topic Filter a syslog to only a couple fields, make into a report in Getting Data In

Filter a syslog to only a couple fields, make into a report

ravenind — Thu, 12 Mar 2015 05:08:29 GMT

Pardon my brand-newness to Splunk, please. I just installed it. 😉

We have a Sourcefire unit that we would like to pull Connection Events out of to use it for web filter reporting. I am pushing Events in to Splunk and each Syslog event has the data(fields) that I need - User:, URL:, date_hour.

At the most basic level, I simply need to be able to create a report to search for say, "User123" from the User: field and only show User/URL/Date in a very readable report. What is the easiest way to do this? Keep in mind the syslog data is already coming in so I just need to filter and make it readable for these few fields.

If I can get this basic need handled, management will allow me to use Splunk as our web filtering platform and then I can have a hayday playing with all the other fun features.

Please help, thanks!

Re: Filter a syslog to only a couple fields, make into a report

satishsdange — Thu, 12 Mar 2015 05:17:59 GMT

Did you get a chance to look at this https://apps.splunk.com/app/1808/. This add-on can certainly help you to extract data & create cool reports.
You amy also look at Cisco Security Suite https://apps.splunk.com/app/525/.

Re: Filter a syslog to only a couple fields, make into a report

ravenind — Thu, 12 Mar 2015 13:40:33 GMT

I am looking in to it as we speak, but it appears to require a bit more time and involvement to set up. I am sure long term this is probably the way to go, but I already have the Syslog pulling in data and would like to be able to create a simple report off of what I have already. As mentioned, if I can prove that this simple report is possible, management will allow me to use Splunk at which time I can take a more full-featured approach.

Thank you.

Re: Filter a syslog to only a couple fields, make into a report

ravenind — Fri, 13 Mar 2015 14:40:48 GMT

It would appear that the eStreamer does not have an option to output Connection Events, only other types of events.

I am really looking for a most simple type of report, are there any other suggestions?

Re: Filter a syslog to only a couple fields, make into a report

ravenind — Tue, 17 Mar 2015 02:56:10 GMT

Still struggling with what seems it should be very simple. Does anyone else have any recommendations? Thanks!

Re: Filter a syslog to only a couple fields, make into a report

satishsdange — Tue, 17 Mar 2015 08:59:17 GMT

Could you please share some sample data?

Re: Filter a syslog to only a couple fields, make into a report

ravenind — Tue, 17 Mar 2015 18:50:01 GMT

Sure! Here are 2 example syslog entries. Note the date/time at the beginning, the URL:, and the User: sections. I did choose 'Extract Fields' and it appeared to be able to single out the 3 fields that I was most concerned with. I just don't know how to make a simple report from those 3 fields. I appreciate your responses, satishsdange!

2015-03-17 00:00:15 Syslog.Alert 10.24.100.2 Mar 16 13:50:46 SET-ASASFR SFIMS: [Primary Detection Engine (3fb65e80-3ea7-11e4-ae31-d6323923abe1)][Default Access Control] Connection Type: End, User: mav2, Client: SSL client, Application Protocol: HTTPS, Web App: MS Office 365, Access Control Rule Name: LogWebTraffic, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Internet Portals, URL Reputation: High risk, URL: https://nexus.officeapps.live.com, Interface Ingress: Inside, Interface Egress: Outside, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 8, Responder Packets: 9, Initiator Bytes: 1434, Responder Bytes: 6780, Context: unknown {TCP} 10.24.100.78:55118 -> 167.73.254.109:443

2015-03-17 00:01:25 Syslog.Alert 10.24.100.2 Mar 16 13:50:47 SET-ASASFR SFIMS: [Primary Detection Engine (3fb65e80-3ea7-11e4-ae31-d6323923abe1)][Default Access Control] Connection Type: End, User: rad2, Client: Microsoft CryptoAPI, Application Protocol: HTTP, Web App: Microsoft, Access Control Rule Name: LogWebTraffic, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Business and Economy, URL Reputation: High risk, URL: http://crl.microsoft.com/pki/crl/products/tspca.crl, Interface Ingress: Inside, Interface Egress: Outside, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: 6.1, Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 17, Responder Packets: 9, Initiator Bytes: 2799, Responder Bytes: 2083, Context: unknown {TCP} 10.24.100.91:62157 -> 74.73.232.50:80