Splunk log filtering via Splunk Heavy forwarder

Sayanta_Basak_I
Explorer

Hello,

I have the logs coming from our IPS in the format below:

Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, IngressZone: Default-VRF-location, EgressZone: Prod-location DE: Primary Detection Engine (7eaa2610-2c9a-11e7-a3ec-f9112474357f), Policy: LO-Access-Policy, ConnectType: End, AccessControlRuleName: DefaultVRF to DCLAN, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 2, InitiatorBytes: 234, ResponderBytes: 136, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown

If I want to filter the events and keep only the information below via a Heavy Forwarder, will Splunk allow me to do that?

Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, ConnectType: End, AccessControlRuleAction: Allow, UserName: No Authentication Required

0 Karma

s2_splunk
Splunk Employee

Side comment: If you don't already have a heavy forwarder in your environment, don't introduce one just to do the filtering unless you ensure you are not creating a bottleneck.
You can filter unwanted things on the indexer directly and filtered stuff does not count against your license.

0 Karma

mdsnmss
SplunkTrust

Use props and transforms on the heavy forwarder.

props.conf

[sourcetype/source/etc]
# The setting name is TRANSFORMS-<class>; the value names the transforms.conf stanza below.
TRANSFORMS-trim_event = trim_event

transforms.conf

[trim_event]
# Rewrite _raw itself with capture group 1: everything up to the UserName value.
DEST_KEY = _raw
REGEX = (.*UserName: .+?),
FORMAT = $1

You might have to adjust the regex based on your needs. I am not a regex wizard, but based on your sample event that would capture what you want.

0 Karma

Sayanta_Basak_I
Explorer

Hello @mdsnmss

Thank you for your response. I am trying to understand how this might work before implementing it. Since your regex just includes UserName, does this mean only the UserName info will be retained, and that I have to make similar comma-separated entries to onboard the other information? My requirement is to convert the source log dump to something limited, as below:

Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, ConnectType: End, AccessControlRuleAction: Allow, UserName: No Authentication Required

0 Karma

mdsnmss
SplunkTrust

The way the regex works is that it will capture everything between (). You can test it by using something like https://regex101.com/. The capture group is set up with .* before UserName, which means it captures everything up to UserName. Once it sees UserName it will continue to capture everything up until the next comma. So if all of your events are formatted the same as your original, it should capture what you are looking for. There are probably better ways to create the capture group since I'm not a regex expert. I'd welcome anyone else's input on the regex.

0 Karma
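An added example, not from the thread: it emulates the posted REGEX/FORMAT rewrite of _raw in Python on the sample event, and beside it a key-whitelist rewrite that yields exactly the trimmed event the asker wants. The event and field names are taken from the thread; the helper names (apply_posted_transform, split_event, keep_only) are mine.

```python
import re

# Sample connection log from the thread (DstIP is truncated in the original post).
EVENT = (
    "Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., "
    "SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, "
    "IngressZone: Default-VRF-location, EgressZone: Prod-location DE: Primary Detection Engine "
    "(7eaa2610-2c9a-11e7-a3ec-f9112474357f), Policy: LO-Access-Policy, ConnectType: End, "
    "AccessControlRuleName: DefaultVRF to DCLAN, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, "
    "UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 2, InitiatorBytes: 234, "
    "ResponderBytes: 136, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, "
    "Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown"
)
# Trimmed event the asker wants to end up with (also from the thread).
WANTED = (
    "Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., "
    "SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, "
    "ConnectType: End, AccessControlRuleAction: Allow, UserName: No Authentication Required"
)
# Keys to retain, in event order: the whitelist behind WANTED.
KEEP = ("Protocol", "SrcIP", "OriginalClientIP", "DstIP", "SrcPort", "DstPort", "TCPFlags",
        "IngressInterface", "EgressInterface", "ConnectType", "AccessControlRuleAction", "UserName")
# REGEX from the posted transforms.conf; Splunk replaces _raw with capture group 1 (FORMAT = $1).
POSTED_REGEX = re.compile(r"(.*UserName: .+?),")

def apply_posted_transform(raw):
    """Emulate DEST_KEY=_raw with the posted REGEX; a non-matching event passes through unchanged."""
    m = POSTED_REGEX.search(raw)
    return m.group(1) if m else raw

def split_event(raw):
    """Separate the syslog header ('Aug 10 ... SFIMS: ') from the comma-separated 'Key: Value' body."""
    header, _, body = raw.partition("SFIMS: ")
    pairs = []
    for token in body.split(", "):
        key, sep, value = token.partition(": ")   # first ': ' only, so 'OriginalClientIP: ::' parses
        if sep:
            pairs.append((key, value))
    return header + "SFIMS: ", pairs

def keep_only(raw, keep=KEEP):
    """Rebuild _raw from a key whitelist, dropping the interleaved fields the posted regex cannot skip."""
    header, pairs = split_event(raw)
    return header + ", ".join(f"{k}: {v}" for k, v in pairs if k in keep)

if __name__ == "__main__":
    print(apply_posted_transform(EVENT))   # keeps IngressZone, Policy, rule name etc. up to UserName
    print(keep_only(EVENT))                # equals WANTED
```

The posted regex only cuts the tail after UserName, so the zone, policy and rule-name fields in the middle survive; a whitelist-style rewrite is needed to drop them. Fields removed before indexing cannot be recovered later, so confirm nothing dropped is needed for investigations.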