All Apps and Add-ons

Props.conf & transforms.conf not working

element1314
New Member

I have successfully ingest the DLP log via UDP-514.
But it cannot pursing correctly. I guess it is configuration problem on props.conf and transforms.conf.
I am using Forcepoint DLP 8.6.0.

0 Karma

Kawtar
Path Finder

Hello
You should copy props.conf and transforms.conf under default and put it in local then restar the instance,
otherwise you can put this here .

try this.

0 Karma

apcsplunk
Explorer

Can you please elaborate more. Like where is the app/add-on pushed, reference link to the add-on, sample data ingested etc..
This will help in troubleshooting better.
Also please note that even though the the udp reception is at a heavy forwarder, it is recommended to push the add-on/app in heavy forwarder as well as search heads
cheers -

element1314
New Member

The add-on is installed on search head, indexers and heavy forwarder.
I have set up the data input at a heavy forwarder servers.
The props.conf and transforms.conf is copied from "default" folder to "local" folder.
I find that below 2 statement at props.conf is working but the other do not.
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")

props.conf
[websense:dlp:system:cef]
KV_MODE = none
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
REPORT-2_extract_field = websense_dlp_system_cef_extract_field_0, websense_dlp_system_cef_extract_field_1
FIELDALIAS-3_alias_fields = cef_event_severity_id as vendor_severity
FIELDALIAS-4_alias_fields = act as vendor_action
FIELDALIAS-body = cef_extension as body
FIELDALIAS-id = cef_event_signature_id as id
FIELDALIAS-severity_id = cef_event_severity_id as severity_id
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")
EVAL-subject = "Websense DLP alert. Policy:" + cat + " SourceServiceName:" + sourceServiceName
LOOKUP-5_look_up_extract = websense_dlp_actions_lookup vendor_action OUTPUT action
LOOKUP-6_look_up_extract = websense_dlp_severity_lookup vendor_severity OUTPUT severity

Transform.conf
[websense_dlp_system_cef_extract_field_0]
REGEX = (.+)\s+CEF:(\d+)(?

0 Karma

element1314
New Member
REGEX = (.+)\s+CEF:(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$
FORMAT = syslog_header::$1 cef_version::$2 cef_dvc_vendor::$3 cef_dvc_product::$4 cef_dvc_version::$5 cef_event_signature_id::$6 cef_product_log_category::$7 cef_event_severity_id::$8 cef_extension::$9

[websense_dlp_system_cef_extract_field_1]
REGEX = ((?:[^\s\|]|(?<=\\)\|)+)=((?:\\\=|[^=])*)(?:\s+|$)
SOURCE_KEY = cef_extension
FORMAT = $1::$2

[websense_dlp_actions_lookup]
filename = websense_dlp_actions.csv

[websense_dlp_severity_lookup]
filename = websense_dlp_severity.csv
default_match = unknown
min_matches = 1
0 Karma

ipoluda
Explorer

I was also confused why the Add-on is not working, but the reason lies in just one space))
Namely, in the REGEX line.
If you look at the incoming events, you can notice that there is a space between "CEF:" and its value ("0" in my case). That space is not counted in the default regular expression:

2021-08-16T12:11:47.000 fp-dlp.local CEF: 0|Forcepoint|Force....


So just replace the default REGEX line with this one: 

(.+)\s+CEF:\s*(\d+)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+?)(?<!\\)\|(.+)$

P.S. \s* means zero or unlimited spaces, so even if there is no space in some cases, the regex will still work correctly

Tags (1)
0 Karma

element1314
New Member

Any comment?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...