All Apps and Add-ons

Parsing CEF logs

wvalente
Explorer

Dear,

I'm getting CEF type logs, but Splunk is not parsing correctly.

I installed the App Splunk App for CEF, but it does not work. I also installed the CEF Extraction Add-on for Splunk app but it is not working either.

I tried parsing in the indexer by props.conf and transforms.conf, but it did not work:

props.conf
[host :: XXXXX]
EXTRACT-cef-message = CEF

transforms.conf
[CEF]
REGEX = \ d \ | (? [^ \ |] +) \ | (< [^ \ |] +) \ | (<< vendor_severity> [^ \ |] + (\ \ Ssquc \ srequestCookies \ = (\ S +) \, \ siPlanetDirectoryPro \, \ sJSESSIONID = (\ S +) \ srequest \ \ scs \ w \ s \ w \ s \ w \ s \ w \ s \ w \ w \ w \ w \ w \ w \ w \ w \ s] +) \ scs \ w + Label \ +) \ scs \ w + \ = ([\ w \ s] +) \ scs \ w + \ = ([\ w \ s] +) \ s
DEST_KEY = MetaData: Host

Splunk is doing the parse as follows:

aact
aamlbcookie
acat

cn1

acn1Label

cn5

acn5Label
acs1
acs1Label
acs2
acs2Label
acs3
acs3Label
acs4
acs4Label
acs5
acs5Label
acs6
acs6Label

date_hour

date_mday

date_minute

adate_month

date_second

adate_wday

date_year

date_zone

end

aeventtype
ahost
aindex
aiPlanetDirectoryPro
aJSESSIONID

linecount

amsg
aprimefaces_download
apunct
areason
arequest
arequestCookies
arequestMethod
asource
asourcetype
asplunk_server
asplunk_server_group
asrc
asuser

timeendpos

timestartpos

Can someone help me?

0 Karma

IgorB
Path Finder

Hi @wvalente,

Installing "CEF Extraction Add-on for Splunk" app won't help if you are not using the field extractions it provides. Please see usage examples in the app's README.

--Igor

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...