topic Re: How could i filter network firewall data using a filed value ? in Getting Data In

How could i filter network firewall data using a filed value ?

Afef — Fri, 18 Dec 2015 10:44:59 GMT

Hello,

I have a firewall that sends a lot of data, i would like to filter events using a specific field value (exemple whitelist field="value")

my stanza is like this :

[udp://516]
connection_host = ip
sourcetype = stonegate
whitelist = deviceExternalId="value"

This didn't work and i still get all of data.

Any help please ?

thanks

Re: How could i filter network firewall data using a filed value ?

javiergn — Fri, 18 Dec 2015 10:53:43 GMT

If you want to filter data you have to play with the props and transforms files.
Take a look at this:

Keep in mind this is not going to work on Universal Forwarders so make sure you are running it on a full enterprise installation.

Thanks,
J

Re: How could i filter network firewall data using a filed value ?

jmallorquin — Fri, 18 Dec 2015 10:53:46 GMT

Hi Afef

The correct way is

In props.conf

[stonegate]
TRANSFORMS-erase = eventerase

in transforms.conf

[eventerase]
 REGEX=  deviceExternalId\=\"value\" <<--- the regular expresion that match the events that you want to filter
 DEST_KEY=queue
 FORMAT=nullQueue

Hope help you

Re: How could i filter network firewall data using a filed value ?

Afef — Fri, 18 Dec 2015 12:58:10 GMT

This did not work for me !

i have events like this :

I did the config on props.conf & transforms.conf but i still have data in

Re: How could i filter network firewall data using a filed value ?

jmallorquin — Fri, 18 Dec 2015 13:03:14 GMT

Have you restart splunk after configure the props.conf and transforms.conf?

Can you add the content of the config files just to check the configuration?

And also, where the did you configure these files? indexer i hope

Re: How could i filter network firewall data using a filed value ?

Afef — Fri, 18 Dec 2015 13:08:47 GMT

yes i restarted the splunk server (yes the indexer , i have one splunk isntance)

the config :

In props.conf

 [stonegate]
 TRANSFORMS-erase = eventerase

in transforms.conf

 [eventerase]
  REGEX=  deviceExternalId\=\"ExempleValue-FW\"
  DEST_KEY=queue
  FORMAT=nullQueue

Re: How could i filter network firewall data using a filed value ?

jmallorquin — Fri, 18 Dec 2015 13:12:09 GMT

Hi,

I think the error is in the regex, please use this one

REGEX=  deviceExternalId\=ExempleValue\-FW

Re: How could i filter network firewall data using a filed value ?

Afef — Fri, 18 Dec 2015 13:36:05 GMT

Thanks for your answer it works 🙂

If i would like to put many values :

REGEX= deviceExternalId=(ExempleValue-FW|ExempleValue2-FW) ?

Re: How could i filter network firewall data using a filed value ?

jmallorquin — Fri, 18 Dec 2015 13:40:13 GMT

Yes,

But remember to escape the -

🙂

Re: How could i filter network firewall data using a filed value ?

Afef — Fri, 18 Dec 2015 13:43:16 GMT

yes yes

REGEX= deviceExternalId=(ExempleValue-FW|ExempleValue2-FW)

Thank you 🙂

Re: How could i filter network firewall data using a filed value ?

jmallorquin — Fri, 18 Dec 2015 13:47:16 GMT

And also remember to scape the second =

REGEX= deviceExternalId\=(ExempleValue\-FW|ExempleValue2\-FW)

De nada

Re: How could i filter network firewall data using a filed value ?

woodcock — Fri, 18 Dec 2015 17:49:22 GMT

It won't work unless you remove the comment string ( <<--- the regular expresion that match the events that you want to filter ). That is probably all that is wrong; otherwise this solution should work.