+(Linux;+U;+Android+4.0.4;+en-ca;+MB886+Build/7.7.1Q-115_MB886_BELL_FFW-11)+AppleWebKit/534.30+(KHTML,+like+Gecko)+Version/4.0+Mobile+Safari/534.30 404 0 2 2014-04-01 04:00:01 W3SVC1 x.x.x.x GET /server.txt - 443 - x.x.x.x - 200 0 0 2014-04-01 04:00:02 W3SVC1 x.x.x.x GET /dir_name/dir_name/dir_name/dir_name/Default.aspx - 443 - 96.235.28.93 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:28.0)+Gecko/20100101+Firefox/28.0 302 0 0 2014-04-01 04:00:04 W3SVC1 127.0.0.1 POST /dir_name/AuthProviderSoapBinding.asmx - 80 - 127.0.0.1 Plumtree+OpenHTTP+Library+(version+2.0) 200 0 0 2014-04-01 04:00:04 W3SVC1 x.x.x.x POST /portal/server.pt - 443 - 24.3.69.132 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:27.0)+Gecko/20100101+Firefox/27.0 302 0 0 ... View more

Fixed props.conf to: [source::/logs/firewall/...] sourcetype = cisco_syslog [source::/logs/web/...] sourcetype = iis [source::/logs/web/ex140401.log] sourcetype = iis ... View more

The IIS logs are being tagged correctly (sourcetype = iis), where as the Cisco ASA logs have no sourcetype associated with them at all. If I go the 'Explore Data' route and select sourcetype = iis the preview data screen shows the logs being parsed correctly, but once I save and then search the fields aren't parsed like they should be. When I do 'Explore Data' re: Cisco, I set the sourcetype to cisco:asa, but preview data screen doesn't show the ASA logs being parsed as they should. I can switch between System Defaults, Syslog, and cisco:asa and the files never change how they're parsed. ... View more

Thx. Now reads: [source::logs/firewall/...] sourcetype = cisco_syslog [source::logs/web/...] sourcetype = iis Still not parsing (not seeing source/dst IPs, and so on) ... View more

Thx for the reply and info. Created a props.conf file, which now reads: [source::hdfs://hostname:8020/logs/firewall] sourcetype = cisco_syslog [source::hdfs://hostname:8020/logs/web] sourcetype = iis Restarted splunk and when I search on IIS or the ASA logs, they're still not parsing correctly ... View more

After some additional review, for the IIS logs I see they're being tagged as a sourcetype of IIS, but they're not being parsed correctly. Any ideas on how to troubleshoot that issue? The Cisco ASA logs aren't being identified as the correct sourcetype at all. ... View more

That's it! Can't hank you enough for your time and help - greatly appreciated! ... View more

Actually doing just | stats dc(HostName) as "HostCount", dc(Access) as "AccessCount" by User gives me a nice summary table for the user's host count and access count. Looking at the example you sent me (and perhaps I'm not stating with enough clarity so apologizes there) for example for acurry@buttercup games.com, how do you get the unique/distinct count for each values(usage) so it would look like the following: values(usage) - count Borderline - 58 Business - 42 Personal - 46 Unknown - 50 Violation - 50 (count 246 is broken down in each category) for acurry (and every other user as well) Thx ... View more

It does break it down, but I'm not seeing counts per Hostname or per Access - seeing a total count of both Hostname and Access. Thx ... View more

If I wanted to get the count per user would the following be correct: index="main" source=accesscontrol.csv" | eval access_hour=strftime(_time,"%H") | where ( access_hour >= 19 OR access_hour < 7 ) | table _time,User | top 10 User showperc=false Thx ... View more

Kristian, Great suggestion on dc as that worked great as well ... View more

Thx again as that worked perfectly, What I'm trying to do now is to get a breakdown in counts for either HostName or Access as such: User Values(Access) Values(HostName) HostCount AccessCount UserA VPN MachineA 4 1 UserA SSH MachineB 2 4 ETC ... View more

Al, Thx a million for the reply and info. How would I now add counts to the data (for either filed) and then sort by the count? ... View more

Martin, I wanted to expand on this question to pick your brain a little more and run through a scenario. We are planning to consume firewall syslog and we log at debugging level, which as you know, is very chatty. With that, if we have the indexer set as a listener, can we filter using transforms on the indexer, or would the firewall syslog need to go to a forwarder first to have events filtered before the data is indexed? Thx ... View more