
host_regex isn't working...


I'm trying to get vulnerability data from a Nessus 4 nbe file. Here is my inputs.conf entry:

[monitor:///usr/share/ossim/www/vulnmeter/tmp/*.out]
crcSalt = <SOURCE>
disabled = false
index = default
sourcetype = nessus
host_regex = .*?\|.*?|(.*?)\|

The output of the file looks like:

timestamps||192.168.250.84|host_start|Thu Dec  9 15:27:16 2010|

results|192.168.250|192.168.250.78|snmp (161/udp)|10800|Security Note|\nSynopsis :\n\nThe System Information of the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the system information about the remote\nhost by sending SNMP requests with the OID 1.3.6.1.2.1.1.1.\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution :\n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nSystem information :\n sysDescr     : Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)\r\nTechnical Support: http://www.cisco.com/techsupport\r\nCopyright (c) 1986-2010 by Cisco Systems, Inc.\r\nCompiled Wed 21-Apr-10 05:33 by prod_rel_team\n sysObjectID  : 1.3.6.1.4.1.9.1.564\n sysUptime    : 19d 4h 38m 12s\n sysContact   : itechsupport@jambajuice.com\n sysName      : TrainSwA.jambajuice.com\n sysLocation  : SupportCenter\n sysServices  : 6\n\n

I've run searches and used the | regex =_raw=".?\|.?|(.*?)\|" and it captures events.

I've also tried the following regex:

(?i)^results|timestamp\|.*\|(.*)\|

When I use any of these the host field is always the machine that processed the config file.

What am I doing wrong?

Thx.

Craig


Splunk Employee

The host_regex parameter in the [monitor] stanza of inputs.conf works on the filename -- not the event data itself. Check out http://www.splunk.com/base/Documentation/4.2.2/Data/Setadefaulthostforaninput

Excerpt:

Add host_regex = <regular expression> to override the host field with a value extracted using a regular expression.

[monitor://<path>]
host_regex = $YOUR_REGEX

The regular expression extracts the host value from the filename of each input. The first capturing group of the regex is used as the host.

Note: If the regex fails to match, the default host = attribute is set as the host.

You will need to use the field override approach described by hulahoop.

Splunk Employee

Your RegEx will match multiple times in the sample data -- probably why it isn't working. You should add a leading ^ to force the RegEx to match only from the beginning of the line.

I would write the RegEx like this:

^[^|]*?\|[^|]*?\|([^|]*)?\|

This RegEx will match 192.168.250.84 as the host.

Splunk Employee

Not sure why host_regex is not working. Have you tried configuring it as an index-time field override?

props.conf:

[nessus]
TRANSFORMS-nessus = setHost

transforms.conf:

[setHost]
DEST_KEY = MetaData:Host
# Anchored to the start of the event and with the delimiters escaped; an
# unescaped "|" in the middle of the pattern is an alternation, which leaves
# the capture group empty.
REGEX = ^[^|]*?\|[^|]*?\|([^|]*)?\|
FORMAT = host::$1

You will need to restart Splunk for this to take effect and it will only apply to new incoming events, not retroactively.
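The following script is an added illustration and is not code from this thread or from Splunk. It runs the regex from the question and the anchored regex from the second answer over two constructed NBE records (the "results" text field is shortened) and over an assumed monitored filename, `/usr/share/ossim/www/vulnmeter/tmp/scan.out`, to show three things the answers above state: the original pattern's unescaped `|` is an alternation that leaves the capture group empty, the anchored pattern extracts the third field from both record types, and no event-data regex can match when host_regex is applied to the filename. A small field splitter for the NBE record types shown in the question is included so the extracted host can be checked against the record's own host column.

```python
import re

# Constructed sample records in the layout shown in the question.
# The "results" record's free-text field is shortened here.
SAMPLE_LINES = [
    "timestamps||192.168.250.84|host_start|Thu Dec  9 15:27:16 2010|",
    "results|192.168.250|192.168.250.78|snmp (161/udp)|10800|Security Note|"
    "\\nSynopsis :\\n\\nThe System Information of the remote host ...",
]

# Assumed filename under the question's monitor path (hypothetical).
MONITORED_PATH = "/usr/share/ossim/www/vulnmeter/tmp/scan.out"

# Regex exactly as written in the question's inputs.conf. The middle "|" is
# not escaped, so the pattern is the alternation  .*?\|.*?  OR  (.*?)\|
ORIGINAL_RE = re.compile(r".*?\|.*?|(.*?)\|")

# Anchored regex proposed in the second answer.
ANCHORED_RE = re.compile(r"^[^|]*?\|[^|]*?\|([^|]*)?\|")


def extract_host(regex, text):
    """Mimic how the first capture group of the first match is used as the
    host: return it, or None if nothing matched or the group is unset."""
    match = regex.search(text)
    if match is None:
        return None
    return match.group(1)


def parse_nbe(line):
    """Split one NBE record into named fields.

    Field order is taken from the two record types shown in the question:
      timestamps||host|event|time|
      results|network|host|port|plugin id|severity|text
    The "results" text field may itself contain "|", so it is split last.
    """
    record_type = line.split("|", 1)[0]
    if record_type == "results":
        keys = ["type", "network", "host", "port", "plugin_id", "severity", "text"]
        fields = line.split("|", 6)
    elif record_type == "timestamps":
        keys = ["type", "network", "host", "event", "time"]
        fields = line.split("|")
    else:
        return {"type": record_type}
    return dict(zip(keys, fields))


def host_by_regex_vs_parser(line, regex):
    """Return (regex_host, parsed_host, agree) for one record, so the regex
    can be validated against the record's own host column."""
    regex_host = extract_host(regex, line)
    parsed_host = parse_nbe(line).get("host")
    return regex_host, parsed_host, regex_host == parsed_host


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("original regex :", host_by_regex_vs_parser(line, ORIGINAL_RE))
        print("anchored regex :", host_by_regex_vs_parser(line, ANCHORED_RE))
    # host_regex is applied to the filename, where there are no "|" delimiters,
    # so neither pattern matches and Splunk would fall back to the default host.
    print("anchored regex on filename:", extract_host(ANCHORED_RE, MONITORED_PATH))
```

Running it shows the original regex returning None for both records (the alternation's first branch matches "timestamps|" or "results|" without ever entering the capture group), the anchored regex returning 192.168.250.84 and 192.168.250.78 in agreement with the parsed host column, and None for the filename, which is why the inputs.conf host_regex approach cannot work for data carried inside the events.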