Getting Data In

How do we Parse logs of Secret Server in Splunk Cloud

AL3Z
Builder

Hi,

Are there any available applications to address the issue of incorrect parsing of secret server logs in Splunk cloud?

Thanks

0 Karma

richgalloway
SplunkTrust

We covered that yesterday.  You need a regular expression that matches the field name and value.

[mysourcetype]
SEDCMD-rm_cs2 = s/(cs2=.*?(cs|\s*$))/\2/
SEDCMD-rm_cs2Label = s/(cs2Label=.*?(cs|\s*$))/\2/

The regexes look for either "cs2" or "cs2Label" followed by any characters up to the next field or the end of the event.  They replace it with the following field to avoid breaking that field.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

@richgalloway ,

We can do the Event Action Extract Fields instead of creating the props/transforms, right?

Thanks

0 Karma

richgalloway
SplunkTrust

I believe you can do that.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

Hi @richgalloway ,

Can we use a general regex to extract all the fields having key-value pairs?

I have installed a custom app on another SH, where we typically install all apps to distribute the load, but it is not reflecting (the configurations are not working) on another SH in ES. What could be the reason?

In the custom app, the object owner is not showing any user after installation. How can we change it under All Configurations in the UI of the SH? We don't have backend access.

Thanks

0 Karma

richgalloway
SplunkTrust

The preferred way to parse key/value pairs is to use KV_MODE=auto in props.conf.

An app installed in one SH will have no effect on other SHs.  Install the app on the ES SH for the configuration to have effect.

To change the owner of an object, click the Reassign Knowledge Objects button in the top-right corner of the All Configurations page.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi @richgalloway ,
Could you please make the changes as you requested.

This is the regex used in the transforms:
https://regex101.com/r/YhoZHW/1

My transforms look like:

[key_value_pair]
REGEX = (\w+)=(.*?)(?=\s\w+=|$)
FORMAT = $1::$2

props.conf

[delinea:secretserver]
category = Custom
description = Secret Server Logs
EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\|
REPORT-key_value_pair = key_value_pair

# Field renames
FIELDALIAS-cs1 = cs1 as modified_role_name
# FIELDALIAS-cs1label = cs1label as modified_role_name
FIELDALIAS-cs2 = cs2 as user_or_group_name
# FIELDALIAS-cs2label = cs2label as user_or_group_name
FIELDALIAS-cs3 = cs3 as folder_name
# FIELDALIAS-cs3label = cs3label as folder_name
FIELDALIAS-cs4 = cs4 as source_user
FIELDALIAS-fname = fname as target_item
FIELDALIAS-rt = rt as event_time

Thanks..

0 Karma

richgalloway
SplunkTrust

props.conf

[delinea:secretserver]
category = Custom
description = Secret Server Logs
EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\|
#REPORT-key_value_pair = key_value_pair
KV_MODE = auto


---
If this reply helps you, Karma would be appreciated.
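To check the regexes in this thread before packaging them into an app, here is an added Python example (not from the thread, from Splunk, or from the Secret Server add-on). It runs the EXTRACT-event_id_name regex, the [key_value_pair] transform regex and the FIELDALIAS renames posted above over a constructed Secret Server CEF line, and then shows the one case the key/value regex does not handle: a free-text value that itself contains " word=". The sample event (including "Thycotic Software" as the CEF vendor field), the helper names and the order of the CEF header fields are assumptions; Splunk's `(?<name>...)` named groups are written as Python's `(?P<name>...)`.

```python
import re

# Constructed sample event in the CEF layout Secret Server emits; every value is
# made up for this example and is not taken from the thread.
SAMPLE_EVENT = (
    "CEF:0|Thycotic Software|Secret Server|11.0|10|ROLE - MODIFY|2|"
    "rt=Oct 24 2023 10:15:02 suser=admin cs1=Help Desk Role cs1Label=Role Name "
    "cs2=Support Team cs2Label=User or Group Name cs3=Shared Folder "
    "cs3Label=Folder Name cs4=j.doe cs4Label=Source User fname=Prod DB Password"
)

# The EXTRACT-event_id_name regex from the thread, with Splunk's (?<name>...)
# groups written as Python's (?P<name>...).
EVENT_HEADER_RE = re.compile(
    r"\|Secret Server\|[^\|]*\|(?P<event_id>[^\|]*)\|(?P<event_name>[^\|]*)\|"
)

# The [key_value_pair] transform regex from the thread, unchanged.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# The FIELDALIAS stanzas from the thread as a plain mapping (original -> alias).
FIELD_ALIASES = {
    "cs1": "modified_role_name",
    "cs2": "user_or_group_name",
    "cs3": "folder_name",
    "cs4": "source_user",
    "fname": "target_item",
    "rt": "event_time",
}


def extract_header(event: str) -> dict:
    """Pull event_id and event_name out of the CEF header, like the EXTRACT stanza."""
    m = EVENT_HEADER_RE.search(event)
    return m.groupdict() if m else {}


def extract_kv(event: str) -> dict:
    """Apply the key_value_pair transform: each key=value runs up to the next ' key='."""
    return {key: value for key, value in KV_RE.findall(event)}


def apply_aliases(fields: dict) -> dict:
    """FIELDALIAS keeps the original field and adds the alias beside it."""
    out = dict(fields)
    for original, alias in FIELD_ALIASES.items():
        if original in fields:
            out[alias] = fields[original]
    return out


def parse_event(event: str) -> dict:
    """Header extraction, key/value extraction and aliasing in the order Splunk applies them."""
    fields = extract_header(event)
    fields.update(extract_kv(event))
    return apply_aliases(fields)


if __name__ == "__main__":
    for name, value in sorted(parse_event(SAMPLE_EVENT).items()):
        print(f"{name} = {value}")

    # Limitation of the transform regex: a free-text value containing " word=" is
    # cut short, because the lookahead treats that word as the next key.
    tricky = "msg=user typed foo=bar here suser=admin"
    print(extract_kv(tricky))
```

The last print shows `msg` reduced to "user typed" and a spurious `foo` field, which is the behaviour to expect from the transform whenever an operator-supplied value (a comment, a secret name with an "=" in it) is logged verbatim; values with spaces but no embedded "=" come through whole, as cs2 and fname do above.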

AL3Z
Builder

Hi @richgalloway ,

Now where can I edit the props in the SH? I don't have backend access.

0 Karma

richgalloway
SplunkTrust

You can edit props on the SH by going to Settings->Source types, but that won't do you much good.  The props in question are index-time and must be installed on indexers.  To make the change, create or update an app on the Cluster Manager and apply the bundle.  If you don't have access then find someone who does.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

@richgalloway ,

Can you guide me on how to make the change, create or update an app on the Cluster Manager and apply the bundle?
Thanks

0 Karma

richgalloway
SplunkTrust

My apologies for my poor Monday morning reply.  In Splunk Cloud, all you do is upload your props.conf in an app and Splunk automatically installs it on the indexers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

Hi @richgalloway ,

Can we edit custom app props.conf using conf editor ?

0 Karma

richgalloway
SplunkTrust

I'm not familiar with conf editor.  I recommend making Splunk Cloud config changes locally and then uploading an app.  That means you always have a copy of your configs locally.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi @richgalloway ,

How can we get the logs stored on our Secret Server Distributed Engine servers? They already have the universal forwarder installed on them. We would like these logs to be available in Splunk as well. The logs are stored in the following location: C:\Program Files\Thycotic Software\log and the file is xyz.log.

Thanks..

0 Karma

richgalloway
SplunkTrust

This probably should be a new question.

The solution is to add a monitor stanza to an inputs.conf file in the UF.

[monitor://C:\Program Files\Thycotic Software\log\xyz.log]
index = foo
sourcetype = bar

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi @richgalloway ,

In the folder C:\Program Files\Thycotic Software\log\
there are many files like xyz.log.1, xyz.log.2, xyz.log.3, ... xyz.log.20 ...
Can we use xyz.log.* in the monitor stanza to make them available in Splunk?
Thanks...

0 Karma

richgalloway
SplunkTrust

Yes, you can.  Please read inputs.conf.spec.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Yes, it's easy to do.  See my reply on 24 Oct.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

How can the servers be secret if they're logged in Splunk?  :grinning_face:

Splunkbase may have add-ons that help parse the logs, but they're unlikely to be listed as "secret".  Use the vendor or product name to search for relevant add-ons.

Chances are, however, that you'll need to build your own add-on.  It's not hard - an add-on is just a collection of .conf files (mainly props and transforms).

The process can be made easier by exporting the problematic events to a file (use "raw" mode).  Use the Add Data wizard to upload the file and experiment with settings until you find the right ones to parse the events.  Then you can copy those settings into your add-on.

Upload the add-on to Splunk Cloud and see how it improves parsing.  Iterate as necessary.

---
If this reply helps you, Karma would be appreciated.