Getting Data In

Filter a syslog to only a couple fields, make into a report

ravenind
New Member

Pardon my brand-newness to Splunk, please. I just installed it. 😉

We have a Sourcefire unit that we would like to pull Connection Events out of to use it for web filter reporting. I am pushing Events in to Splunk and each Syslog event has the data(fields) that I need - User:, URL:, date_hour.

At the most basic level, I simply need to be able to create a report to search for say, "User123" from the User: field and only show User/URL/Date in a very readable report. What is the easiest way to do this? Keep in mind the syslog data is already coming in so I just need to filter and make it readable for these few fields.

If I can get this basic need handled, management will allow me to use Splunk as our web filtering platform and then I can have a hayday playing with all the other fun features.

Please help, thanks!

Tags (2)
0 Karma

ravenind
New Member

Sure! Here are 2 example syslog entries. Note the date/time at the beginning, the URL:, and the User: sections. I did choose 'Extract Fields' and it appeared to be able to single out the 3 fields that I was most concerned with. I just don't know how to make a simple report from those 3 fields. I appreciate your responses, satishsdange!

2015-03-17 00:00:15 Syslog.Alert 10.24.100.2 Mar 16 13:50:46 SET-ASASFR SFIMS: [Primary Detection Engine (3fb65e80-3ea7-11e4-ae31-d6323923abe1)][Default Access Control] Connection Type: End, User: mav2, Client: SSL client, Application Protocol: HTTPS, Web App: MS Office 365, Access Control Rule Name: LogWebTraffic, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Internet Portals, URL Reputation: High risk, URL: https://nexus.officeapps.live.com, Interface Ingress: Inside, Interface Egress: Outside, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 8, Responder Packets: 9, Initiator Bytes: 1434, Responder Bytes: 6780, Context: unknown {TCP} 10.24.100.78:55118 -> 167.73.254.109:443

2015-03-17 00:01:25 Syslog.Alert 10.24.100.2 Mar 16 13:50:47 SET-ASASFR SFIMS: [Primary Detection Engine (3fb65e80-3ea7-11e4-ae31-d6323923abe1)][Default Access Control] Connection Type: End, User: rad2, Client: Microsoft CryptoAPI, Application Protocol: HTTP, Web App: Microsoft, Access Control Rule Name: LogWebTraffic, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Business and Economy, URL Reputation: High risk, URL: http://crl.microsoft.com/pki/crl/products/tspca.crl, Interface Ingress: Inside, Interface Egress: Outside, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: 6.1, Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 17, Responder Packets: 9, Initiator Bytes: 2799, Responder Bytes: 2083, Context: unknown {TCP} 10.24.100.91:62157 -> 74.73.232.50:80

0 Karma

ravenind
New Member

Still struggling with what seems it should be very simple. Does anyone else have any recommendations? Thanks!

0 Karma

satishsdange
Builder

Could you please share some sample data?

0 Karma

ravenind
New Member

It would appear that the eStreamer does not have an option to output Connection Events, only other types of events.

I am really looking for a most simple type of report, are there any other suggestions?

0 Karma

ravenind
New Member

I am looking in to it as we speak, but it appears to require a bit more time and involvement to set up. I am sure long term this is probably the way to go, but I already have the Syslog pulling in data and would like to be able to create a simple report off of what I have already. As mentioned, if I can prove that this simple report is possible, management will allow me to use Splunk at which time I can take a more full-featured approach.

Thank you.

0 Karma

satishsdange
Builder

Did you get a chance to look at this https://apps.splunk.com/app/1808/. This add-on can certainly help you to extract data & create cool reports.
You amy also look at Cisco Security Suite https://apps.splunk.com/app/525/.

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...