All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy
Explorer
‎07-13-2015 06:02 AM

For me I found that the TA_pfsense searches for openVPN connections was not returning all the VPN user log entries..

I discovered that it works just fine with a username, however some of my usernames are their e-mail addresses so contain @-. which were not part of the REGEX..

here's my updated REGEX entry "transforms.conf" file:

[openvpn_auth_ok]
CLEAN_KEYS = 0
FORMAT = user::$1 src::$2 vendor_action::$3
REGEX = :\s+([\w\@\-\.]+)/([^:]+):\d+\s+(MULTI_sva)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FireESplunkGuy
Explorer
‎07-14-2015 12:25 AM

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)

View solution in original post

Reply
Solved! Jump to solution
Solution

FireESplunkGuy
Explorer
‎07-14-2015 12:25 AM

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)
Reply
Solved! Jump to solution

ppablo
Retired
‎07-13-2015 05:07 PM

Hi @FireESplunkGuy

Did you create this post to share the solution that worked for you, or did you actually have a question you needed help with? If you were just posting this out of the kindness of your heart, don't forget to actually post the official answer in the "Enter your answer here..." box at the bottom of this page and click "Accept" on the answer after it has been posted. That will show the post as actually resolved and can prove useful to other users when searching this site. Once you do that, I'll be sure to upvote it 😉 Thanks!

Patrick

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 06:28 AM

Pretty sure that as it is, the markup messed up your regex. Please format it as code.

0 Karma
Reply
Solved! Jump to solution

FireESplunkGuy
Explorer
‎07-13-2015 06:36 AM

Sorry about that.. just pasting quickly... \w only matches on A-Za-z0-9, so misses the '@', '-', '.' which can be seen in e-mails..

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 06:59 AM

Thats better. Thanks for sharing 🙂

Now, from what I've seen usernames can usually contain any non-whitespace characters, so maybe \S is easier than giving a long, explicit list of allowed characters.

Reply
Solved! Jump to solution

FireESplunkGuy
Explorer
‎07-13-2015 07:17 AM

Yup that's much better! 🙂

0 Karma
Reply
Solved! Jump to solution

FireESplunkGuy
Explorer
‎07-13-2015 07:18 AM

BTW.. https://regex101.com is a great site to test out your REGEX

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 07:22 AM

That's what I always recommend as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

The Splunk Developer Program is launching in beta, and we’re celebrating with an exciting hackathon! This is ...
Top