Alerting

Alert on Local Linux Firewall Starting/Stopping - Advice For Report/Alert Output

SplunkLunk
Path Finder

Good morning,

I have a query that looks for when a local firewall on my Linux systems is stopped or started. The query looks like:

index=* host=* source=/var/log/messages "starting IPv4 firewall" OR "Stopping IPv4 firewall"

It works great and it catches what I'm looking for. The process used is systemd and the output is "Starting IPv4 firewall with iptables...". However, the output isn't in a specific field that I can drop in a table like I can with a Windows host. Ideally I'd like to include the text Starting IPv4 . . . (or Stopping) in a table with a column heading "Status" along with the time, host name, etc. Should I use the field extractor for the text, or since the text is always static, try to build that into a table somehow? Time and host name are no problem as far as a table. Any advice on the best way to present this in a table would be appreciated. Thanks.

0 Karma
1 Solution

niketn
Legend

You can use the searchmatch function meanwhile to build a table with your eval field.

index=* host=* source=/var/log/messages "starting IPv4 firewall" OR "Stopping IPv4 firewall"
| eval FirewallStatus=if(searchmatch("starting IPv4 firewall"),"Starting","Stopping")
| table _time, host, FirewallStatus

Creating a field extraction just for identifying Status, where such Starting/Stopping events might be of very insignificant volume compared to all the other events for the same sourcetype, might not improve any performance. Since this seems to be a standard log, can you see if you have a message field available on all events and whether they all can be extracted as a Message field? Then you can later use eval and other transforming/extracting commands on the Message field itself.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma


SplunkLunk
Path Finder

Thanks. That works great! Appreciated!

0 Karma

SplunkLunk
Path Finder

Is there another function that can be used to search multiple values? For example, our RHEL6 and RHEL7 systems display different messages if the firewall is stopped/started. So now I want to search for "iptables has been started" OR "starting IPv4 firewall" OR "Stopping IPv4 firewall" OR "iptables has been stopped". I want to return a status of "Starting" if either of the first two search results come back and "Stopping" if either of the second two search results come back. Since if only accepts TRUE/FALSE, it doesn't appear I can add more than two search terms. I tried the following and got the message about only handling boolean values:

index=* host=* source=/var/log/messages "Starting IPv4 firewall" OR "Stopping IPv4 firewall" OR "iptables has been started" OR "iptables has been stopped"
|eval FirewallStatus=if(searchmatch("Starting IPv4 firewall" OR "iptables has been started"),"Firewall Started","Firewall Stopped")
|sort -_time
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(_time) AS Time
|Rename host AS Host, FirewallStatus AS "Firewall Status"
|table Time, Host, "Firewall Status"

Any help would be appreciated. Thanks.

0 Karma
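As an added example (not part of this thread), the searchmatch approach from the accepted answer carried over to the multi-message case raised in the follow-up: searchmatch() takes a single search string and returns a boolean, so the way to match several message variants is to call it once per variant and combine the results with OR, here inside case() so that an unrecognised line is labelled rather than silently counted as a stop. The index, host and message strings are the ones from the thread; the "Unknown" branch is an assumption added for safety.

```spl
index=* host=* source=/var/log/messages
    ("Starting IPv4 firewall" OR "Stopping IPv4 firewall" OR "iptables has been started" OR "iptables has been stopped")
| eval FirewallStatus=case(
      searchmatch("Starting IPv4 firewall") OR searchmatch("iptables has been started"), "Firewall Started",
      searchmatch("Stopping IPv4 firewall") OR searchmatch("iptables has been stopped"), "Firewall Stopped",
      true(), "Unknown")
| sort -_time
| convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(_time) AS Time
| rename host AS Host, FirewallStatus AS "Firewall Status"
| table Time, Host, "Firewall Status"
```

For the alerting use case, adding `| where FirewallStatus="Firewall Stopped"` before the table restricts the saved search to the stop events, which are the ones that deserve an alert.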