Hi splunkers,
I need to enrich the Checkpoint Firewall logs with the username in my corporate VPN logs.
On a first sourcetype, I have the name of the user with his DHCP IP address in the VPN (field name: office_mode_ip).
On a second sourcetype, I have the firewall traffic log with this same DHCP IP (field name: src).
The DHCP lease is 10h.
I cannot find how to get the associated user for each firewall log. How can I make a join over the same time range to avoid errors when the DHCP lease changes?
The first log with login details ==> user=Alain DUBOIS 123 (Alain.dubois@mydomain.com), office_mode_ip=10.245.131.237
time=1570087243|loc=1589977|fileid=1570053600|action=authcrypt|orig=0.0.0.0|i/f_dir=inbound|has_accounting=0|logId=-1|log_type=log|log_sequence_num=119|is_first_for_luuid=0|log_version=5|origin_sic_name=CN=FW_VPN01,O=vu.jmsp.prod.sq5ad5|uuid=<5d95a14b,00000000,0140a30a,0000116d>|product=xxxxxxxx|cvpn_category=Session|event_type=Login|client_name=Check Point Mobile|client_version=xxxxx|client_build=xxxxxxx|user=Alain DUBOIS 123 (Alain.dubois@mydomain.com)|auth_method=Password|login_option=Authentification IPSEC|failed_login_factor_num=0|user_dn=CN=Dominique ROBERT 841,OU=Administrateurs,OU=W7,OU=841-Utilisateurs,DC=mydomain,DC=com|user_group=GrpLDAP_VPNSSL, ad_group_VPNSSL_238285|host_type=PC|os_name=Windows|os_version=10|os_build=17763|os_bits=64bit|device_identification={xxxxxxxxxxxxxxxxxxxxxxxxxxx}|session_timeout=10:00:00|login_timestamp= 3Oct2019 9:20:43|src=aa.bb.cc.dd|host_ip=192.168.1.212|office_mode_ip=10.245.131.237|s_port=0|proto=tcp|service=443|tunnel_protocol=IPSec|methods:=3DES + SHA1|status=Success|Suppressed_Logs=0|mac_address=50:76:af:3a:eb:57|Hostname=p0006841|domain_name=mydomain.com|auth_encryption_methods=AES-256 + SHA1 + Group 2
Then the second sourcetype, with src=10.245.131.237:
time=1570087396|loc=1622048|fileid=1570053600|action=decrypt|orig=aa.bb.cc.dd|i/f_dir=inbound|i/f_name=wrp193|has_accounting=0|logId=0|log_type=connection|log_sequence_num=52|is_first_for_luuid=131072|log_version=5|origin_sic_name=CN=FW_VPN01,O=vu.jmsp.jmsp.prod.sq5ad5|uuid=<5d95a1e4,00000009,0140a30a,c0001800>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={xxxxxxxxxxxxxxxxxxxxxxxxx};mgmt=xxxxxxx;date=1570034884;policy_name=Regles_VS_VPN01]|inzone=External|outzone=Internal|service_id=cp_tcp_xxxxxxxxxx|src=10.245.131.237|s_port=49438|dst=10.160.16.247|service=10123|proto=tcp|scheme:=IKE|methods:=ESP: 3DES + SHA1|peer gateway=10.245.131.237|community=RemoteAccess|fw_subproduct=VPN-1|vpn_feature_name=VPN|LastUpdateTime= 3Oct2019 9:23:16|match_id=19|match_table.match_id=19|layer_uuid=129b5909-9ae6-48d5-8ee6-0dfb64ca827f|match_table.layer_uuid=129b5909-9ae6-48d5-8ee6-0dfb64ca827f|layer_name=Regles_VS_VPN01 Network|match_table.layer_name=Regles_VS_VPN01 Network|rule_uid=fbe622a8-fa24-4fe1-b372-bc63f23eb6f9|match_table.rule_uid=fbe622a8-fa24-4fe1-b372-bc63f23eb6f9|rule_name=Flux nomades|match_table.rule_name=Flux |rule_action=2|match_table.rule_action=2|parent_rule=0
I can get a real-time list of assigned DHCP addresses with
index="checkpoint_vpnssl" event_type=Login | stats latest(user_dn) by office_mode_ip
but how do I link each firewall log to this result so as to get an up-to-date user / IP pair?
Any ideas?
Thanks
There's a variety of ways to do this.
One I've had success with is to take your second search and create a time based lookup out of it. This will of course involve actually creating a lookup out of it in the first place, but that's also documented. There's a third, possibly more thorough, look at time based lookups here. A key point here is all those links came from the top couple of hits when I searched the web for "splunk create lookup time", so more examples and help should be easy to come across.
The lookup that you create can be scheduled to run fairly often, like once every 5 minutes, or even every minute. There's a tutorial you can probably adapt to help with this. This uses a KV store collection instead of a CSV based lookup, but that's fine and possibly better in this case anyway.
Then you can set that up to happen automatically (see those first links for instructions), or add it in manually like my search here | lookup fieldinlookup AS fieldnameinevents OUTPUT ...
Hopefully this helps!
Happy Splunking,
Rich
Once you have that,
After some research and testing with the KV store, all is OK now.
If it helps, here are all the files needed, in one app.
Create an app with these files:
AppName/local/app.conf
[install]
state = enabled
[package]
check_for_updates = false
[ui]
is_visible = false
is_manageable = false
label = Checkpoint DHCP KvStore - TA
[launcher]
author = Olivier CALMELS
description = Automatically link Checkpoint DHCP logs with firewall logs to merge them in the specified time range
version = 1.5
AppName/local/collections.conf
# KV store definition to save a timeline of IP / user / time entries.
# This KV store is filled by a scheduled search every minute that appends its results to the collection.
# The "field.*" entries are the same as the scheduled search's result fields.
[VPN-SSL_DHCP_collection]
field.office_mode_ip = string
field.domain_name = string
field._time = string
field.user_dn = string
# Acceleration in this KvStore
accelerated_fields.my_accel = {"user_dn": 1}
# My architecture has 3 indexers, so ==> Replication
replicate = true
AppName/local/transforms.conf
# Lookup definition that links the lookup with the KV store and allows querying the collection defined in collections.conf
[VPN-SSL_DHCP_lookup]
external_type = kvstore
collection = VPN-SSL_DHCP_collection
case_sensitive_match = False
fields_list = _key,_time,office_mode_ip,domain_name,user_dn
# The time_* settings are required to make this a time-based lookup
time_field = _time
time_format = %s
AppName/local/props.conf
# Automate the link between the firewall logs and the KV store.
# If the IP matches (office_mode_ip AS src), domain_name and user_dn are appended to the results.
# This props stanza limits the automatic lookup to one host.
[host::CheckPointManagerName]
LOOKUP-VPNSS_Automatic_Lookup = VPN-SSL_DHCP_lookup office_mode_ip AS src OUTPUTNEW domain_name AS domain_name user_dn AS user_dn
AppName/local/savedsearches.conf
[Do-Not-Click_VPN-SSL_Office-Mode_DHCP_KvStore_Filling]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = */1 * * * *
dispatch.earliest_time = -1min@min
dispatch.latest_time = -0min@min
enableSched = 1
# append=true keeps the earlier entries so the time-based lookup sees the whole IP history; the collection keeps growing until old entries are removed.
search = index="checkpoint_vpnssl" event_type=Login | stats values(user_dn) by office_mode_ip domain_name _time | rename values(user_dn) as user_dn | outputlookup append=true VPN-SSL_DHCP_lookup
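The matching that the time-based KV store lookup above performs, written out as an added Python example (this is not code from the thread or from Splunk): it parses pipe-delimited key=value Check Point lines, keeps a per-IP timeline of successful logins, and for each firewall event takes the latest login at or before the event's time, dropping the match when that login is older than the lease. The first login and the first firewall line are trimmed from the events posted above; the second login (the same office-mode IP re-leased to a user "Jane DOE 456", a constructed name) and the two later firewall events are constructed to show a lease change. The lease length is read from the session_timeout field, and naive_latest() reproduces what `stats latest(...) by office_mode_ip` gives without a time axis.

```python
"""Time-based IP -> VPN user lookup, mirroring the thread's KV store lookup
(time_field=_time) in plain Python. Added example; not code from the thread."""
from bisect import bisect_right
from collections import defaultdict

# Login events: the first is trimmed from the thread, the second is constructed
# to show the same office-mode IP being re-leased to another user 12h later.
LOGIN_LINES = [
    "time=1570087243|action=authcrypt|event_type=Login"
    "|user=Alain DUBOIS 123 (Alain.dubois@mydomain.com)"
    "|office_mode_ip=10.245.131.237|session_timeout=10:00:00|status=Success",
    "time=1570130443|action=authcrypt|event_type=Login"
    "|user=Jane DOE 456 (jane.doe@mydomain.com)"
    "|office_mode_ip=10.245.131.237|session_timeout=10:00:00|status=Success",
]

# Firewall events: the first is trimmed from the thread; the other two are
# constructed at 11h after the first login (lease expired, no new login yet)
# and just after the second login.
FW_LINES = [
    "time=1570087396|action=decrypt|log_type=connection|src=10.245.131.237"
    "|s_port=49438|dst=10.160.16.247|service=10123|proto=tcp",
    "time=1570126843|action=decrypt|log_type=connection|src=10.245.131.237"
    "|s_port=50001|dst=10.160.16.247|service=10123|proto=tcp",
    "time=1570130500|action=decrypt|log_type=connection|src=10.245.131.237"
    "|s_port=50002|dst=10.160.16.247|service=10123|proto=tcp",
]


def parse_checkpoint(line):
    """Parse a pipe-delimited key=value Check Point log line into a dict.
    Only the first '=' splits a field, so values such as 'methods:=3DES + SHA1'
    or '__policy_id_tag=product=...' survive intact."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def lease_seconds(session_timeout):
    """'10:00:00' (the session_timeout field) -> 36000 seconds."""
    h, m, s = (int(x) for x in session_timeout.split(":"))
    return h * 3600 + m * 60 + s


class VpnUserLookup:
    """Per-IP timeline of logins. lookup(ip, t) returns the user of the latest
    login at or before t, or None if there is none or it is older than the lease."""

    def __init__(self, lease):
        self.lease = lease
        self._times = defaultdict(list)   # ip -> sorted login epochs
        self._users = defaultdict(list)   # ip -> users, parallel to _times

    def add_login(self, event):
        ip, t = event["office_mode_ip"], int(event["time"])
        i = bisect_right(self._times[ip], t)
        self._times[ip].insert(i, t)
        self._users[ip].insert(i, event["user"])

    def lookup(self, ip, t):
        times = self._times.get(ip)
        if not times:
            return None
        i = bisect_right(times, t) - 1          # latest login with time <= t
        if i < 0 or t - times[i] > self.lease:  # none yet, or lease already expired
            return None
        return self._users[ip][i]


def build_lookup(login_lines):
    """Keep only successful Login events, size the lease from session_timeout."""
    events = [parse_checkpoint(l) for l in login_lines]
    logins = [e for e in events
              if e.get("event_type") == "Login" and e.get("status") == "Success"]
    lk = VpnUserLookup(lease_seconds(logins[0]["session_timeout"]))
    for e in logins:
        lk.add_login(e)
    return lk


def enrich(fw_lines, lk):
    """Return (time, src, user) per firewall line; user is None when unattributable."""
    out = []
    for line in fw_lines:
        e = parse_checkpoint(line)
        t = int(e["time"])
        out.append((t, e["src"], lk.lookup(e["src"], t)))
    return out


def naive_latest(login_lines, ip):
    """What `stats latest(user) by office_mode_ip` yields: the most recent login
    for the IP, regardless of when the firewall event happened."""
    best = None
    for e in (parse_checkpoint(l) for l in login_lines):
        if e["office_mode_ip"] == ip and (best is None or int(e["time"]) > int(best["time"])):
            best = e
    return best["user"] if best else None


if __name__ == "__main__":
    lk = build_lookup(LOGIN_LINES)
    for t, src, user in enrich(FW_LINES, lk):
        print(t, src, user)
    print("naive:", naive_latest(LOGIN_LINES, "10.245.131.237"))
```

Run as-is, the first firewall event resolves to Alain, the 11h-later one to nothing (the lease has run out and nobody has logged in since), and the one after the second login to Jane, whereas the naive latest-per-IP answer attributes all three to Jane once her login exists. The lease check is the part the thread's transforms.conf does not enforce: as configured, the lookup returns the latest earlier entry however old it is, so a firewall event long after the last login still gets that user. Splunk's time-based lookups have a max_offset_secs setting in transforms.conf for exactly this window.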