I got asm logs coming from F5 to the kiwi syslog server and forwarding it to splunk server. Below is the asm message sample i get from the kiwi.
Nov 19 21:08:40 x.xx.xx.xx Original Address=xx.x.x.xx Nov 19 10:08:40 ASM:"2014-11-19 10:08:39","x.x.xx.xxx","Response logging disabled","Error","Session Hijacking","","<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>54</viol_index><viol_name>VIOL_COOKIE_MODIFIED</viol_name><referrer_obj>1229782938247303441</referrer_obj><cookie><cookie_name>SlNFU1NJT05JRA==</cookie_name><cookie_value>MjgzNkU3NEMzRUVBMTA5RDRGRTlBNTdBMTJBNjRGMTk=</cookie_value><is_new_cookie>1</is_new_cookie><staging>0</staging></cookie></violation></request-violations></BAD_MSG>"
Nov 19 23:16:31 xx.x.x.xx Original Address=x.x.x.xx Nov 19 12:16:30 ASM:"2014-11-19 12:16:30","xx.xxx.xx.xx","Response logging disabled","Error","Forceful Browsing","","<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>38</viol_index><viol_name>VIOL_URL</viol_name></violation></request-violations></BAD_MSG>"
But in F5 security app, the fields are not extracting. I havent set a profile in F5 since its send to kiwi. How do i extract the fields? I'm using splunk 6.2 and f5 latest versions.
try editing the tokenizer so it looks like this: ([^=,]+)="([^\.]+)|([^\"]+)"
It's in transforms.conf
for some reason it seems to have extra escapes (someone may have cut and pasted a regex tested on the search bar and not realized) There are also too many parens...
when I opened it in sublime text some of the characters showed that they seemed to be in the wrong character set. Text Wrangler treated it correctly... (notepad++ would be the choice on windows)
You can use something like regex101.com to test out the tokenizer with your sample data.
that will show you each of the results for the capturing groups.
That will pull the fields apart properly (based on your sample) including the kiwi prefix template...