"trendmicro" stanza typo in props.conf EVAL-severity expression

morganfw
Path Finder

Hi,
I've installed TA-trendmicro_cm_cef (Control Manager) v1.0.2 and splunkd.log reported the following warning message:

WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ).

I analyzed it and found a typo in the TA's default/props.conf EVAL-severity expression: the word Information was not quoted correctly.

EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")

I created a workaround in local/props.conf and pasted the corrected string for the above eval expression:

[trendmicro]
KV_MODE = none
REPORT-trendmicro_cef = trendmicro_cef
REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys
EVAL-date = date_month+" "+date_mday+" "+date_year
EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred")
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail)
EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser)
EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst)
EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
FIELDALIAS-file_name = fname AS file_name
FIELDALIAS-file_path = filePath AS file_path
EVAL-product = "TrendMicro"
FIELDALIAS-product_version = VLF_PatternNumber AS product_version
EXTRACT-act = act=(?P<act>.+?) [\w\d]+=
EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+=
EXTRACT-fname = fname=(?P<fname>.+?)\s\w+=
EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+=
EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+=
FIELDALIAS-dest = dhost AS dest
FIELDALIAS-dest1 = shost AS dest

Is it possible to fix the typo in the next TA release?
Regards

0 Karma
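The warning above only shows up in splunkd.log after the TA is deployed and an event hits the stanza. The following is an added example, not code from the TA or from the poster: a small Python linter that parses a props.conf and flags EVAL- expressions with an unterminated string literal or unbalanced parentheses, which is exactly the class of defect in the thread. The two .conf texts are constructed copies of the broken default stanza and the corrected local override; the function names and file labels are assumptions.

```python
"""Lint EVAL- expressions in a Splunk props.conf for unbalanced quotes/parentheses.

Added example, not part of TA-trendmicro_cm_cef or the original post.
"""
import configparser  # Splunk .conf files are INI-like; RawConfigParser keeps values verbatim
from typing import List, Tuple

# Constructed sample: the broken default/props.conf from the post (the closing quote
# after Information is missing) and the corrected local/props.conf override.
BROKEN_PROPS = '''
[trendmicro]
KV_MODE = none
EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")
EVAL-product = "TrendMicro"
'''

FIXED_PROPS = '''
[trendmicro]
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
'''


def check_eval_expression(expr: str) -> List[str]:
    """Return the problems found in one eval expression (empty list if none).

    Walks the expression character by character, tracking whether we are inside a
    double-quoted string literal (eval allows backslash escapes inside quotes) and
    the parenthesis depth outside of literals.
    """
    problems: List[str] = []
    in_string = False
    escaped = False
    depth = 0
    for ch in expr:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("unexpected ')'")
                depth = 0
    if in_string:
        problems.append("unterminated string literal")  # the defect in the thread
    if depth > 0:
        problems.append(f"missing {depth} closing parenthesis(es)")
    return problems


def lint_props(text: str) -> List[Tuple[str, str, str]]:
    """Parse props.conf text and lint every EVAL-* key; returns (stanza, key, problem) tuples."""
    # Only '=' separates key and value; eval expressions may legitimately contain ':'
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case: EVAL-severity, not eval-severity
    parser.read_string(text)
    findings: List[Tuple[str, str, str]] = []
    for stanza in parser.sections():
        for key, value in parser.items(stanza):
            if not key.startswith("EVAL-"):
                continue
            for problem in check_eval_expression(value):
                findings.append((stanza, key, problem))
    return findings


if __name__ == "__main__":
    for label, text in (("default/props.conf", BROKEN_PROPS), ("local/props.conf", FIXED_PROPS)):
        findings = lint_props(text)
        if not findings:
            print(f"{label}: all EVAL- expressions balanced")
        for stanza, key, problem in findings:
            print(f"{label} [{stanza}] {key}: {problem}")
```

Point lint_props() at the real file under $SPLUNK_HOME/etc/apps/TA-trendmicro_cm_cef/default/props.conf before restarting, and after adding the local override run `splunk btool props list trendmicro --debug` to confirm that the EVAL-severity value now comes from local/props.conf rather than default.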
1 Solution

inmanr
Engager

I'm also noticing a problem in the props.conf with how the dest attribute is assigned, which is needed to properly populate hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost, which is null. I added the following to local/props.conf, which appears to have resolved it, and left default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks.

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)


0 Karma
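One caveat worth checking before relying on the EVAL-dest override above: Splunk's case() returns null when none of its conditions match, so an event that carries both shost and dhost (or neither) ends up with no dest at all. The following is an added example, not code from the TA or from the answer: it parses a few constructed CEF-style Trend Micro events, mirrors the case() expression in Python, and also evaluates an assumed coalesce-style variant that prefers dhost and falls back to shost. The events, regex and function names are assumptions made for the example.

```python
"""Model the eval case() semantics behind the EVAL-dest override.

Added example, not part of TA-trendmicro_cm_cef or the answer it follows.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events: dhost only, shost only, both, neither.
SAMPLE_EVENTS = [
    'CEF:0|Trend Micro|Control Manager|7.0|WB:36|Web Reputation|3|dhost=ws-101 dst=10.0.0.5 act=Block',
    'CEF:0|Trend Micro|Control Manager|7.0|AV:100|Virus Detected|4|shost=srv-02 src=10.0.0.9 act=File cleaned',
    'CEF:0|Trend Micro|Control Manager|7.0|AV:100|Virus Detected|4|shost=srv-02 dhost=ws-101 act=File cleaned',
    'CEF:0|Trend Micro|Control Manager|7.0|CM:1|Heartbeat|1|act=No action',
]

# Extension pairs: key=value up to the next " key=" or end of line,
# the same idea as the EXTRACT-* regexes in the [trendmicro] stanza.
_KV = re.compile(r'(\w+)=(.+?)(?=\s\w+=|$)')


def parse_extensions(event: str) -> Dict[str, str]:
    """Return the CEF extension key/value pairs that follow the seventh pipe."""
    extension = event.split('|', 7)[7]
    return dict(_KV.findall(extension))


def eval_dest(fields: Dict[str, str]) -> Optional[str]:
    """Python mirror of:
    EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
    """
    shost, dhost = fields.get('shost'), fields.get('dhost')
    if shost is not None and dhost is None:
        return shost
    if shost is None and dhost is not None:
        return dhost
    return None  # no branch matched: case() yields null, so dest is absent


def eval_dest_coalesce(fields: Dict[str, str]) -> Optional[str]:
    """Assumed variant (not from the TA): prefer dhost, fall back to shost, so
    an event carrying both still gets a dest."""
    return fields.get('dhost') or fields.get('shost')


def dest_for_events(events: List[str]) -> List[Optional[str]]:
    """Evaluate the case() model over a list of raw events."""
    return [eval_dest(parse_extensions(e)) for e in events]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        fields = parse_extensions(event)
        print(f"case(): {eval_dest(fields)!r:10} coalesce: {eval_dest_coalesce(fields)!r}")
```

If your Control Manager feed ever emits both shost and dhost on one event, compare the two columns printed above and decide which host should populate dest for the Malware Data Model; the case() form leaves it empty.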

nhdpotter
Explorer

Hi. Thank you for the bug fix. For now I will update the app description to include the fix.

For a future release I can correct this.

Do you happen to have any sample logs you could share with me? I developed the app with very minimal samples and would like to expand the add-on if possible, but I don't have access to a Trend CM server.
