Bugs in this TA version 1.0.1

Path Finder

Hello,

This TA is not working properly due to errors in default/props.conf on all lines containing:
EVAL-categories = split(category,",")

Because the split writes to a new field, categories, rather than back into category, the lookup is never applied to enrich the logs with blockGroup and description:
LOOKUP-opendns_dnslogs_category = opendns_dnslogs_categories name AS category OUTPUT blockGroup,description

Best regards

1 Solution

Engager

FloSwiip,

I just pushed out a new update to the add-on that covers both of the issues you mentioned:
1. There is a new calculated field that removes the trailing dot from the query.
2. The split categories go into "category" and not "categories".
3. The category split happens on proxy logs.
4. I also added support for Version 3 and 4 based on the updated OpenDNS logging format (this adds a few new fields).

You should be all set here, please let us know if you find any other issues or have additional suggestions.

Thanks,
Nick Bertram
Hurricane Labs


Path Finder

Nice, thank you guys for the prompt update.

Haha yes, I just discovered today the possibility of moving from our current version 2 schema to version 3 or 4, by speaking with the person responsible for Cisco Umbrella in my company. >_<

Now, if you do more work on this TA, I would suggest that, regarding the tags added to the logs, you try to match more of:
https://docs.splunk.com/Documentation/CIM/4.12.0/User/NetworkResolutionDNS

CIM compliance is currently about 9% if you evaluate it with:
https://github.com/hire-vladimir/SA-cim_vladiator and https://splunkbase.splunk.com/app/1621/

Most of the time, improvement can be achieved by just filling some of those fields with static info, like:
[opendns:dnslogs]
EVAL-dest_port = "53"
EVAL-message_type = "Response"
EVAL-transport = "udp"
EVAL-vendor_product = "Cisco Umbrella"

Note that the dest field missing from the raw log is also a big issue when doing searches.
So, as a personal choice that certainly can't be part of the published TA, I use:
EVAL-dest = "208.67.222.222"
to set an easy-to-recognize OpenDNS IP.

This allows me not to lose Cisco Umbrella results from the data model queries when dest is used in the by clause.

Thank you again, happy to have helped improve things.

Path Finder

You're absolutely right. I'll open an internal dev request and get that fixed ASAP.

Thanks for the report.


Path Finder

You are welcome.

An additional question: by chance, do you know why the final dot at the end of the query field is kept?
I know it comes from the raw log, but I am now removing it with a sed at index time, because it pollutes the threat-list matching afterwards.

Thank you

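Pulling the thread together, here is what a corrected default/props.conf stanza for the opendns:dnslogs sourcetype looks like once the category split writes back into the field the lookup reads, the trailing dot is stripped before any lookup or threat-list match, and the static CIM Network Resolution fields suggested above are added. This is an added example, not the add-on's shipped configuration: the lookup name opendns_dnslogs_categories, the output fields blockGroup and description, the field name query and the sourcetype are taken from the posts above; the transforms.conf stanza and CSV layout at the end are assumptions about how that lookup is defined, since the thread does not show them.

```ini
# default/props.conf  (added example, not the add-on's own file)
[opendns:dnslogs]

# 1. Normalise the FQDN before any lookup or threat-list match.
#    "www.example.com." and "www.example.com" must compare equal, so trim the
#    trailing dot that DNS absolute names carry. Calculated fields run at
#    search time, so _raw is untouched and already-indexed data benefits too.
EVAL-query = rtrim(query, ".")

# 2. Split the comma-separated category list back into the SAME field
#    (category), not a new field (categories). The LOOKUP-* line below reads
#    "category"; writing the split to "categories" is why it never matched.
#    Splunk evaluates calculated fields before automatic lookups, so the
#    lookup sees the multivalue field and enriches each category value.
EVAL-category = split(category, ",")

# 3. Enrich every category with its block group and description.
LOOKUP-opendns_dnslogs_category = opendns_dnslogs_categories name AS category OUTPUT blockGroup, description

# 4. Static CIM Network Resolution (DNS) fields the raw log does not carry.
EVAL-dest_port = "53"
EVAL-message_type = "Response"
EVAL-transport = "udp"
EVAL-vendor_product = "Cisco Umbrella"

# default/transforms.conf  (assumed definition; not shown in the thread)
# The CSV is assumed to have a header row of: name,blockGroup,description
[opendns_dnslogs_categories]
filename = opendns_dnslogs_categories.csv
```

Check the result with a search such as `index=<your_index> sourcetype=opendns:dnslogs | table query category blockGroup description`: query should show no trailing dots, and category, blockGroup and description should all be multivalue fields of the same length for events with several categories. The EVAL-dest = "208.67.222.222" line from the discussion above is deliberately left out here, since it hard-codes a resolver address that is not in the log; if you want it, put it in a local/props.conf override rather than the packaged add-on, as noted in the thread.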