
My multi-line regex won't work after saving it for field extractions in an HPUX audit log

Communicator

Hello,

This is my regex, it works well using the rex command on the search bar of my app like this:

index=hpux tag=audit "bin/rm" | rex "(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n(?:^.*\n)+^Return1:\s+(?P<status>[\S]+)\n(?:^.*\n)+^\s+given path = \"(?P<command>[\S]+)\"\n(?:^.*\n)+^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\""

This is my sample event:

Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
Groups:                 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges:           "BASIC"
Permitted privileges:           "BASIC"
Retained privileges:            "BASIC"
Audit tag:              0:         0:(system):      (boot)
TTY:                    (none)
Return1:                0
Arg 1 (file info):                      
                    given path = "/usr/bin/rm"
                    inode = 204
                    device = 64, 0x7
                    mode = 0100555
                    owner uid/gid = 2/2
                    type = regular file
Arg 2 (argument list):                  
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):                      
                    inode = -1
--------------------------------------------------------------------

So,
pid=9368
ppid=9361
user=root
group=sys
status=0
command=/usr/bin/rm
file=/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old

But when I paste it in a Field Extraction GUI, the preview works, then I save it under my app with Global permissions but my searches won't extract any of the fields.

Am I missing something? This usually works out of the box.

I'm running Splunk 6.4.1.
Thanks for any help.


Motivator

Try this please as I was able to extract it with this regex and all the fields showed up after extraction:

(?s)PID:\s+(?<pid>[^\D]+).*PPID:\s+(?<ppid>[^\D]+).*User\/Grp:\s+\S+\((?<user>[^\/]+)\/(?<group>[^\)]+)\).*Return1:\s+(?<status>[^\D]+).*given\s+?path\s+?=\s+?\"(?<command>[^\s\"]+).*arg\s+?\#\d\s+?=\s+?\"(?<file>[^\s\"]+).*

If it works, please accept the answer and up vote. Thanks!

Communicator

Thanks for your help, but I have decided to take another option since this type of log mutates a lot.

I decided to just keep the header part in one Field Extraction:

(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n

And then make several other Field Extractions for the rest of the commands:

^Return1:\s+(?P<status>[\S]+)\n

^\s+given path = \"(?P<command>[\S]+)\"\n

^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\"

Now the next problem I have is that I can have any number of "arg #N" and it would be nice to capture all of them dynamically.

Any HP-UX audit log experts out there? 🙂

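A Python prototype of the split-extraction approach from the last post, which also answers the open question about collecting every "arg #N" line: this is an added example, not code from the thread or from Splunk, and the sample event is abridged from the record quoted in the question.

```python
import re

# Sample event, abridged from the HP-UX audit record quoted in the question.
SAMPLE_EVENT = """\
Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
Groups:                 3(sys), 0(root), 1(other), 2(bin)
TTY:                    (none)
Return1:                0
Arg 1 (file info):
                    given path = "/usr/bin/rm"
                    inode = 204
Arg 2 (argument list):
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):
                    inode = -1
"""

# Header block: the three fixed lines the thread keeps in one extraction.
HEADER_RE = re.compile(
    r"^PID:\s+(?P<pid>\d+)\n"
    r"^PPID:\s+(?P<ppid>\d+)\n"
    r"^User/Grp:\s+\S+\((?P<user>[^/]+)/(?P<group>[^)]+)\)$",
    re.MULTILINE,
)
# The remaining fields are matched independently so the layout between them may vary.
STATUS_RE = re.compile(r"^Return1:\s+(?P<status>\S+)$", re.MULTILINE)
COMMAND_RE = re.compile(r'^[ \t]+given path = "(?P<command>[^"]+)"$', re.MULTILINE)
ARG_RE = re.compile(r'^[ \t]+arg #(?P<n>\d+) = "(?P<value>[^"]*)"$', re.MULTILINE)


def parse_audit_event(event: str) -> dict:
    """Return pid, ppid, user, group, status, command, every arg #N and the last arg as 'file'."""
    m = HEADER_RE.search(event)
    if m is None:
        raise ValueError("PID/PPID/User-Grp header not found")
    fields = m.groupdict()
    s = STATUS_RE.search(event)
    fields["status"] = s.group("status") if s else None
    c = COMMAND_RE.search(event)
    fields["command"] = c.group("command") if c else None
    # Collect arg #1..N in order, however many the record contains.
    fields["args"] = [a.group("value") for a in ARG_RE.finditer(event)]
    fields["file"] = fields["args"][-1] if fields["args"] else None
    return fields
```

Inside Splunk the same repeated capture is available at search time with `rex max_match=0`, which returns every match of a named group as a multivalue field.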