Pulse Secure logs not matching any samples

Path Finder

I was wondering if anyone else has seen this.

I had the Pulse Sec admin send some logs to my syslog-ng server. I'm showing an example of the log below:

Mar 16 08:45:49 10.51.56.4 1 2020-03-16T13:45:49Z 192.168.2.1 PulseSecure: - - - 2020-03-16 13:45:49 - OmmitedName - [127.0.0.1] System()[] - ..Ommmted...

My logs are coming in with "PulseSecure: - - - 2020-03-16 13:45:49", which doesn't match any of the sample logs inside the TA. However, it appears to be expected, since the TA is looking for "TIME_PREFIX = PulseSecure:\s-\s-\s-\s". Something is still not correct, as evidenced by this extract not working properly:

EXTRACT-priority = ^\d+\s\<(?<priority>\d+)
EXTRACT-header = ^(?P<header>\d+)

Obviously I could recreate these extractions, but I'm still trying to figure out what is happening incorrectly.


New Member

Hi, I appreciate this is some time after the fact, but I had the same challenge today. Looking carefully through the app, there are few extractions taking place, which is disappointing. I have put together a simple REGEX that will cover all the fields:


^(?:[^ \n]* ){4}(?P<user>\w+)[^ \n]* (?P<application>[^ ]+)\s+(?P<application_subprocess>[^ ]+)\s+(?P<pulse_pid>[^ ]+)\s+(?P<pulse_pid_alt>\w+)\s+(?P<process_detail>[^ ]+)(?:[^ \n]* ){2}(?P<message>.+)

  • Simply create a new field extraction with the Pulse:connectSecure app using Splunk Web
  • Change the permissions to allow it to be read globally as an inline search
  • If necessary, refresh/debug your session or, worst case, restart Splunk
  • Your extractions should be available.
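Before creating a field extraction in Splunk Web, it is worth running the regexes against the raw line offline to see what each one actually binds to. The script below is an added example, not code from the thread or from the Pulse Connect Secure TA: it applies the two TA extractions quoted in the question (with PCRE's `(?<name>...)` rewritten as Python's `(?P<name>...)`, which matches identically here) and the regex from the answer to three lines. The first is the question's sample line verbatim, elisions included. The other two are constructed, not taken from the page: a line with an octet count and `<PRI>` in front of the RFC 5424 header, which is the shape the TA's `^\d+\s\<(?<priority>\d+)` and `^(?P<header>\d+)` regexes appear to expect (the values `171` and `<14>` are assumptions), and a BSD-header line followed directly by the Pulse Secure body, which is one shape the answer's regex does accept. Neither the TA regexes nor the answer's regex match the question's line as posted, because syslog-ng re-emitted it with a `Mar 16 08:45:49 10.51.56.4` prefix and no leading count or `<PRI>`.

```python
import re

# Sample line exactly as posted in the question; elided parts are kept as-is.
QUESTION_LINE = (
    "Mar 16 08:45:49 10.51.56.4 1 2020-03-16T13:45:49Z 192.168.2.1 "
    "PulseSecure: - - - 2020-03-16 13:45:49 - OmmitedName - [127.0.0.1] "
    "System()[] - ..Ommmted..."
)

# Constructed line (not from the page): the same event with an octet count and
# <PRI> ahead of the RFC 5424 header, the shape the TA's regexes look for.
# The count "171" and priority "<14>" are assumed values for illustration.
FRAMED_LINE = (
    "171 <14>1 2020-03-16T13:45:49Z 192.168.2.1 PulseSecure: - - - "
    "2020-03-16 13:45:49 - OmmitedName - [127.0.0.1] System()[] - ..Ommmted..."
)

# Constructed line (not from the page): BSD syslog header followed directly by
# the Pulse Secure body, one shape that the answer's regex does accept.
BSD_BODY_LINE = (
    "Mar 16 08:45:49 10.51.56.4 PulseSecure: 2020-03-16 13:45:49 - "
    "OmmitedName - [127.0.0.1] System()[] - ..Ommmted..."
)

# The TA extractions quoted in the question, with PCRE's (?<name>...) rewritten
# as Python's (?P<name>...); the matching behaviour is the same for these.
TA_EXTRACTIONS = {
    "priority": re.compile(r"^\d+\s\<(?P<priority>\d+)"),
    "header": re.compile(r"^(?P<header>\d+)"),
}

# The answer's regex, verbatim (it already uses (?P<name>...)).
ANSWER_EXTRACTIONS = {
    "answer": re.compile(
        r"^(?:[^ \n]* ){4}(?P<user>\w+)[^ \n]* (?P<application>[^ ]+)\s+"
        r"(?P<application_subprocess>[^ ]+)\s+(?P<pulse_pid>[^ ]+)\s+"
        r"(?P<pulse_pid_alt>\w+)\s+(?P<process_detail>[^ ]+)(?:[^ \n]* ){2}"
        r"(?P<message>.+)"
    ),
}


def run_extractions(line, extractions):
    """Apply each EXTRACT-style regex to one raw event and collect the named
    groups that bound, roughly as a Splunk search-time extraction would
    (first match per regex, unmatched regexes contribute nothing)."""
    fields = {}
    for rx in extractions.values():
        m = rx.search(line)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def ta_fields(line):
    """Fields the TA's priority/header extractions produce for `line`."""
    return run_extractions(line, TA_EXTRACTIONS)


def answer_fields(line):
    """Fields the answer's single regex produces for `line`."""
    return run_extractions(line, ANSWER_EXTRACTIONS)


if __name__ == "__main__":
    for label, line in (("question", QUESTION_LINE),
                        ("framed", FRAMED_LINE),
                        ("bsd_body", BSD_BODY_LINE)):
        print(f"{label:9} TA:     {ta_fields(line)}")
        print(f"{label:9} answer: {answer_fields(line)}")
```

On the question's line both `ta_fields` and `answer_fields` return an empty dict: the TA regexes need the event to start with digits and `<PRI>`, and the answer's regex reaches `(?P<pulse_pid_alt>\w+)` on a bare `-` and fails. On the framed line the TA extractions yield `priority=14` and `header=171`, and on the BSD-body line the answer's regex binds `user=PulseSecure`, `pulse_pid_alt=OmmitedName` and `message=System()[] - ..Ommmted...`, which shows how positionally the groups are assigned. Whatever regex you settle on, checking it this way against a handful of your own raw events first avoids creating an inline extraction (stored as an `EXTRACT-<name>` in props.conf) that silently matches nothing.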