Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forcepoint Proxy syslogs - Parsing questions

mooree
Path Finder
‎05-19-2017 04:02 AM

we're getting the syslogs exports from our Forcepoint appliances, using their standardised SIEM integration. The format of the output generally works except for "user".

Because the Forcepoint syslogger insists on listing the full LDAP path of the user, it's littered with commas and equals, but has no external delimiter:

user=LDAP://ldap.emea.company.loc OU=PST Disable Test,OU=Test,DC=emea,DC=Company,DC=loc/surname\, first

Splunk parses this as user= "LDAP://ldap.emea.company.loc"
can force remove teh Spaces with "_" using Forcepoint's escape sequences, which results in:

user=LDAP://ldap.emea.company.loc_OU=PST_Disable_Test,OU=Test,DC=emea,DC=company,DC=loc/surname_,_first

which Splunk interprets as:

user = "LDAP://ldap.emea.company.loc_OU=PST_Disable_Test"

any suggestions as to how i can delimit or replace the field to just contain something Splunk can recognise?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

mooree
Path Finder
‎05-22-2017 01:52 AM

That's the crux of the issue. There's nothing obvious to use. In fact characters within the value are reasonably being interpreted as the terminator.

I either need to teach the Forcepoint Appliance how to write it's log better, or hope some Splunking Hero has figured out how to get Splunk to parse this better.

Eric

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mooree
Path Finder
‎05-22-2017 01:52 AM

That's the crux of the issue. There's nothing obvious to use. In fact characters within the value are reasonably being interpreted as the terminator.

I either need to teach the Forcepoint Appliance how to write it's log better, or hope some Splunking Hero has figured out how to get Splunk to parse this better.

Eric

0 Karma
Reply
Solved! Jump to solution

mooree
Path Finder
‎05-26-2017 11:37 AM

Found my own answer: https://answers.splunk.com/answers/453509/websense-stripping-ldap-ou-dc-strings-from-user-fi.html

I also downloaded the Websense plug CIM module for Splunk, which contains this already.

https://splunkbase.splunk.com/app/2966/

Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎05-20-2017 07:29 PM

What DOES delimit the user field? If it's not a space, not a comma, what would tell one that the end of the user string is there?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...