Line breaking help

khaizercruz — Wed, 06 Oct 2021 03:30:11 GMT

Hello,

Can anyone please help me with the line breaking. Multiple Security events are merged into a single event, putting a highlight on the the timestamp where the event should break.

Event below should be split into 2.

sourcetype = claroty:cef

2021-10-02 14:37:17 User.Info 10.10.32.132 Oct 02 2021 04:37:17 server026 CEF:0|Claroty|CTD|4.3.1|Alert/Host Scan|Host Scan|10|src=10.206.164.120 smac=2c:00:00:0f:9a:ad:73 dmac=28:0000:61:f7:7e:c3 externalId=24459 cat=Security/Host Scan start=Oct 02 2021 12:43:36 msg=ICMP Host scan: Asset 10.5.164.10 sent packets to different IP destinations deviceExternalId=INDO - CIBITUNG cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other cccs4Label=DestZone cs4=Endpoint: MQTT cs6Label=CTDlink cs6=
2021-10-02 14:37:17 User.Info 10.10.32.132 Oct 02 2021 04:37:17 server026 CEF:0|Claroty|CTD|4.3.1|Alert/Host Scan|Host Scan|10|src=10.206.163.251 smac=28:00:00:f7:7e:cb shost=DESKTOP-0C11AFV dmac=00:1b:1b:2c:12:1a externalId=24460 cat=Security/Host Scan start=Oct 02 2021 12:43:42 msg=ICMP Host scan: Asset 10.51.163.251 sent packets to different IP destinations deviceExternalId=INDO - CIBITUNG cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other cccs4Label=DestZone cs4=PLC: S7 cs6Label=CTDlink cs6=

Current props.conf in search head

[claroty:cef]
LINE_BREAKER = ([\r\n]*)[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])(2[0-3]|[01][0-9]):[0-5][0-9]
BREAK_ONLY_BEFORE = ([\r\n]*)[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])(2[0-3]|[01][0-9]):[0-5][0-9]
REPORT-cs1 = claroty_cef_1
REPORT-cs2 = claroty_cef_2
REPORT-cs3 = claroty_cef_3
REPORT-cs4 = claroty_cef_4
REPORT-cs5 = claroty_cef_5
REPORT-cs6 = claroty_cef_6
REPORT-cs7 = claroty_cef_7
REPORT-cs8 = claroty_cef_8
REPORT-cs9 = claroty_cef_9
EXTRACT-msg = msg=(?<msg>.*?).x00$
EXTRACT-rt = rt=(?<rt>\w\w\w\s\d\d\s\d\d\d\d\s\d\d:\d\d:\d\d)
EXTRACT-alert = Alert\|(?<Alert>.+?)\|
EXTRACT-event = Event\|(?<Event>.+?)\|
FIELDALIAS-AssignedTo = ResolvedAs AS AssignedTo

Additional question
once we got the correct settings to props.conf and running search again will the data be the same?
or it will only work for the new events that will be ingested to splunk?

Re: Line breaking help

manjunathmeti — Wed, 06 Oct 2021 04:42:17 GMT

hi @khaizercruz,

Line-breaking configurations should be done before indexing the logs. So, you need to putLINE_BREAKER in forwarder(s).

topic Re: Line breaking help in Splunk Search

Line breaking help

Re: Line breaking help