I'm trying to get vulnerability data from a Nessus 4 nbe file. Here is my inputs.conf entry:
[monitor:///usr/share/ossim/www/vulnmeter/tmp/*.out] crcSalt = <SOURCE> disabled = false index = default sourcetype = nessus host_regex = .*?\|.*?|(.*?)\|
The output of the file looks like:
timestamps||192.168.250.84|host_start|Thu Dec 9 15:27:16 2010| results|192.168.250|192.168.250.78|snmp (161/udp)|10800|Security Note|\nSynopsis :\n\nThe System Information of the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the system information about the remote\nhost by sending SNMP requests with the OID 126.96.36.199.188.8.131.52.\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution :\n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nSystem information :\n sysDescr : Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)\r\nTechnical Support: http://www.cisco.com/techsupport\r\nCopyright (c) 1986-2010 by Cisco Systems, Inc.\r\nCompiled Wed 21-Apr-10 05:33 by prod_rel_team\n sysObjectID : 184.108.40.206.220.127.116.11.564\n sysUptime : 19d 4h 38m 12s\n sysContact : email@example.com\n sysName : TrainSwA.jambajuice.com\n sysLocation : SupportCenter\n sysServices : 6\n\n
I've run searches and used the | regex =_raw=".?\|.?|(.*?)\|" and it captures events.
I've also tried the following regex:
(?i)^results|timestamp\|.*\|(.*)\|`enter code here`
When I use any of these the host field is always the machine that processed the config file.
What am I doing wrong?
The host_regex parameter in the [monitor] stanza of inputs.conf works on the filename-- not the event data itself. Check out http://www.splunk.com/base/Documentation/4.2.2/Data/Setadefaulthostforaninput
[Add host_regex = <regular expression> to override the host field with a value extracted using a regular expression. [monitor://<path>] host_regex = $YOUR_REGEX The regular expression extracts the host value from the filename of each input. The first capturing group of the regex is used as the host. Note: If the regex fails to match, the default host = attribute is set as the host.]
You will need to use the field override approach described by hulahoop.
Your RegEx will match multiple times in the sample data -- probably why it isn't working. You should add a leading ^ to force the RegEx to match only from the beginning of the line.
I would write the RegEx like this:
This RegEx will match 192.168.250.84 as the host.
Not sure why host_regex is not working. Have you tried configuring it as an index-time field override?
[nessus] TRANSFORMS-nessus = setHost
[setHost] DEST_KEY = MetaData:Host REGEX = .?\|.?|(.*?)\| FORMAT = host::$1
You will need to restart Splunk for this to take effect and it will only apply to new incoming events, not retroactively.