Getting Data In

How to drop incoming deny logs from firewall logs

hartfoml
Motivator

I am trying to filter out all inbound deny syslog that the firewall is sending
I have a props.conf like this

[srx_log]
TRANSFORMS-srxDrop = srxDropDeny

I have transforms.conf like this

##############################
#  Drop Firewall inbound deny
###############################

[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")
DEST_KEY = queue
FORMAT = nullQueue

I can see that the logs are not being dropped.

How do I ..... or where do I look to see why this is not working? Is there an internal log that tracks the transforms and props activity? Is there a log file that tracks whether or not a filter is working?

0 Karma
1 Solution

hartfoml
Motivator

I think I figured it out. Regex is case sensitive and I had two source zones, one with a lower-case "u" and one with an upper-case "U", so I had to add the "|" OR symbol to add the second source-zone-name

[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))
DEST_KEY = queue
FORMAT = nullQueue


0 Karma
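To check this kind of routing rule before touching production configs, here is an added Python example (not from the original post or from Splunk) that applies the thread's original and corrected REGEX values to constructed events modelled on the RT_FLOW_SESSION_DENY sample in this thread, and reports which queue each event would land in. The event strings are trimmed and constructed for the example; the `(?i)` case-insensitive variant is an alternative I am suggesting, not something from the thread.

```python
import re

# Constructed sample events, shortened from the firewall log format shown in the thread.
PREFIX = '<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - '
DENY_UPPER = (PREFIX + 'RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.28 '
              'source-address="y.y.y.y" destination-port="80" '
              'source-zone-name="Untrust" destination-zone-name="my zone" reason="none"]')
DENY_LOWER = DENY_UPPER.replace('source-zone-name="Untrust"', 'source-zone-name="untrust"')
# Outbound deny: source zone is internal, so it must NOT be dropped.
DENY_OUTBOUND = (PREFIX + 'RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.28 '
                 'source-zone-name="trust" destination-zone-name="Untrust" reason="none"]')
# A permitted session from the same zone must NOT be dropped either.
CREATE_UPPER = DENY_UPPER.replace('RT_FLOW_SESSION_DENY', 'RT_FLOW_SESSION_CREATE')

# The REGEX values exactly as posted in the thread (PCRE syntax; Python accepts these escapes).
ORIGINAL_REGEX = r'(RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")'
FIXED_REGEX = r'(RT\_FLOW\_SESSION\_DENY.+(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))'
# Suggested alternative (assumption, not from the thread): an inline case-insensitive flag
# avoids listing every spelling of the zone name.
CASE_INSENSITIVE_REGEX = r'(?i)RT_FLOW_SESSION_DENY.+source-zone-name="untrust"'


def route(event: str, regex: str) -> str:
    """Mimic the transforms.conf decision: a REGEX match sends the event to nullQueue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def routing_table(regex: str) -> dict:
    """Route each constructed event with the given REGEX; used to compare rule versions."""
    events = {
        "deny_Untrust": DENY_UPPER,
        "deny_untrust": DENY_LOWER,
        "deny_outbound": DENY_OUTBOUND,
        "create_Untrust": CREATE_UPPER,
    }
    return {name: route(ev, regex) for name, ev in events.items()}


if __name__ == "__main__":
    for label, rx in [("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX),
                      ("case-insensitive", CASE_INSENSITIVE_REGEX)]:
        print(label, routing_table(rx))
```

The original rule leaves the upper-case "Untrust" event in indexQueue, which is the symptom described in the question; both corrected rules drop it while still indexing the outbound deny and the CREATE event.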


hartfoml
Motivator

Here is a sample of the firewall log that I am trying to drop

<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" destination-address="x.x.x.x" destination-port="80" service-name="junos-http" protocol-id="6" icmp-type="0" policy-name="my policyname" source-zone-name="Untrust" destination-zone-name="my zone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="UNKNOWN" reason="none"] 
0 Karma

gcusello
SplunkTrust

Without a log example I can only suppose that you did some of my same old errors:

  • wrong sourcetype
  • wrong regex

Had you verified your regex in Splunk or regex101.com?
Can you share an example?

bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Your regex seems to be correct (backslashes before underscore aren't needed).
Verify the sourcetype.
bye.
Giuseppe

0 Karma

hartfoml
Motivator

Thanks much, this helped

0 Karma

mattymo
Splunk Employee

Hey Hartfoml!

Just a few first level queries for you:

Are you using a standalone or distributed deployment architecture?

Are you monitoring a file or catching syslog?

Have you confirmed your regex using something like regex101.com? (just to be sure)

Using any other sourcetypes/props on these events?

- MattyMo
0 Karma