pftop parsing

danlynch
New Member

Hello,
I've added a unix script that identifies all NATed traffic across my BSD firewall (pf):

/usr/local/sbin/pftop -ab -v long -w 140 

The output is in this format:

PR    DIR SRC  DEST   GW  STATE  AGE       EXP  PKTS BYTES   AVG RU

in props.conf I have:

[pftop]
SHOULD_LINEMERGE = false
LINE_BREAKER = ^()$
TRUNCATE = 1000000
DATETIME_CONFIG = CURRENT
REPORT-pftop_fields = pftop_fields

in transforms.conf:

[pftop_fields]
REGEX = (tcp|udp) (in|out) (\d+\.\d+\.\d+\.\d+)\:?(\d*) (\d+\.\d+\.\d+\.\d+)\:?(\d*) (\d+\.\d+\.\d+\.\d+)\:?(\d*)   (\w+) (\d*) (\d*) (\d*) (\d*) (\d*) (\d*)
FORMAT = proto::$1 direction::$2 src_ip::$3 src_port::$4 dest_ip::$5 dest_port::$6 gw_ip::$7 gw_port::$8 state::$9 age::$10 expires::$11 packets::$12 bytes::$13 ave::$14 rule_number::$15
CLEAN_KEYS = 1
MV_ADD = 0

My problem is that Splunk is parsing the output so each time the script runs it is seen as one event. Not only would I like to be able to see individual connections, but also search on some of the key variables. netstat is experiencing the same difficulties on my system. Any help would be appreciated.

Update 2 Mar 13:
I reformatted the stdout, but I'm not sure how you would add a timestamp to each line. Below is the code for the shell script:

. `dirname $0`/common.sh
HEADER='PR     DIR    SRC                     DEST                   GW                   STATE                   AGE         EXP          PK
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-5s  %-5s  %-21s  %-21s  %-21s %-23s %-10s  %-10s  %6s  %6s  %5s  %3s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}'
CMD='eval /usr/local/sbin/pftop -ab -v long -w 140 | grep "tcp\|udp\|icmp"'
FORMAT='{gsub("[46]","",$1); if(!$12) { for (j=13; j>5; j--) $j=$(j-1); $5="N/A"} }'
assertHaveCommand $CMD
$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $FIGURE_SECTION $FILTER $FORMAT $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

Sample output:

PR  DIR SRC             DEST           GW  STATE                   AGE        EXP      PKTS BYTES AVG RU
tcp Out 127.0.0.1:14801 127.0.0.1:7736 N/A ESTABLISHED:ESTABLISHED 503:29:07  00:05:58 42K    200M  115 1

Ayn
Legend

Turn off line merging.

In props.conf:

SHOULD_LINEMERGE = false

danlynch
New Member

It is set to false but it doesn't seem to help


Kate_Lawrence-G
Contributor

I've found the easiest way around this is to reformat the stdout of the info to create an "event" with strict field assignments and a date/time stamp, so that when Splunk reads it it will be indexed by the time format I set in the props.conf.

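As an added example (not code from the original post, and not part of pftop or of any Splunk app), here is the reformatting approach from this answer combined with the field extraction the question's transforms.conf regex is aiming at, done in Python: each pf state becomes one line carrying an ISO-8601 timestamp followed by key=value pairs, with an explicit nat=true/false field so NATed traffic is searchable directly. The sample input is constructed to resemble pftop's long view (it is not a real capture); the IPv6 addr[port] endpoint form and the binary K/M/G counter multipliers are assumptions, and the script name pftop_events.py is hypothetical. Lines where the GW column is blank (or "N/A", as the question's awk prints it) are treated as untranslated, and ICMP endpoints without a port are handled.

```python
#!/usr/bin/env python3
"""Reformat `pftop -ab -v long -w 140` output into one timestamped key=value
event per state, so Splunk breaks each connection into its own event and
the fields search without a custom REPORT regex."""
import re
import sys
from datetime import datetime, timezone
from functools import reduce

# Constructed sample in the shape of pftop's long view (not a real capture).
# GW is blank for states pf did not translate, so those lines have 11
# whitespace-separated tokens instead of 12; ICMP endpoints carry no port.
SAMPLE = """\
PR   DIR SRC               DEST              GW                 STATE                    AGE       EXP       PKTS  BYTES  AVG  RU
tcp  In  192.0.2.10:51234  198.51.100.5:443  203.0.113.1:51234  ESTABLISHED:ESTABLISHED  00:12:41  23:59:10  1532  1200K  120  4
udp  Out 192.0.2.22:53412  198.51.100.53:53                     MULTIPLE:SINGLE          00:00:05  00:00:55  2     180    36   7
icmp In  192.0.2.10        198.51.100.5      203.0.113.1        0:0                      00:00:01  00:00:09  1     84     84   4
"""

COLUMNS = ("proto", "direction", "src", "dest", "gw", "state",
           "age", "expires", "packets", "bytes", "avg", "rule")
SIZE_MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(tok):
    """'42K' -> 43008. Binary multipliers are an assumption about pftop's
    abbreviated counters; adjust if your build prints decimal units."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", tok)
    if not m:
        raise ValueError(f"unexpected counter {tok!r}")
    return int(float(m.group(1)) * SIZE_MULT[m.group(2)])


def parse_duration(tok):
    """'503:29:07' -> seconds; works for any number of ':'-separated parts."""
    return reduce(lambda acc, part: acc * 60 + int(part), tok.split(":"), 0)


def split_endpoint(tok):
    """Return (address, port). pftop prints IPv4 as 'a.b.c.d:port'; the
    IPv6 'addr[port]' form is assumed here. ICMP endpoints have no port."""
    m = re.fullmatch(r"(.+)\[(\d+)\]", tok)
    if m:
        return m.group(1), int(m.group(2))
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", tok)
    if m:
        return m.group(1), int(m.group(2))
    return tok, None


def parse_state_line(line):
    """Parse one pftop state row into a dict, or None for header/blank rows."""
    toks = line.split()
    if not toks or toks[0].upper() == "PR":
        return None
    if len(toks) == 11:          # GW column empty: state was not NATed
        toks.insert(4, "")
    elif len(toks) != 12:
        return None              # truncated or unrelated line, skip it
    col = dict(zip(COLUMNS, toks))
    src_ip, src_port = split_endpoint(col["src"])
    dest_ip, dest_port = split_endpoint(col["dest"])
    # "N/A" is what the question's awk prints for a blank GW column
    translated = col["gw"] not in ("", "N/A")
    gw_ip, gw_port = split_endpoint(col["gw"]) if translated else (None, None)
    return {
        "proto": re.sub(r"[46]$", "", col["proto"].lower()),  # tcp4/tcp6 -> tcp
        "direction": col["direction"].lower(),
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": dest_ip, "dest_port": dest_port,
        "gw_ip": gw_ip, "gw_port": gw_port,
        "nat": translated,           # the property the original script wanted
        "state": col["state"],
        "age_sec": parse_duration(col["age"]),
        "expires_sec": parse_duration(col["expires"]),
        "packets": parse_size(col["packets"]),
        "bytes": parse_size(col["bytes"]),
        "avg": parse_size(col["avg"]),
        "rule": int(col["rule"]),
    }


def format_event(rec, ts):
    """One Splunk-friendly line: ISO-8601 timestamp, then key=value pairs
    (KV_MODE = auto picks these up); None-valued fields are omitted."""
    kv = " ".join(
        f"{k}={str(v).lower() if isinstance(v, bool) else v}"
        for k, v in rec.items() if v is not None
    )
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%S%z')} {kv}"


def to_events(text, ts=None):
    """All state rows in `text` as event lines sharing one collection time."""
    ts = ts or datetime.now(timezone.utc)
    recs = (parse_state_line(line) for line in text.splitlines())
    return [format_event(r, ts) for r in recs if r is not None]


if __name__ == "__main__":
    # Pipe real output in: pftop -ab -v long -w 140 | ./pftop_events.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(to_events(data)))
```

With output in this shape the props.conf stanza for the scripted input needs only SHOULD_LINEMERGE = false, LINE_BREAKER = ([\r\n]+) (the capturing group around the newline is required; ^()$ only breaks on empty lines, which is why the whole run arrives as one event), TIME_PREFIX = ^, TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z and KV_MODE = auto; the REPORT/transforms regex is then unnecessary, and `nat=true` in a search lists exactly the translated states.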