I'm trying to route syslog data coming in on UDP port 5140 to several different sourcetype/index combinations. Here is a snippet of each file. Can anyone give me an idea of where the problem might be? Is what I'm trying to do too complicated?
inputs.conf
# UDP listener on port 5140 for incoming syslog traffic.
[udp://5140]
# Sets each event's host field to the IP address of the sending system.
# UDP source addresses are not authenticated, so anything keyed on host
# (including the index-time routing in transforms.conf) trusts the network
# path to this port; restrict who can reach it.
connection_host = ip
# Default index for this input. An index-time transform that writes
# _MetaData:Index replaces it for the events it matches.
index = syslog
props.conf
# Applies to every event whose source is udp:5140, i.e. the UDP input from inputs.conf.
[source::udp:5140]
# Transforms in one TRANSFORMS-<class> list run in the order written. When several
# of them write the same DEST_KEY, the last one whose REGEX matches decides the
# final value, which is why the two defaults come first and the device-specific
# entries follow.
# These are index-time settings: they only take effect on the instance that parses
# the data (indexer or heavy forwarder), not on a universal forwarder.
TRANSFORMS-syslog = default_st, default_idx, cisco_asa_st, cisco_ios_st, cisco_nx_st, f5_bigip_syslog_st, riverbed_steelhead_st, cisco_asa_idx, cisco_ios_idx, cisco_nx_idx, f5_bigip_syslog_idx, riverbed_steelhead_idx
transforms.conf
# Fallback sourcetype. Listed first in props.conf so later transforms can override it.
[default_st]
# Unanchored dotted-quad pattern. With connection_host = ip on the input, the host
# key holds the sender's address, so this matches any event from an IPv4 sender.
REGEX = \d+\.\d+\.\d+\.\d+
# Match against the event's host metadata instead of the raw event text.
SOURCE_KEY = MetaData:Host
# Values written to MetaData:Sourcetype carry the sourcetype:: prefix.
FORMAT = sourcetype::unknown_device
DEST_KEY = MetaData:Sourcetype
# Fallback index. Writes the same index name the input already assigns (syslog).
[default_idx]
REGEX = \d+\.\d+\.\d+\.\d+
SOURCE_KEY = MetaData:Host
# Index names written to _MetaData:Index take no prefix.
FORMAT = syslog
DEST_KEY = _MetaData:Index
# Device-specific sourcetype overrides. Each stanza rewrites MetaData:Sourcetype for
# events whose host key matches its REGEX.
# NOTE(review): every REGEX below contains only `|` characters. Presumably the device
# addresses were removed before posting and only the alternation separators remain;
# confirm against the real file. Taken literally, an alternation of empty branches
# matches any input, so all of these stanzas would fire and the last matching one in
# the props.conf list (riverbed_steelhead_st) would set the sourcetype for every event.
# When the real addresses are in place, escape the dots and bound each address
# (constructed example: (?:192\.0\.2\.10|192\.0\.2\.11)$) so a pattern for one device
# cannot also match a longer address that begins with the same digits.
[cisco_asa_st]
REGEX = ||
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
[cisco_ios_st]
REGEX = |||||||||||||||||||||||||||||
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::cisco:ios
DEST_KEY = MetaData:Sourcetype
[cisco_nx_st]
REGEX = ||||||
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::cisco:nx
DEST_KEY = MetaData:Sourcetype
[f5_bigip_syslog_st]
REGEX = |||||||
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::f5:bigip:syslog
DEST_KEY = MetaData:Sourcetype
[riverbed_steelhead_st]
REGEX = |
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::riverbed_steelhead
DEST_KEY = MetaData:Sourcetype
# Device-specific index overrides. Each stanza rewrites _MetaData:Index for events
# whose host key matches its REGEX.
# NOTE(review): the REGEX values here contain only `|` characters, presumably because
# the device addresses were stripped before posting; confirm against the real file.
# Taken literally, each pattern matches any input, and the last stanza in the
# props.conf list (riverbed_steelhead_idx) would send every event to `riverbed`.
# The index is commonly the unit for role access and retention, so a pattern that
# matches too broadly places events under the wrong policy. Verify routing with a
# search grouped by index, sourcetype and host after any change.
# The three Cisco stanzas write `syslog`, the same value the input and default_idx
# already assign, so they leave the index unchanged.
[cisco_asa_idx]
REGEX = ||
SOURCE_KEY = MetaData:Host
FORMAT = syslog
DEST_KEY = _MetaData:Index
[cisco_ios_idx]
REGEX = |||||||||||||||||||||||||||||
SOURCE_KEY = MetaData:Host
FORMAT = syslog
DEST_KEY = _MetaData:Index
[cisco_nx_idx]
REGEX = ||||||
SOURCE_KEY = MetaData:Host
FORMAT = syslog
DEST_KEY = _MetaData:Index
# Routes to a separate index. The target index has to be defined on the indexer
# for these events to be stored and searchable; confirm `f5` exists.
[f5_bigip_syslog_idx]
REGEX = |||||||
SOURCE_KEY = MetaData:Host
FORMAT = f5
DEST_KEY = _MetaData:Index
# Routes to a separate index; confirm `riverbed` is defined on the indexer.
[riverbed_steelhead_idx]
REGEX = |
SOURCE_KEY = MetaData:Host
FORMAT = riverbed
DEST_KEY = _MetaData:Index