Props.conf & transforms.conf not working

element1314
New Member

I have successfully ingested the DLP log via UDP 514.
But it is not being parsed correctly. I guess it is a configuration problem in props.conf and transforms.conf.
I am using Forcepoint DLP 8.6.0.

0 Karma

Kawtar
Path Finder

Hello,
You should copy props.conf and transforms.conf from default, put them in local, then restart the instance;
otherwise you can put this here.

Try this.

0 Karma

apcsplunk
Explorer

Can you please elaborate more? For example: where the app/add-on is pushed, a reference link to the add-on, sample ingested data, etc.
This will help in troubleshooting better.
Also please note that even though the UDP reception is on a heavy forwarder, it is recommended to push the add-on/app to the heavy forwarder as well as the search heads.
Cheers -

element1314
New Member

The add-on is installed on the search head, the indexers and the heavy forwarder.
I have set up the data input on the heavy forwarder servers.
The props.conf and transforms.conf are copied from the "default" folder to the "local" folder.
I find that the two statements below in props.conf are working, but the others are not.
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")

props.conf
[websense:dlp:system:cef]
KV_MODE = none
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
REPORT-2_extract_field = websense_dlp_system_cef_extract_field_0, websense_dlp_system_cef_extract_field_1
FIELDALIAS-3_alias_fields = cef_event_severity_id as vendor_severity
FIELDALIAS-4_alias_fields = act as vendor_action
FIELDALIAS-body = cef_extension as body
FIELDALIAS-id = cef_event_signature_id as id
FIELDALIAS-severity_id = cef_event_severity_id as severity_id
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")
EVAL-subject = "Websense DLP alert. Policy:" + cat + " SourceServiceName:" + sourceServiceName
LOOKUP-5_look_up_extract = websense_dlp_actions_lookup vendor_action OUTPUT action
LOOKUP-6_look_up_extract = websense_dlp_severity_lookup vendor_severity OUTPUT severity

transforms.conf
[websense_dlp_system_cef_extract_field_0]
REGEX = (.+)\s+CEF:(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$

0 Karma

element1314
New Member

REGEX = (.+)\s+CEF:(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$
FORMAT = syslog_header::$1 cef_version::$2 cef_dvc_vendor::$3 cef_dvc_product::$4 cef_dvc_version::$5 cef_event_signature_id::$6 cef_product_log_category::$7 cef_event_severity_id::$8 cef_extension::$9

[websense_dlp_system_cef_extract_field_1]
REGEX = ((?:[^\s\|]|(?<=\\)\|)+)=((?:\\\=|[^=])*)(?:\s+|$)
SOURCE_KEY = cef_extension
FORMAT = $1::$2

[websense_dlp_actions_lookup]
filename = websense_dlp_actions.csv

[websense_dlp_severity_lookup]
filename = websense_dlp_severity.csv
default_match = unknown
min_matches = 1

0 Karma

ipoluda
Explorer

I was also confused about why the add-on was not working, but the reason lies in just one space :)
Namely, in the REGEX line.
If you look at the incoming events, you will notice that there is a space between "CEF:" and its value ("0" in my case). That space is not accounted for in the default regular expression:

2021-08-16T12:11:47.000 fp-dlp.local CEF: 0|Forcepoint|Force....

So just replace the default REGEX line with this one:

(.+)\s+CEF:\s*(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$

P.S. \s* means zero or more spaces, so even if there is no space in some cases, the regex will still work correctly.

0 Karma
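As an added example (not code from this thread, from Splunk, or from the Forcepoint/Websense add-on), the script below re-implements the two transforms.conf stages posted by element1314 in Python, using Python's re module in place of Splunk's PCRE (the constructs involved behave the same in both), and runs them with the add-on's default header regex next to the corrected one posted by ipoluda. It also replays the FIELDALIAS- and EVAL- stanzas from the props.conf above so you can see the symptom from the first post: with the default regex the header stage matches nothing, so only the two EVALs that need no extracted field (app and type, the latter falling through to "unknown") produce a value. The sample events are constructed, the two CSV lookups are omitted because their contents are not on this page, and the field names come straight from the FORMAT lines.

```python
import re

# Stage 1 (transforms.conf [websense_dlp_system_cef_extract_field_0]):
# syslog header, CEF version, seven pipe-delimited header fields, extension.
# CEF_HEADER_DEFAULT is the add-on regex quoted in the thread; CEF_HEADER_FIXED
# adds the \s* after "CEF:" so a space before the version digit is tolerated.
_CEF_TAIL = (
    r"(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|"
    r"(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$"
)
CEF_HEADER_DEFAULT = re.compile(r"(.+)\s+CEF:(\d+)" + _CEF_TAIL)
CEF_HEADER_FIXED = re.compile(r"(.+)\s+CEF:\s*(\d+)" + _CEF_TAIL)

# Field names from the FORMAT line, in capture-group order ($1..$9).
HEADER_FIELDS = (
    "syslog_header", "cef_version", "cef_dvc_vendor", "cef_dvc_product",
    "cef_dvc_version", "cef_event_signature_id", "cef_product_log_category",
    "cef_event_severity_id", "cef_extension",
)

# Stage 2 ([websense_dlp_system_cef_extract_field_1], SOURCE_KEY = cef_extension):
# key=value pairs; a key may contain an escaped pipe, a value an escaped "=".
CEF_EXTENSION_KV = re.compile(r"((?:[^\s\|]|(?<=\\)\|)+)=((?:\\\=|[^=])*)(?:\s+|$)")


def parse_cef(event, header_re=CEF_HEADER_FIXED):
    """Apply the REPORT, FIELDALIAS and EVAL stanzas of the thread's props.conf
    to one raw event and return the resulting field dict (lookups omitted)."""
    fields = {}
    m = header_re.match(event)
    if m is not None:                                   # REPORT-2_extract_field
        fields.update(zip(HEADER_FIELDS, m.groups()))
        fields.update(CEF_EXTENSION_KV.findall(fields["cef_extension"]))
    # FIELDALIAS-* stanzas: an alias exists only if its source field was extracted.
    for src, alias in (("cef_event_severity_id", "vendor_severity"),
                       ("act", "vendor_action"),
                       ("cef_extension", "body"),
                       ("cef_event_signature_id", "id"),
                       ("cef_event_severity_id", "severity_id")):
        if src in fields:
            fields[alias] = fields[src]
    # EVAL-* stanzas: these run even when the REPORT matched nothing, which is
    # why "app" and "type" were the only fields the original poster saw.
    fields["app"] = "Websense DLP"
    fields["type"] = "alert" if "Blocked" in fields.get("act", "") else "unknown"
    if "cat" in fields and "sourceServiceName" in fields:   # null + str is null in Splunk
        fields["subject"] = ("Websense DLP alert. Policy:" + fields["cat"]
                             + " SourceServiceName:" + fields["sourceServiceName"])
    return fields


# Constructed sample events (not real Forcepoint output): the first has the
# space after "CEF:" that defeats the default regex, the second does not, and
# the third carries an escaped pipe inside a header field to exercise (?<!\\).
EVENT_WITH_SPACE = (
    "2021-08-16T12:11:47.000 fp-dlp.local CEF: 0|Forcepoint|Forcepoint DLP|8.6.0|100|"
    "Policy violation|7|act=Blocked cat=PCI sourceServiceName=HTTP suser=jdoe msg=Card number detected"
)
EVENT_NO_SPACE = EVENT_WITH_SPACE.replace("CEF: 0", "CEF:0")
EVENT_ESCAPED_PIPE = EVENT_NO_SPACE.replace("Forcepoint DLP", r"Forcepoint\|DLP")


if __name__ == "__main__":
    for name, ev in (("with space", EVENT_WITH_SPACE), ("no space", EVENT_NO_SPACE)):
        print(name, "default regex ->", sorted(parse_cef(ev, CEF_HEADER_DEFAULT)))
        print(name, "fixed regex   ->", sorted(parse_cef(ev)))
```

Two practical notes. REPORT-, FIELDALIAS-, EVAL- and LOOKUP- settings are all search-time, so the copy that matters for this problem is the one on the search head (the heavy forwarder only needs the sourcetype assignment and line-breaking settings for the input). And because the stanza sets KV_MODE = none, Splunk does no automatic key=value extraction for this sourcetype: if the header regex fails, nothing else will populate act, cat or severity, which is exactly the all-or-nothing behaviour the script reproduces.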

element1314
New Member

Any comment?

0 Karma