https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87718#M22426 <P>Thanks. Works perfectly so far.</P> Thu, 08 Mar 2012 16:21:53 GMT mrjester 2012-03-08T16:21:53Z https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87716#M22424 <P>I am consuming logs from my Vyatta firewall and I am having trouble getting the field extractor to reliably pull the rule name from the events. It looks like I need to manually build the regex query, but unfortunately I lack that skill. </P> <P>The rule name is always the 7th field as identified by spaces.</P> <P><CODE>[&lt;ruleset&gt;-&lt;ruleNumber&gt;-&lt;action&gt;]</CODE><BR /><BR /> * Ruleset could be trust-service-6, trust-untrust6, dmz-local etc in my instance. Generically, it could be any text.<BR /> * RuleNumber could be 1-9999 or default.<BR /> * Action could be A, R or D</P> <P>These are examples of the form the rule names take in my environment.</P> <P>[dmz-local-6-10-A]<BR /><BR /> [dmz-local-100-A]<BR /><BR /> [trust-untrust-2-D]<BR /><BR /> [untrust-trust-3-D]<BR /><BR /> [work-untrust-20-A]<BR /><BR /> [trust-untrust-default-D]<BR /><BR /> [trust-service-6-default-D]<BR /><BR /> [dmz-local-6-50-R]<BR /><BR /> [dmz-mgmt-100-R] </P> <P>The following are raw sources.</P> <UL> <LI>Mar 8 09:25:21 carbon kernel: [8195160.290370] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=59399 DPT=53 LEN=49 </LI> <LI>Mar 8 09:25:21 carbon kernel: [8195160.293139] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46094 PROTO=UDP SPT=21394 DPT=53 LEN=97 </LI> <LI>Mar 8 09:25:21 carbon kernel: [8195160.386377] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=63647 DPT=53 LEN=49 </LI> <LI>Mar 8 09:25:21 carbon kernel: [8195160.388007] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46095 PROTO=UDP SPT=28420 DPT=53 LEN=97 </LI> <LI>Mar 8 09:25:21 carbon kernel: [8195160.472564] [trust-untrust-20-A] IN=eth0.100 OUT=eth1.999 MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:08:00 SRC=10.0.1.10 DST=204.236.229.254 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30076 DF PROTO=TCP SPT=51287 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 </LI> <LI>Mar 8 09:25:23 carbon kernel: [8195162.690082] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31426 DF PROTO=TCP SPT=60668 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 </LI> <LI>Mar 8 09:25:23 carbon kernel: [8195162.693543] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31429 DF PROTO=TCP SPT=60669 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 </LI> <LI>Mar 8 09:25:24 carbon kernel: [8195163.148490] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31455 DF PROTO=TCP SPT=60670 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 </LI> <LI>Mar 8 09:25:26 carbon kernel: [8195165.241861] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31483 DF PROTO=TCP SPT=60671 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 </LI> <LI>Mar 8 09:25:27 carbon kernel: [8195166.278045] [untrust-local-6-10-A] IN=eth1.999 OUT= MAC=00:30:48:9f:33:b3:00:0c:29:af:6d:87:86:dd SRC=2001:0470:1f11:03f2:0000:0000:0000:0203 DST=2001:0470:1f11:03f2:0000:0000:0000:0001 LEN=82 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=33103 DPT=53 LEN=42</LI> </UL> Thu, 08 Mar 2012 14:43:01 GMT https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87716#M22424 mrjester 2012-03-08T14:43:01Z https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87717#M22425 <P>Assuming that the sourcetype of your data is vyatta, put this in $SPLUNK_HOME/etc/system/local/props.conf</P> <PRE><CODE>[vyatta] EXTRACT-e1=\[.*?]\s\[(?&lt;ruleName&gt;.+?)] </CODE></PRE> <P>This should extract the field and call it ruleName.</P> Thu, 08 Mar 2012 15:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87717#M22425 lguinn2 2012-03-08T15:35:28Z https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87718#M22426 <P>Thanks. Works perfectly so far.</P> Thu, 08 Mar 2012 16:21:53 GMT https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87718#M22426 mrjester 2012-03-08T16:21:53Z https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87719#M22427 <P>Try:</P> <P>\w{3}\s+\d+\s+\d+:\d+:\d+\s+\w+\s+\w+:\s+[\d+.\d+]\s+[(?<RULESET>\w+-\w+(?:-\d+)?)-(?<RULENUMBER>[\ddefault]+)-(?<ACTION>\w+)]\s+</ACTION></RULENUMBER></RULESET></P> Tue, 08 Apr 2014 06:59:21 GMT https://community.splunk.com/t5/Splunk-Search/Vyatta-Rule-Field-Extraction/m-p/87719#M22427 vipiao 2014-04-08T06:59:21Z