Splunk TA for Password Manager Pro: I've set the sourcetype in the syslog input, but why are fields not being extracted?

alexlomas
Path Finder

I've set the sourcetype in the syslog input to be 'passman' - events are being ingested, but fields aren't being extracted. The tag of 'account' is being added though. Have I set the wrong type?

0 Karma

atellez_splunk
Splunk Employee

The TA uses sourcetype pipelines in order to "match" the event to three different types of logs: pmp_resource, pmp_login, pmp_notification. If the fields are failing to extract, the syslog output from your appliance might not match the regular expressions found in the TA. An easy way to test this is to copy some logs into a regex editor (regex101.com) and use the EXTRACT regexes to test that the regexes are valid against your logs.

Example for pmp_resource logs:

EXTRACT-passman=(?P<date>\d+\-\d+\-\d+\s\d+\:\d+\:\d+)\s(?P<facility>\w+\.\w+)\s(?P<program>\w+)\s(?P<otherdate>\w+\s\d+\s\d+\:\d+\:\d+)\s(?P<host>\w+)\s(?P<logged_in_username>\S+)\:(?P<src>\S+)\s(?P<operation_type>\S+)\s(?P<operated_time>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)\s(?P<status_of_operation>\w+)\s(?P<pmp_server_name>\S+)\s(?P<dest>\S+)\:(?P<user>\S+)\:(?P<reason>\S+)
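As an added example (not the TA's code and not from anyone in this thread), the same check in Python: the EXTRACT-passman stanza above is split into its fields, applied to two constructed events, and a helper names the first field whose pattern stops matching, which is what you would otherwise do by hand in regex101. Both events and all hostnames, usernames and IPs in them are made up.

```python
import re

# Field list transcribed from the TA's EXTRACT-passman stanza above
# (pmp_resource logs): (field name, pattern, separator that follows the field).
PASSMAN_FIELDS = [
    ("date", r"\d+\-\d+\-\d+\s\d+\:\d+\:\d+", r"\s"),
    ("facility", r"\w+\.\w+", r"\s"),
    ("program", r"\w+", r"\s"),
    ("otherdate", r"\w+\s\d+\s\d+\:\d+\:\d+", r"\s"),
    ("host", r"\w+", r"\s"),
    ("logged_in_username", r"\S+", r"\:"),
    ("src", r"\S+", r"\s"),
    ("operation_type", r"\S+", r"\s"),
    ("operated_time", r"\d+\/\d+\/\d+\s\d+\:\d+\:\d+", r"\s"),
    ("status_of_operation", r"\w+", r"\s"),
    ("pmp_server_name", r"\S+", r"\s"),
    ("dest", r"\S+", r"\:"),
    ("user", r"\S+", r"\:"),
    ("reason", r"\S+", ""),
]

# Constructed sample events, not real PMP output: the first carries the ISO-style
# leading timestamp the regex expects, the second a "Mar 2"-style date instead.
EVENT_OK = ("2023-01-15 10:22:33 local0.info PMP Jan 15 10:22:33 pmpserver "
            "admin:10.0.0.5 PASSWORD_RETRIEVED 01/15/2023 10:22:30 Success "
            "pmp01 db01:root:Maintenance")
EVENT_BAD = ("Mar 2 10:22:33 local0.info PMP Mar 2 10:22:33 pmpserver "
             "admin:10.0.0.5 PASSWORD_RETRIEVED 03/02/2023 10:22:30 Success "
             "pmp01 db01:root:Maintenance")

def build_regex(fields=PASSMAN_FIELDS):
    """Reassemble the EXTRACT regex; with all fields it equals the stanza above."""
    return "".join(f"(?P<{name}>{pat}){sep}" for name, pat, sep in fields)

def extract_passman(event):
    """Apply the regex as Splunk's EXTRACT does (unanchored search); None if no match."""
    m = re.search(build_regex(), event)
    return m.groupdict() if m else None

def first_failing_field(event):
    """Grow the regex one field at a time and name the first field that stops matching
    (None when everything matches). Heuristic: a short prefix can match where the full
    regex would not, but in practice it points straight at the offending field."""
    for i in range(1, len(PASSMAN_FIELDS) + 1):
        head, (name, pat, _) = PASSMAN_FIELDS[:i - 1], PASSMAN_FIELDS[i - 1]
        if not re.search(build_regex(head) + f"(?P<{name}>{pat})", event):
            return name
    return None
```

Feed your own raw events in place of the constructed ones; `first_failing_field` returning `date` for the second event is the mismatch the rest of this thread describes.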

alexlomas
Path Finder

Thanks - looks like the extracts in the TA no longer match what PMP is sending then.

0 Karma

knicholson0
Engager

Yes. I'm on PMP Version: 9.1.0 / Build Number: 9101 and the date format being sent to Syslog is not a valid ISO 8601 date, such as "2004-05", but rather "Mar 2" [sic]. So much for this statement from Manage Engine: "A RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol".

0 Karma