Being a newbie with splunk, I don't get much further than installing splunk and having a listener set up to which the SSG sends it syslog data.
I need to make traffic reports out of the traffic logs from certain firewall policies.
The output should be a table with following colums:
Source IP | total recv'd data | total sent data | total of recv'd+sent
192.168.1.x | 400 MB | 100 MB | 500 MB
192.168.1.y | 150 MB | 1 GB | 1,15 GB
...
The input is, as said, ScreenOS syslog data in the form of:
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:51" duration=5 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=4090 dst_port=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 session_id=15683 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:52" duration=4 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=3789 dst_port=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 session_id=15984 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:25" duration=31 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 src_port=3293 dst_port=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 session_id=15342 reason=Close - TCP RST
gw0-NLA
Does somebody has experience with this and could give me some hints?
thanks!
not work, error occur as below:
Error in 'stats' command: Repeated group-by field 'src'.
I dont think you can have table with MB and GB as per your example...But you can have another column for GB,here is an example :
sourcetype=<sourcetype assigned to your netscreen syslog data> | stats sum(sent) AS TotalSent by src, sum(rcvd) AS TotalRcvd by src | eval TotalSentMB=round(TotalSent/1024/1024,2) | eval TotalRcvdMB=round(TotalRcvd/1024/1024,2) | eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2) | eval TotalGB=round((TotalSent+TotalRcvd)/1024/1024/1024,2) | table src TotalSentMB TotalRcvdMB TotalMB TotalGB