
Props.conf & transforms.conf not working

element1314
New Member

I have successfully ingested the DLP log via UDP 514.
But it is not parsing correctly. I guess it is a configuration problem in props.conf and transforms.conf.
I am using Forcepoint DLP 8.6.0.

0 Karma

Kawtar
Path Finder

Hello,
You should copy props.conf and transforms.conf from default, put them in local, then restart the instance;
otherwise you can put them here.

Try this.

0 Karma

apcsplunk
Explorer

Can you please elaborate more, e.g. where the app/add-on is pushed, a reference link to the add-on, sample data ingested, etc.?
This will help in troubleshooting.
Also please note that even though the UDP reception is at a heavy forwarder, it is recommended to push the add-on/app to the heavy forwarder as well as the search heads.
Cheers

element1314
New Member

The add-on is installed on the search head, indexers and heavy forwarder.
I have set up the data input on the heavy forwarder servers.
props.conf and transforms.conf are copied from the "default" folder to the "local" folder.
I find that the 2 statements below in props.conf are working but the others do not.
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")

props.conf
[websense:dlp:system:cef]
KV_MODE = none
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
REPORT-2_extract_field = websense_dlp_system_cef_extract_field_0, websense_dlp_system_cef_extract_field_1
FIELDALIAS-3_alias_fields = cef_event_severity_id as vendor_severity
FIELDALIAS-4_alias_fields = act as vendor_action
FIELDALIAS-body = cef_extension as body
FIELDALIAS-id = cef_event_signature_id as id
FIELDALIAS-severity_id = cef_event_severity_id as severity_id
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")
EVAL-subject = "Websense DLP alert. Policy:" + cat + " SourceServiceName:" + sourceServiceName
LOOKUP-5_look_up_extract = websense_dlp_actions_lookup vendor_action OUTPUT action
LOOKUP-6_look_up_extract = websense_dlp_severity_lookup vendor_severity OUTPUT severity

transforms.conf
[websense_dlp_system_cef_extract_field_0]
REGEX = (.+)\s+CEF:(\d+)(?

0 Karma

element1314
New Member
REGEX = (.+)\s+CEF:(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$
FORMAT = syslog_header::$1 cef_version::$2 cef_dvc_vendor::$3 cef_dvc_product::$4 cef_dvc_version::$5 cef_event_signature_id::$6 cef_product_log_category::$7 cef_event_severity_id::$8 cef_extension::$9

[websense_dlp_system_cef_extract_field_1]
REGEX = ((?:[^\s\|]|(?<=\\)\|)+)=((?:\\\=|[^=])*)(?:\s+|$)
SOURCE_KEY = cef_extension
FORMAT = $1::$2

[websense_dlp_actions_lookup]
filename = websense_dlp_actions.csv

[websense_dlp_severity_lookup]
filename = websense_dlp_severity.csv
default_match = unknown
min_matches = 1

0 Karma

ipoluda
Explorer

I was also confused about why the add-on was not working, but the reason lies in just one space :)
Namely, in the REGEX line.
If you look at the incoming events, you can notice that there is a space between "CEF:" and its value ("0" in my case). That space is not accounted for in the default regular expression:

2021-08-16T12:11:47.000 fp-dlp.local CEF: 0|Forcepoint|Force....


So just replace the default REGEX line with this one: 

(.+)\s+CEF:\s*(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$

P.S. \s* means zero or more spaces, so even if there is no space in some cases, the regex will still work correctly.

0 Karma
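To make the effect of that one space visible outside Splunk, here is an added example (not code from the add-on or from any poster in this thread) that runs the two transforms from the thread in plain Python: the default header regex and the corrected one with \s*, then the key=value regex over cef_extension, followed by the EVAL-type calculation from props.conf. The two sample events are constructed for this example and are not real Forcepoint output; the field names are taken from the FORMAT line of the websense_dlp_system_cef_extract_field_0 stanza.

```python
import re

# Header regex as shipped in the add-on's transforms.conf stanza
# websense_dlp_system_cef_extract_field_0: a digit must follow "CEF:" directly.
HEADER_DEFAULT = re.compile(
    r"(.+)\s+CEF:(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|"
    r"(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$"
)

# Corrected header regex from the thread: \s* tolerates "CEF: 0" as well as "CEF:0".
HEADER_FIXED = re.compile(
    r"(.+)\s+CEF:\s*(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|"
    r"(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$"
)

# Field names in the order of the FORMAT line of the same stanza ($1 .. $9).
HEADER_FIELDS = [
    "syslog_header", "cef_version", "cef_dvc_vendor", "cef_dvc_product",
    "cef_dvc_version", "cef_event_signature_id", "cef_product_log_category",
    "cef_event_severity_id", "cef_extension",
]

# key=value regex from websense_dlp_system_cef_extract_field_1. It runs over
# cef_extension only; values may contain spaces, keys may contain escaped pipes.
KV = re.compile(r"((?:[^\s\|]|(?<=\\)\|)+)=((?:\\\=|[^=])*)(?:\s+|$)")

# Constructed sample events (not real Forcepoint output). The first carries the
# space after "CEF:" described in the thread; the second has no space and an
# escaped pipe inside a header field, to show the (?<!\\)\| delimiters at work.
SAMPLE_WITH_SPACE = (
    "2021-08-16T12:11:47.000 fp-dlp.local CEF: 0|Forcepoint|Forcepoint DLP|8.6.0|"
    "1|Policy Violation|7|act=Blocked cat=PCI Policy sourceServiceName=HTTP"
)
SAMPLE_NO_SPACE = (
    "2021-08-16T12:11:47.000 fp-dlp.local CEF:0|Forcepoint|Forcepoint DLP|8.6.0|"
    "1|Policy\\|Violation|7|act=Permitted cat=PCI Policy sourceServiceName=SMTP"
)


def parse_header(line, pattern=HEADER_FIXED):
    """Return the nine header fields as a dict, or None if the regex rejects the line."""
    m = pattern.match(line)
    if m is None:
        return None
    return dict(zip(HEADER_FIELDS, m.groups()))


def parse_extension(extension):
    """Split the CEF extension into key/value pairs the way the second transform does."""
    return {key: value for key, value in KV.findall(extension)}


def parse_event(line, pattern=HEADER_FIXED):
    """Header + extension extraction, plus the EVAL-type calculation from props.conf.

    Returns None when the header regex does not match, which is exactly the
    situation the thread describes: the REPORT-, FIELDALIAS- and LOOKUP- settings
    that depend on the extracted fields then produce nothing, while the two EVALs
    that need no extracted field (app, and type falling back to "unknown") still
    appear to work.
    """
    fields = parse_header(line, pattern)
    if fields is None:
        return None
    fields.update(parse_extension(fields["cef_extension"]))
    # EVAL-type = if(match(act, "Blocked"), "alert", "unknown")
    fields["type"] = "alert" if re.search("Blocked", fields.get("act", "")) else "unknown"
    return fields


if __name__ == "__main__":
    for name, sample in (("with space", SAMPLE_WITH_SPACE), ("no space", SAMPLE_NO_SPACE)):
        for label, pattern in (("default", HEADER_DEFAULT), ("fixed", HEADER_FIXED)):
            result = parse_event(sample, pattern)
            status = "NO MATCH" if result is None else f"act={result['act']} type={result['type']}"
            print(f"{name:10s} {label:8s} -> {status}")
```

Running it shows the default regex rejecting the "CEF: 0" line outright while the corrected one extracts every header and extension field; the "CEF:0" line parses identically under both, so the \s* change is safe for sources that do not emit the space.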

element1314
New Member

Any comment?

0 Karma