Hi,
Are there any available applications to address the issue of incorrect parsing of secret server logs in Splunk cloud?
Thanks
We covered that yesterday. You need a regular expression that matches the field name and value.
[mysourcetype]
SEDCMD-rm_cs2 = s/(cs2=.*?(cs|\s*$))/\2/
SEDCMD-rm_cs2Label = s/(cs2Label=.*?(cs|\s*$))/\2/
The regexes look for either "cs2" or "cs2Label" followed by any characters up to the next field or the end of the event. They replace it with the following field to avoid breaking that field.
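The following Python is an added example, not part of the thread or of any Splunk add-on: it replays the two SEDCMD rules above against constructed CEF-style events (not real Secret Server output) so you can see exactly what each regex strips. Splunk's sed replaces only the first match unless the rule carries a "g" flag, so `count=1` is used to mirror that; the rules above carry no flags, which is the assumption here. The third sample shows the caveat a practitioner should know about: the lazy `.*?` stops at the first "cs" it sees, including one inside the value being removed.

```python
import re

# Added example, not from the thread: the two SEDCMD rules from the props.conf
# stanza above, in the order Splunk applies them (first match only, no "g" flag).
SEDCMD_RULES = [
    (r"(cs2=.*?(cs|\s*$))", r"\2"),       # SEDCMD-rm_cs2
    (r"(cs2Label=.*?(cs|\s*$))", r"\2"),  # SEDCMD-rm_cs2Label
]

# Constructed CEF-style event in the shape the later posts in this thread show.
SAMPLE_EVENT = (
    "CEF:0|Thycotic Software|Secret Server|10.9|10001|SECRET - VIEW|2|"
    "rt=Oct 24 2023 10:15:00 cs1=Viewer cs1Label=Role "
    "cs2=Domain Admins cs2Label=Group cs3=Prod cs3Label=Folder"
)

# Constructed edge cases: cs2 as the last field, and a cs2 value that itself
# contains the letters "cs" (the regex truncates it there and leaves debris).
LAST_FIELD_EVENT = "cs1=Viewer cs2=Domain Admins"
CS_IN_VALUE_EVENT = "cs1=Viewer cs2=docs-team cs2Label=Group cs3=Prod"


def apply_sedcmd(event: str, rules=SEDCMD_RULES) -> str:
    """Apply each s/regex/replacement/ rule once, in order, like SEDCMD without the g flag."""
    for pattern, replacement in rules:
        event = re.sub(pattern, replacement, event, count=1)
    return event


if __name__ == "__main__":
    for event in (SAMPLE_EVENT, LAST_FIELD_EVENT, CS_IN_VALUE_EVENT):
        print(event)
        print("  ->", apply_sedcmd(event))
```

On the first event both cs2 fields disappear and cs3 is untouched; on the last-field case the `\s*$` branch removes cs2 and leaves a trailing space; on the "docs-team" case the rule cuts at the "cs" inside the value and leaves "cs-team" behind, so anchor the alternation on a real field boundary (for example a preceding space plus "cs" and a digit) if values can contain that substring.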
@richgalloway ,
We can do the Event Action Extract Fields instead of creating the props/transforms, right?
Thanks
I believe you can do that.
Hi @richgalloway ,
Can we use a general regex to extract all the fields that have key-value pairs?
I have installed a custom app on another SH, where we typically install all apps to distribute the load, but it is not reflected (the configurations are not working) on the other SH in ES. What could be the reason?
In the custom app, the object owner is not showing any user after installation. How can we change it under All Configurations in the UI of the SH? We don't have backend access.
Thanks
The preferred way to parse key/value pairs is to use KV_MODE=auto in props.conf.
An app installed in one SH will have no effect on other SHs. Install the app on the ES SH for the configuration to have effect.
To change the owner of an object, click the Reassign Knowledge Objects button in the top-right corner of the All Configurations page.
Hi @richgalloway ,
Could you please make changes as you requested.
This is the regex used in the transforms:
https://regex101.com/r/YhoZHW/1
My transforms.conf looks like:
[key_value_pair]
REGEX = (\w+)=(.*?)(?=\s\w+=|$)
FORMAT = $1::$2
props.conf
[delinea:secretserver]
category = Custom
description = Secret Server Logs
EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\|
REPORT-key_value_pair = key_value_pair
# Field renames
FIELDALIAS-cs1 = cs1 as modified_role_name
# FIELDALIAS-cs1label = cs1label as modified_role_name
FIELDALIAS-cs2 = cs2 as user_or_group_name
# FIELDALIAS-cs2label = cs2label as user_or_group_name
FIELDALIAS-cs3 = cs3 as folder_name
# FIELDALIAS-cs3label = cs3label as folder_name
FIELDALIAS-cs4 = cs4 as source_user
FIELDALIAS-fname = fname as target_item
FIELDALIAS-rt = rt as event_time
Thanks.
props.conf
[delinea:secretserver]
category = Custom
description = Secret Server Logs
EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\|
#REPORT-key_value_pair = key_value_pair
KV_MODE = auto
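The following Python is an added example, not code from the thread or from any Splunk add-on: it runs the EXTRACT regex and the [key_value_pair] REPORT regex posted above over constructed events (not real Secret Server output) and applies the FIELDALIAS renames, so the result of the search-time extraction can be inspected outside Splunk. Splunk uses PCRE; Python's re behaves the same for these patterns, except that named groups are spelled `(?P<name>...)` instead of `(?<name>...)`. The second event shows the limitation of the `(\w+)=(.*?)(?=\s\w+=|$)` pattern: a value that itself contains " word=" is cut short there, which is the kind of case KV_MODE = auto handles no better, so values like free-text messages deserve a dedicated extraction.

```python
import re

# Added example, not from the thread: EXTRACT-event_id_name from the props.conf above,
# with Splunk's (?<name>...) groups written in Python's (?P<name>...) form.
HEADER_RE = re.compile(
    r"\|Secret Server\|[^\|]*\|(?P<event_id>[^\|]*)\|(?P<event_name>[^\|]*)\|"
)
# REGEX from the [key_value_pair] transform; FORMAT = $1::$2 makes group 1 the
# field name and group 2 its value.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# The FIELDALIAS-* lines: the original field stays and the alias is added.
ALIASES = {
    "cs1": "modified_role_name",
    "cs2": "user_or_group_name",
    "cs3": "folder_name",
    "cs4": "source_user",
    "fname": "target_item",
    "rt": "event_time",
}

# Constructed sample events (not real Secret Server log lines).
EVENTS = [
    # Values with spaces ("Domain Admins", "Prod Vault") are handled: a value
    # runs until the next " name=" or the end of the event.
    "CEF:0|Thycotic Software|Secret Server|10.9|10012|ROLE - USERADDED|3|"
    "rt=Oct 24 2023 10:15:00 cs1=Administrator cs1Label=Role "
    "cs2=Domain Admins cs2Label=Group cs4=jsmith fname=Prod Vault",
    # Limitation: "msg" contains " user=", so msg is truncated to "Viewed by"
    # and a bogus "user" field swallows the rest of the message.
    "CEF:0|Thycotic Software|Secret Server|10.9|10500|SECRET - VIEW|2|"
    "msg=Viewed by user=bob from console cs4=bob fname=db-prod",
]


def extract_fields(event: str) -> dict:
    """Mimic EXTRACT-event_id_name, REPORT-key_value_pair and the FIELDALIAS-* lines."""
    fields = {}
    header = HEADER_RE.search(event)
    if header:
        fields.update(header.groupdict())
    for name, value in KV_RE.findall(event):
        fields[name] = value
    for src, alias in ALIASES.items():
        if src in fields:
            fields[alias] = fields[src]
    return fields


if __name__ == "__main__":
    for event in EVENTS:
        for name, value in sorted(extract_fields(event).items()):
            print(f"{name}={value!r}")
        print()
```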
Hi @richgalloway ,
Now, where can I edit the props on the SH? I don't have backend access.
You can edit props on the SH by going to Settings->Source types, but that won't do you much good. The props in question are index-time and must be installed on indexers. To make the change, create or update an app on the Cluster Manager and apply the bundle. If you don't have access then find someone who does.
Can you guide me on how to make the change: create or update an app on the Cluster Manager and apply the bundle?
Thanks
My apologies for my poor Monday morning reply. In Splunk Cloud, all you do is upload your props.conf in an app and Splunk automatically installs it on the indexers.
Hi @richgalloway ,
Can we edit a custom app's props.conf using a conf editor?
I'm not familiar with conf editor. I recommend making Splunk Cloud config changes locally and then uploading an app. That means you always have a copy of your configs locally.
Hi @richgalloway ,
How can we get the logs stored on our Secret Server Distributed Engine servers? They already have the universal forwarder installed. We would like these logs to be available in Splunk as well. The logs are stored in the following location: C:\Program Files\Thycotic Software\log, and the file is xyz.log.
Thanks.
This probably should be a new question.
The solution is to add a monitor stanza to an inputs.conf file in the UF.
[monitor://C:\Program Files\Thycotic Software\log\xyz.log]
index = foo
sourcetype = bar
Hi @richgalloway ,
In the folder C:\Program Files\Thycotic Software\log\
there are many files like xyz.log.1, xyz.log.2, xyz.log.3, ... xyz.log.20, ...
Can we use xyz.log.* in the monitor stanza to make them available in Splunk?
Thanks.
Yes, you can. Please read inputs.conf.spec.
Yes, it's easy to do. See my reply on 24 Oct.
How can the servers be secret if they're logged in Splunk?
Splunkbase may have add-ons that help parse the logs, but they're unlikely to be listed as "secret". Use the vendor or product name to search for relevant add-ons.
Chances are, however, that you'll need to build your own add-on. It's not hard - an add-on is just a collection of .conf files (mainly props and transforms).
The process can be made easier by exporting the problematic events to a file (use "raw" mode). Use the Add Data wizard to upload the file and experiment with settings until you find the right ones to parse the events. Then you can copy those settings into your add-on.
Upload the add-on to Splunk Cloud and see how it improves parsing. Iterate as necessary.