topic Kaspersky Syslog Data Field Extraction in Getting Data In

Kaspersky Syslog Data Field Extraction

MoienABO — Fri, 28 Jul 2023 17:46:16 GMT

Recently, I changed Kaspersky Security Center log format to syslog (because of limitation of CEF) and We're receiving these logs in SPLUNK. but I found there is no suitable TA for such logs. so I decided to create transforms.conf and props.conf files to parse this log format. Here is my sample log:

Jul 26 16:44:56 172.31.0.254 1 2023-07-25T03:43:00.000Z comuter1 KES|11.0.0.0 - 000000g1 [event@23448 et="000000g1" tdn="Protection" etdn="Protection components are disabled" hdn="COMPUTER1" hip="172.24.7.139" gn="GPA" kscfqdn="something.root.holdings"] Event type: Protection components are disabled\r\nName: test.exe\r\nApplication path: C:\Program Files (x86)\Kaspersky Lab\KES.12.0.0\r\nProcess ID: 18446744073709551615\r\nUser: COMPUTER1\Administrator (Active user)\r\nComponent: Protection

and here is my props.conf and transforms.conf

props.conf:

[kasperskylab:securitycenter:syslog] SHOULD_LINEMERGE = false KV_MODE = none REPORT-outer_fields = get_outer_fields, get_inner_fields

transforms.conf:

[get_outer_fields] REGEX = ^(?<timestamp>[a-zA-Z]{3}\s+\d{1,2}\s+\d{1,2}:\d{1,2}:\d{1,2})\s+(?<device>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\S+\s+\d+-\d+-\d+\w+:\d+:\d+\.\d+\w+\s+(?<src>\S+)\s+(?<app>[^\s]*)\s+-\s+\S+\s+.*?hip="(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s+gn="(?<gn>[^"]+)"\s+kscfqdn="(?<fqdn>[^"]+)"]\s+(?<key_value_list>.*) [get_inner_fields] SOURCE_KEY = key_value_list DELIMS = "\\r\\n", ":"

but it seems only my first part (get_outer_fields) only works and nothing happens in second part (get_innter_fields). i also change my configs to replace "\r\n" with ";". here is my changes:

props.conf:

[kasperskylab:securitycenter:syslog] SHOULD_LINEMERGE = false KV_MODE = none SEDCMD-event_cleaner = s/\\r\\n/;/g REPORT-outer_fields = get_outer_fields, get_inner_fields

transforms.conf:

but the result not changed. any idea??

Any help is greatly appreciated.

Re: Kaspersky Syslog Data Field Extraction

gcusello — Sat, 29 Jul 2023 05:14:43 GMT

Hi @MoienABO,

at first: why do you want to use the second transformation, isn't the first sufficient to extract all fields?

Anyway, did you tried to put the transformations in two different rows?

[kasperskylab:securitycenter:syslog] SHOULD_LINEMERGE = false KV_MODE = none REPORT-outer_fields1 = get_outer_fields REPORT-outer_fields2 = get_inner_fields

At least, when you create a custom add on, use the Add-On Builder (https://splunkbase.splunk.com/app/2962) to normalize your data having a CIM compliant add-on.

In few words, you have also to:

create some eventtypes and tags,
create alias for your fields,
create calculated fields to normalize some fields values.

Ciao.

Giuseppe

Re: Kaspersky Syslog Data Field Extraction

MoienABO — Sat, 29 Jul 2023 09:02:05 GMT

hi @gcusello

Thanks for your answer. I use second transformation because second part of log contains useful fields such as Application, user and .... I need to extract them

I also know about defining knowledge Objects related to this add on and will define them later. but now, field extraction is my concern and it not worked event with your configurations too. maybe you' re right and i should use Add-On Builder App.