Hello guys!
I need help to create "filter out" in Palo Alto firewall events.
I want to discard the DNS query events whose field dest = 8.8.8.8.
I created entries in props.conf and transform.conf
props.conf
[source :: udp: 5514]
TRANSFORMS-null = setnull4
transform.conf
[setnull4]
REGEX = ^ (?: [^ \ N] *) {8} (P [^,] +?)
DEST_KEY = queue
FORMAT = nullQueue
I also tried REGEX = (.*)8.8.8.8, but it did not work.
Can anyone help me how to create a "filter out" to discard these events?
Thank you.
I solved that.
props.conf
[source::udp:514]
TRANSFORMS-nullQ=nullFilter
transform.conf
[nullFilter]
REGEX = (%ASA-\d+-.(Built|Teardown))
DEST_KEY = queue
FORMAT = nullQueue
Tks,
If you are trying to throw away any events that have a field dest
with a value of 8.8.8.8
then try this:
props.conf
[source::udp:5514]
TRANSFORMS-null = setnull4
transforms.conf
[setnull4]
SOURCE_KEY = dest
REGEX = 8\.8\.8\.8
DEST_KEY = queue
FORMAT = nullQueue
NOTE: Be sure that there are no spaces in the stanza headers (around your colons).
Hi woodcock,
This REGEX does not work. The line SOURCE_KEY = dest was not accepted; an inconsistency error appears. I tried without the line SOURCE_KEY = dest, and it still did not work.
Thanks in advance.
If it really will not take SOURCE_KEY = dest, then remove just that line and try this REGEX instead (to match anywhere in _raw):
REGEX = (^|\D)8\.8\.8\.8(\D|$)
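As an added illustration (not code from the thread or from Splunk), the script below mimics what a nullQueue transform does: events whose _raw matches REGEX are dropped. It runs the unescaped pattern the original poster tried and the anchored pattern from the last reply over constructed, simplified Palo Alto style events to show why the escaping and the \D boundaries matter.

```python
import re

# Constructed, simplified events in the spirit of the Palo Alto syslog feed
# discussed in the thread (not real captured logs). Layout assumed here:
# type,subtype,src,dst,app
SAMPLE_EVENTS = [
    "TRAFFIC,end,10.0.0.5,8.8.8.8,dns",      # the address we want to drop
    "TRAFFIC,end,10.0.0.6,18.8.8.8,ssl",     # different host, ends in 8.8.8.8
    "TRAFFIC,end,10.0.0.7,8.8.8.80,ssl",     # different host, starts with 8.8.8.8
    "TRAFFIC,end,10.0.0.8,1.1.1.1,dns",      # unrelated resolver
    "TRAFFIC,end,10.0.0.9,8x8y8z8,ssl",      # unescaped dots would match this
]

# The two patterns from the thread: the poster's attempt (dots unescaped,
# no boundaries) and the anchored one from the final reply.
NAIVE_REGEX = r"(.*)8.8.8.8"
ANCHORED_REGEX = r"(^|\D)8\.8\.8\.8(\D|$)"


def nullqueue_filter(events, regex):
    """Mimic a transforms.conf stanza with DEST_KEY = queue, FORMAT = nullQueue.

    Splunk sends an event to nullQueue (discards it) when REGEX matches _raw.
    Returns the events that would survive and be indexed.
    """
    pattern = re.compile(regex)
    return [e for e in events if not pattern.search(e)]


def dropped(events, regex):
    """The events the stanza would discard (complement of nullqueue_filter)."""
    kept = set(nullqueue_filter(events, regex))
    return [e for e in events if e not in kept]


if __name__ == "__main__":
    for name, rx in (("naive", NAIVE_REGEX), ("anchored", ANCHORED_REGEX)):
        print(f"{name}: drops {len(dropped(SAMPLE_EVENTS, rx))} of {len(SAMPLE_EVENTS)}")
```

The naive pattern discards four of the five events, including traffic to 18.8.8.8 and 8.8.8.80; the anchored pattern discards only the 8.8.8.8 event. The match has to run against _raw because search-time fields such as dest do not exist yet when index-time transforms are applied.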