Hello to the community!
I am trying to alter the indexed value of a Sophos UTM logs in order to get mapped to CIM (https://docs.splunk.com/Documentation/CIM/4.11.0/User/NetworkTraffic).
Sophos UTM uses "accept" and "drop" and I want to change them respectively to "allowed" and "blocked" in order to get mapped to correctly to allowed and blocked traffic of the CIM.
Below you may find a sample of those logs:
2018:07:13-16:18:31 sophosutm-1 ulogd[6773]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="123" initf="eth1" outitf="eth2.665" srcmac="ec:bd:1d:71:26:31" dstmac="00:1a:8c:f0:ae:61" srcip="52.112.128.78" dstip="10.28.4.21" proto="6" length="40" tos="0x00" prec="0x00" ttl="117" srcport="50609" dstport="5061" tcpflags="ACK"
2018:07:13-16:18:31 sophosutm-1 ulogd[6773]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="68" initf="eth0" outitf="eth1" srcmac="00:26:99:14:b7:bf" dstmac="00:1a:8c:f0:ae:60" srcip="10.25.10.10" dstip="8.8.8.8" proto="17" length="70" tos="0x00" prec="0x00" ttl="126" srcport="53257" dstport="53"
2018:07:13-17:00:49 sophosutm-1 ulogd[6773]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="65" initf="eth2.667" outitf="eth1" srcmac="60:57:18:ae:a3:8f" dstmac="00:1a:8c:f0:ae:62" srcip="10.28.1.222" dstip="13.107.24.5" proto="17" length="58" tos="0x00" prec="0x00" ttl="127" srcport="64549" dstport="53"
I have the following configuration on my indexer:
/opt/splunk/etc/system/local/props.conf
[source::udp:514]
TRANSFORMS-null = setnullSOPHOSUTM,setnull_connection_refused_logs
TRANSFORMS-overrideDrupalLogs = override_for_drupal_logs
TRANSFORMS-overrideESXiLogs = override_for_esxi_logs
# alter accept to allowed and drop to blocked for utm logs
# in order to get mapped to CIM
SEDCMD-accept-to-allowed = s/action\=\"accept\"/action=\"allowed\"/g
SEDCMD-drop-to-blocked = s/action\=\"drop\"/action=\"blocked\"/g
However the results are not indexed as instructed in SED command. Can you imagine where is the issue?
Thanks,
Andreas
You are doing it wrong. Do not change the original raw data; use the Splunk Add-on for Sophos
TA here to change it at search-time:
According to this page: https://docs.splunk.com/Documentation/AddOns/released/Sophos/ConfigureSophosEnterprise Splunk Add-on for Sophos is for Enterprise Console, not Sophos UTM.