How do I change the source field in a file monitor source?

Lyle Cowart

I'm collecting files written by syslog from Cisco ASA and I'd like to change the source from the filename to a value extracted from _raw. It's not possible right now to send the syslog directly to the edge node.

I've tried evaling source to __raw.match(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/) The output on value expression seems right but the source field doesn't change. Is this possible?

Lyle Cowart

Hi Jon,

So I figured out the issue was related to the eval sourcetype!="cisco:asa". Since the source wasn't from (I'm assuming Splunk) this field was never added. I adjusted it to /\s%ASA-/.test(_raw)==false so it would drop the non ASA events.

Jon Rust

Can you share a screencap of the exact set-up you're using?

From the original post, I don't think you're using match properly. The match method will return several objects in an array. The first object in the array is the segment that matched, the second would be the first group, proceeding through the rest of the groups (if any) after that.

In your case I think you'd want _raw.match(/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/)[0]

Lyle Cowart

Okay. I fixed that eval. It now returns just the value instead of an array of values. The green bit is what I'm trying to match, and replace the "source" field with so that instead of the file path to the file, it is the IP of the original syslog source.

When I run it through a sample file, it seems to keep the original source value for the file location instead of the IP address matched in the eval:

I'm sure I'm doing something wrong or I'm not even sure if source can be modified like that. I'm doing it in the preprocessing pipeline for this source. sorry for the black boxes, just trying to keep some private stuff private as much as I can.

Jon Rust

Did you save, commit & deploy?
EDIT: Also that screen cap has the IN tab selected. Check the out?

Lyle Cowart

Yep, sure did.

Jon Rust

IN tab vs OUT tab?

Lyle Cowart

Hi Jon. Thanks for all the help. I checked "OUT" as well and it looks the same. It looks this way when I do live captures as well, when I do "before routes". The issue here is that later down the line, the pack for Sentinel takes the source field, and matches it to "Computer" for MS Sentinel CSL injection. Being the log filename is no good for this since it won't match with an entity.

Jon Rust

Well that's curious. We're missing something very obvious here. Reach out to me if you'd like to hop on a call to sort it out. You can find me in Cribl Slack as well. I have the next hour free, or tomorrow morning.

Lyle Cowart

Hi Jon,

So I figured out the issue was related to the eval sourcetype!="cisco:asa". Since the source wasn't from (I'm assuming Splunk) this field was never added. I adjusted it to /\s%ASA-/.test(_raw)==false so it would drop the non ASA events.