Getting Data In

How to drop incoming deny logs from firewall logs

hartfoml
Motivator

I am trying to filter out all inbound deny syslog that the firewall is sending.
I have a props.conf like this:

[srx_log]
TRANSFORMS-srxDrop = srxDropDeny

I have a transforms.conf like this:

##############################
#  Drop Firewall inbound deny
###############################

[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")
DEST_KEY = queue
FORMAT = nullQueue

I can see that the logs are not being dropped.

How do I ..... or where do I look to see why this is not working? Is there an internal log that tracks props and transforms activity? Is there a log file that shows whether or not a filter is working?

1 Solution

hartfoml
Motivator

I think I figured it out. Regex is case sensitive and I had two source zones, one with a lowercase "u" and one with an uppercase "U", so I had to add the "|" OR symbol to add the second source-zone-name:

[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))
DEST_KEY = queue
FORMAT = nullQueue

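To make the accepted fix concrete, here is an added example (editor's code, not part of the original thread or of Splunk itself) that simulates what the indexer's parsing queue does with a transforms.conf stanza whose DEST_KEY is queue and FORMAT is nullQueue: each event's _raw is searched (unanchored) for REGEX, and a match sends the event to nullQueue. It runs the thread's original regex, the accepted alternation fix, and a third variant using the PCRE inline flag (?i), which Splunk's regex engine accepts, over a handful of constructed SRX events in the shape of the sample posted in this thread. Hostnames, addresses and policy names are placeholders, and the RT_FLOW_SESSION_CREATE event and the internal "trust"-zone deny are included to show that the filter leaves them alone.

```python
import re

# Constructed sample events in the shape of the Juniper SRX RT_FLOW syslog
# shown in the thread; hosts, addresses and policy names are placeholders.
def make_event(message_tag, source_zone):
    """Build one SRX structured-syslog line with the given tag and zone."""
    return (
        f'<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - {message_tag} '
        f'[junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" '
        f'destination-address="x.x.x.x" destination-port="80" '
        f'service-name="junos-http" protocol-id="6" policy-name="my policyname" '
        f'source-zone-name="{source_zone}" destination-zone-name="my zone" '
        f'packet-incoming-interface="reth0.0" reason="none"]'
    )


SAMPLE_EVENTS = [
    make_event("RT_FLOW_SESSION_DENY", "Untrust"),    # inbound deny, capital U
    make_event("RT_FLOW_SESSION_DENY", "untrust"),    # inbound deny, lowercase u
    make_event("RT_FLOW_SESSION_DENY", "trust"),      # internal deny: keep it
    make_event("RT_FLOW_SESSION_CREATE", "Untrust"),  # permitted session: keep it
]

# REGEX values copied from the thread's transforms.conf (the escaped "\_" and
# "\=" are harmless but unnecessary), plus a case-insensitive alternative that
# uses the PCRE inline flag "(?i)", which Splunk's regex engine accepts.
ORIGINAL_REGEX = r'(RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")'
FIXED_REGEX = (
    r'(RT\_FLOW\_SESSION\_DENY.+'
    r'(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))'
)
CASE_INSENSITIVE_REGEX = r'(?i)RT_FLOW_SESSION_DENY.+source-zone-name="untrust"'


def route_event(event, regex):
    """Mimic a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue:
    an event whose _raw matches REGEX (unanchored search, as Splunk does it)
    goes to nullQueue and is discarded; anything else continues to indexQueue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def filter_events(events, regex):
    """Split a batch of events into (dropped, indexed) lists."""
    dropped = [e for e in events if route_event(e, regex) == "nullQueue"]
    indexed = [e for e in events if route_event(e, regex) == "indexQueue"]
    return dropped, indexed


def zones_of(events):
    """Pull the source-zone-name values out of a list of events (for display)."""
    return [re.search(r'source-zone-name="([^"]*)"', e).group(1) for e in events]


if __name__ == "__main__":
    for label, regex in [("original", ORIGINAL_REGEX),
                         ("fixed (alternation)", FIXED_REGEX),
                         ("fixed ((?i) flag)", CASE_INSENSITIVE_REGEX)]:
        dropped, indexed = filter_events(SAMPLE_EVENTS, regex)
        print(f"{label:22} dropped zones={zones_of(dropped)} "
              f"indexed={len(indexed)}")
```

With the original regex only the lowercase "untrust" event is dropped and the "Untrust" event is indexed; both fixed variants drop the two inbound denies and leave the internal deny and the session-create event untouched. Two checks worth doing on a real deployment before blaming the regex: nullQueue routing happens in the parsing phase, so the props.conf and transforms.conf stanzas must sit on the indexer or heavy forwarder that first parses the data (a universal forwarder does not apply them), and `splunk btool transforms list srxDropDeny --debug` confirms which file the stanza is actually being loaded from after a restart.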

hartfoml
Motivator

Here is a sample of the firewall log that I am trying to drop:

<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" destination-address="x.x.x.x" destination-port="80" service-name="junos-http" protocol-id="6" icmp-type="0" policy-name="my policyname" source-zone-name="Untrust" destination-zone-name="my zone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="UNKNOWN" reason="none"] 

gcusello
Esteemed Legend

Without a log example I can only suppose that you made some of the same old errors I did:

  • wrong sourcetype
  • wrong regex

Have you verified your regex in Splunk or on regex101.com?
Can you share an example?

bye.
Giuseppe


gcusello
Esteemed Legend

Your regex seems to be correct (backslashes before underscores aren't needed).
Verify the sourcetype.
bye.
Giuseppe


hartfoml
Motivator

Thanks much, this helped.


mattymo
Splunk Employee

Hey Hartfoml!

Just a few first-level questions for you:

Are you using a standalone or distributed deployment architecture?

Are you monitoring a file or catching syslog?

Have you confirmed your regex using something like regex101.com? (just to be sure)

Using any other sourcetypes/props on these events?

- MattyMo