All Apps and Add-ons

pfsense:syslog (openvpn) usernames not being extracted properly

bradp1234
Path Finder

The openVPN log extract for TA-pfsense version 1.1 was not working for my pfsense 2.1.5 which runs openvpn 2.3.3. The src ip and usernames are not being extracted properly.

Tags (1)
0 Karma
1 Solution

bradp1234
Path Finder

I was able to resolve this issue by modifying the transforms in the TA-pfsense app. The problem with the usernames was with the field transform pfsense_syslog_user_subject_04. It was not able to handle the '.' in the username format we use. The problem with the src ip was a missing space. Below are my regex changes.

openvpn: user \'(.*?)\' authenticated
openvpn.* (\d+\.\d+\.\d+\.\d+):(\d+)

View solution in original post

bradp1234
Path Finder

I was able to resolve this issue by modifying the transforms in the TA-pfsense app. The problem with the usernames was with the field transform pfsense_syslog_user_subject_04. It was not able to handle the '.' in the username format we use. The problem with the src ip was a missing space. Below are my regex changes.

openvpn: user \'(.*?)\' authenticated
openvpn.* (\d+\.\d+\.\d+\.\d+):(\d+)

my2ndhead
SplunkTrust
SplunkTrust

Will fix it in a future release...

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...