All Apps and Add-ons

TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy
Explorer

For me I found that the TA_pfsense searches for openVPN connections was not returning all the VPN user log entries..

I discovered that it works just fine with a username, however some of my usernames are their e-mail addresses so contain @-. which were not part of the REGEX..

here's my updated REGEX entry "transforms.conf" file:

[openvpn_auth_ok]
CLEAN_KEYS = 0
FORMAT = user::$1 src::$2 vendor_action::$3
REGEX = :\s+([\w\@\-\.]+)/([^:]+):\d+\s+(MULTI_sva)
0 Karma
1 Solution

FireESplunkGuy
Explorer

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)

View solution in original post

FireESplunkGuy
Explorer

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)

ppablo
Retired

Hi @FireESplunkGuy

Did you create this post to share the solution that worked for you, or did you actually have a question you needed help with? If you were just posting this out of the kindness of your heart, don't forget to actually post the official answer in the "Enter your answer here..." box at the bottom of this page and click "Accept" on the answer after it has been posted. That will show the post as actually resolved and can prove useful to other users when searching this site. Once you do that, I'll be sure to upvote it 😉 Thanks!

Patrick

0 Karma

jeffland
SplunkTrust
SplunkTrust

Pretty sure that as it is, the markup messed up your regex. Please format it as code.

0 Karma

FireESplunkGuy
Explorer

Sorry about that.. just pasting quickly... \w only matches on A-Za-z0-9, so misses the '@', '-', '.' which can be seen in e-mails..

0 Karma

jeffland
SplunkTrust
SplunkTrust

Thats better. Thanks for sharing 🙂

Now, from what I've seen usernames can usually contain any non-whitespace characters, so maybe \S is easier than giving a long, explicit list of allowed characters.

FireESplunkGuy
Explorer

Yup that's much better! 🙂

0 Karma

FireESplunkGuy
Explorer

BTW.. https://regex101.com is a great site to test out your REGEX

0 Karma

jeffland
SplunkTrust
SplunkTrust

That's what I always recommend as well.

0 Karma
Get Updates on the Splunk Community!

App Building 101 - Build Your First App!

WATCH RECORDING NOW   Tech Talk: App Dev Edition Splunk has tons of out-of-the-box functionality, and you’ve ...

Introducing support for Amazon Data Firehose in Splunk Edge Processor

We’re excited to announce a powerful update to Splunk Data Management with added support for Amazon Data ...

The Observability Round-Up: September 2024

What’s up Splunk Community! Welcome to the latest edition of the Observability Round-Up, a monthly series in ...