
Help extracting fields (IPs and Ports) from a specific syslog message

healthtrans
Explorer

Can anyone assist with extracting the IP addresses and ports from this syslog message? I tried the 'extract fields' tool but was not successful.

Jul 21 14:09:23 192.168.1.1 HOSTNAME: NetScreen device_id=HOSTNAME [Root]system-alert-00016: Port scan! From 1.1.1.1:80 to 2.2.2.2:7136, proto TCP (zone Untrust int ethernet3). Occurred 1 times. (2011-07-21 09:09:17)

Thanks.

0 Karma

fk319
Builder

Use props.conf to call transforms.conf.

You can then build your regex:

# props.conf
[source::fromSomewhere]
TRANSFORMS-getIP = from-to-ips

# transforms.conf
[from-to-ips]
# Target text: From 1.1.1.1:80 to 2.2.2.2:7136, proto
# Repeat counts are written {min,max}; {1-3} is not a quantifier and would be matched as literal text.
REGEX = From ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{1,5}) to ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{1,5}), proto
FORMAT = FromIP::$1 ToIP::$2
# TRANSFORMS- is an index-time extraction, which only writes the fields when WRITE_META is set.
# For a search-time extraction use REPORT- in props.conf instead and omit WRITE_META.
WRITE_META = true

Depending on how strict you want your IP:port matching to be, you can tighten your regex.

0 Karma

Drainy
Champion

You could build a custom transform.
http://www.splunk.com/base/Documentation/4.2.2/Data/Advancedsourcetypeoverrides

I've been playing around with this a lot lately.
For example...

16:31:55.879529 00:16:0a:0b:92:fb > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 150: 192.168.3.2.42090 > 192.168.3.255.111: UDP, length 108

Is formatted with:

[tcpdump_basic]
REGEX = ([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+[^:]+) ([^ ]+) ([1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2})([.]+)([^>]+) ([>]) ([1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2}.[1-2]{0,1}[0-9]{1,2})([.]+)([^:]+)([^ ]+) ([^ ]+)([,]+)
FORMAT = timestamp::$1 src_mac::$3 dest_mac::$5 net_layer::$8 source_host::$12 source_port::$14 destin_host::$16 destin_port::$18 protocol::$20

The above goes in transforms.conf and then I just pop the following bit in props.conf

REPORT-tcpdump_basic = tcpdump_basic

You need to do a little bit more in props to define a sourcetype but you get the general idea. Don't let the regex scare you either. Copy and paste the regex and my example text to http://gskinner.com/RegExr/ and then hover over the highlighted output. It breaks down what each group relates to.
Now in my search window it correctly picks out all the right fields with the names I've defined.

Maybe slightly easier: there is a new version of the field extractor on apps that is apparently a lot better than the baked-in one, if you don't already have it.

EDIT: Link to the new field extractor

0 Karma
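Both answers above use the same mechanism: a transforms.conf stanza whose REGEX captures groups and whose FORMAT names them with field::$n tokens. The Python script below is an added example, not code from the thread or from Splunk; it emulates that REGEX-plus-FORMAT mapping outside Splunk so either stanza can be checked against the sample lines before it goes into a configuration. It shows that fk319's regex exactly as posted never matches (the {1-3} repeat is not a valid quantifier, so PCRE and Python both treat it as the literal text {1-3}), that the corrected {1,3} form yields FromIP and ToIP, and that Drainy's tcpdump regex, rejoined onto one line, fills every field named in its FORMAT. The apply_transform helper, the STRICT_* stanza with separate port fields, and the range checks in extract_netscreen are my additions; the two sample events are the lines quoted in the thread, re-typed here as constructed input.

```python
import re

# Constructed sample events: the two lines quoted in the thread, re-typed here.
NETSCREEN_EVENT = (
    "Jul 21 14:09:23 192.168.1.1 HOSTNAME: NetScreen device_id=HOSTNAME "
    "[Root]system-alert-00016: Port scan! From 1.1.1.1:80 to 2.2.2.2:7136, "
    "proto TCP (zone Untrust int ethernet3). Occurred 1 times. (2011-07-21 09:09:17)"
)
TCPDUMP_EVENT = (
    "16:31:55.879529 00:16:0a:0b:92:fb > ff:ff:ff:ff:ff:ff, ethertype IPv4 "
    "(0x0800), length 150: 192.168.3.2.42090 > 192.168.3.255.111: UDP, length 108"
)


def apply_transform(regex: str, fmt: str, event: str) -> dict:
    """Emulate one transforms.conf stanza: run REGEX over the event, then map each
    'field::$n' token of FORMAT to capture group n. Only the field::$n form is
    handled here (my simplification); Splunk's FORMAT also allows $0 and literal text."""
    match = re.search(regex, event)
    if match is None:
        return {}  # Splunk extracts nothing when REGEX does not match
    fields = {}
    for token in fmt.split():
        name, sep, ref = token.partition("::")
        if sep != "::" or not ref.startswith("$"):
            raise ValueError(f"unsupported FORMAT token: {token!r}")
        fields[name] = match.group(int(ref[1:]))
    return fields


# --- fk319's stanza ---------------------------------------------------------
# As posted: {1-3} is not a quantifier, so it matches the literal text "{1-3}"
# and the stanza produces no fields at all.
FROM_TO_REGEX_AS_POSTED = (
    r"From ([0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\:[0-9]{1-5}) "
    r"to ([0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\:[0-9]{1-5}), proto"
)
FROM_TO_FORMAT = "FromIP::$1 ToIP::$2"

_IP = r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
FROM_TO_REGEX = rf"From ({_IP}:[0-9]{{1,5}}) to ({_IP}:[0-9]{{1,5}}), proto"

# Tightened variant (my field names): ports in their own groups, plus the protocol.
STRICT_REGEX = rf"From ({_IP}):([0-9]{{1,5}}) to ({_IP}):([0-9]{{1,5}}), proto (\S+)"
STRICT_FORMAT = "src_ip::$1 src_port::$2 dest_ip::$3 dest_port::$4 proto::$5"


def extract_netscreen(event: str) -> dict:
    """Extract and range-check the scan endpoints. [0-9]{1,3} also accepts 999 and
    [0-9]{1,5} accepts 99999, so the numeric limits are enforced after the regex."""
    fields = apply_transform(STRICT_REGEX, STRICT_FORMAT, event)
    if not fields:
        return {}
    for key in ("src_ip", "dest_ip"):
        if any(int(octet) > 255 for octet in fields[key].split(".")):
            raise ValueError(f"{key} has an octet above 255: {fields[key]}")
    for key in ("src_port", "dest_port"):
        fields[key] = int(fields[key])
        if fields[key] > 65535:
            raise ValueError(f"{key} is above 65535: {fields[key]}")
    return fields


# --- Drainy's stanza, rejoined onto one line exactly as posted ----------------
_OCTET = r"[1-2]{0,1}[0-9]{1,2}"
_LOOSE_IP = f"{_OCTET}.{_OCTET}.{_OCTET}.{_OCTET}"  # dots are unescaped in the post
TCPDUMP_REGEX = (
    r"([^ ]+)([ ])([^ ]+) ([>]) ([^,]+)([^ ]) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+[^:]+) ([^ ]+) "
    f"({_LOOSE_IP})([.]+)([^>]+) ([>]) ({_LOOSE_IP})([.]+)([^:]+)([^ ]+) ([^ ]+)([,]+)"
)
TCPDUMP_FORMAT = (
    "timestamp::$1 src_mac::$3 dest_mac::$5 net_layer::$8 source_host::$12 "
    "source_port::$14 destin_host::$16 destin_port::$18 protocol::$20"
)


def extract_tcpdump(event: str) -> dict:
    return apply_transform(TCPDUMP_REGEX, TCPDUMP_FORMAT, event)


if __name__ == "__main__":
    print(apply_transform(FROM_TO_REGEX_AS_POSTED, FROM_TO_FORMAT, NETSCREEN_EVENT))
    print(apply_transform(FROM_TO_REGEX, FROM_TO_FORMAT, NETSCREEN_EVENT))
    print(extract_netscreen(NETSCREEN_EVENT))
    print(extract_tcpdump(TCPDUMP_EVENT))
```

Splunk evaluates REGEX with PCRE; every construct used here behaves the same under Python's re, so a stanza that fills its fields in this script will fill them in Splunk. The octet and port limits live in Python because a class such as [0-9]{1,3} cannot express "at most 255" without an alternation; in Splunk you either accept that looseness or tighten the pattern as fk319 suggests.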