All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy
Explorer
‎07-13-2015 06:02 AM

For me I found that the TA_pfsense searches for openVPN connections was not returning all the VPN user log entries..

I discovered that it works just fine with a username, however some of my usernames are their e-mail addresses so contain @-. which were not part of the REGEX..

here's my updated REGEX entry "transforms.conf" file:

[openvpn_auth_ok]
CLEAN_KEYS = 0
FORMAT = user::$1 src::$2 vendor_action::$3
REGEX = :\s+([\w\@\-\.]+)/([^:]+):\d+\s+(MULTI_sva)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FireESplunkGuy
Explorer
‎07-14-2015 12:25 AM

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)

View solution in original post

Reply
Solved! Jump to solution
Solution

FireESplunkGuy
Explorer
‎07-14-2015 12:25 AM

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)
Reply
Solved! Jump to solution

ppablo
Retired
‎07-13-2015 05:07 PM

Hi @FireESplunkGuy

Did you create this post to share the solution that worked for you, or did you actually have a question you needed help with? If you were just posting this out of the kindness of your heart, don't forget to actually post the official answer in the "Enter your answer here..." box at the bottom of this page and click "Accept" on the answer after it has been posted. That will show the post as actually resolved and can prove useful to other users when searching this site. Once you do that, I'll be sure to upvote it 😉 Thanks!

Patrick

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 06:28 AM

Pretty sure that as it is, the markup messed up your regex. Please format it as code.

0 Karma
Reply
Solved! Jump to solution

FireESplunkGuy
Explorer
‎07-13-2015 06:36 AM

Sorry about that.. just pasting quickly... \w only matches on A-Za-z0-9, so misses the '@', '-', '.' which can be seen in e-mails..

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 06:59 AM

Thats better. Thanks for sharing 🙂

Now, from what I've seen usernames can usually contain any non-whitespace characters, so maybe \S is easier than giving a long, explicit list of allowed characters.

Reply
Solved! Jump to solution

FireESplunkGuy
Explorer
‎07-13-2015 07:17 AM

Yup that's much better! 🙂

0 Karma
Reply
Solved! Jump to solution

FireESplunkGuy
Explorer
‎07-13-2015 07:18 AM

BTW.. https://regex101.com is a great site to test out your REGEX

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎07-13-2015 07:22 AM

That's what I always recommend as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...