topic Re: Veeam Logs Parsing in Knowledge Management

How to parse Veeam Logs?

sanglap666 — Wed, 01 Mar 2023 18:37:45 GMT

Hi Everyone,

I have sample logs for Virsec event. Below is a sample event.

Mar 1 06:24:05 xxx.xxx.xxx.xxx CEF:1|Virsec Security Platform|Virsec|x.x.x|41|Library Monitoring|10|EventId=VS-NA-030123-A02447| Server_Name=xxxxxx Incident_Level=ATTACK Incident_Category=FILE_INTEGRITY Incident_Type=Library Monitoring Incident_Timestamp=01 Mar 2023 02:24:05 PM GMT Process Checksum=097ce5761c89434367598b34fe32893b Action=LOG Parameters=cmdline Parent Process Name=cmd.exe Process Threat Verification Status =Safe Process Path=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Library Checksum=2cdb991bbbb60eb91c2df5f68e96e8fe Canary No=1220704979 Process Profile Name=xxxxxxxxxxxxxxxxxxxxxx Number of Libraries=1 Library Name=EdrDotNet.UnmanagedLib.dll Start Time=2023-03-01T14:23:58.661-05:00 Process Name=powershell.exe Process Profile Id=494037864 processObjectId=63f35f7a0ac3c9670c943e14 Username=xxxxxxx\xxxxxxx libraryObjectId=63f35f7a0ac3c9670c943e16 Library Path=C:\Windows\System32\EdrDotNet.UnmanagedLib.dll Event Type=New Library for Process Incident Type=Library Injection Process Pid=9632 Type=Library Monitoring Incident Description=Library Monitoring eventTime=2023-03-01T14:23:58.661-05:00 category=FILE_INTEGRITY threatCode=LibraryInjection

I have created a parsing for this using EXTRACT- in props.conf inside a seperate app.

[virsec:library]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Library Checksum
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-LibraryName = Library Name=(?<LibraryName>.*) Start Time
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-LibraryPath = Library Path=(?<LibraryPath>.*) Event Type
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path

Not sure why the parsing is not working. Can somebody help.

Re: Veeam Logs Parsing

richgalloway — Wed, 01 Mar 2023 16:17:40 GMT

Where did you install this app? Did you restart the Splunk instance(s) afterwards? The app should be installed on the Search Head, Indexers, and Heavy Forwarders (if any).

Have you tested the regular expressions on https://regex101.com to verify the work as expected?

Does the inputs.conf stanza have the right sourcetype?

Re: Veeam Logs Parsing

sanglap666 — Thu, 02 Mar 2023 16:04:31 GMT

Hi @richgalloway ,

My splunk instance is a standalone free splunk enetreprise deployment.

I have created the virsec_app and placed all configurations inside local folder & also restarted the server.

I tried the regex all are working, as i tried field extraction from splunk gui and all worked fine, so tried through backend using props.conf but seems it doesn't works. Please find below my whole configuration.

inputs.conf
[monitor://c:\\<location for the log>]
index=virsec
sourcetype=virsec_log

props.conf
[virsec_log]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
TRANSFORMS-sourcetype=virsec_library,virsec_process

[virsec:process]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Canary No
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path

transforms.conf
[virsec_library]
SOURCE_KEY = _raw
REGEX = (LibraryMonitoring|LibraryInjection|LibraryHijack)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::virsec:library

[virsec_process]
SOURCE_KEY = _raw
REGEX = (ProcessMonitoring|ProcessInjection)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::virsec:process

indexes.conf
[virsec]
homePath = $SPLUNK_DB/virsec/db
coldPath = $SPLUNK_DB/virsec/colddb
thawedPath = $SPLUNK_DB/virsec/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

Re: Veeam Logs Parsing

richgalloway — Thu, 02 Mar 2023 19:33:45 GMT

I think I understand the problem. The application of props.conf settings is a single-pass operation. If the sourcetype changes during that pass another pass for the new sourcetype is NOT performed.

The only way (that I know of) to process the new sourcetype is by using the CLONE_SOURCETYPE setting in transforms.conf. That will, however, keep the original copy of the data in its current form.

You should be able to extract fields using a single sourcetype. It looks like the only difference between the two sourcetypes is the words used to end some regexes. Consider combining them.

[virsec_log] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) MAX_TIMESTAMP_LOOKAHEAD=15 TIME_FORMAT=%b %d %H:%M:%S EXTRACT-processpath = Process Path=(?<ProcessPath>.*) (Library|Canary) EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path EXTRACT-LibraryName = Library Name=(?<LibraryName>.*) Start Time EXTRACT-LibraryPath = Library Path=(?<LibraryPath>.*) Event Type