Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

host override not working

dkloud
Explorer
‎09-23-2020 08:56 AM

Hello,

We are using the Splunk app for checkpoint to ingest checkpoint logs via a heavy forwarder.

The host is always reported as the management server and we want to override that with the IPs of the actual firewalls.

I created the following files in the local folders on the heavy forwarder:

props.conf

[cp_log]
TRANSFORMS-host_override = host_override

transforms.conf

[host_override]
REGEX = origin=([^|]+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

Restarted Splunk but there's no change, the host value remains the same.

btool shows that the local props and transforms files are applied.

I can even see the Field transformation on the heavy forwarder UI.

I've also checked that the regex works fine and extracts the correct values.

Any ideas?

Thank you!

Labels (2)
Labels
Reply

dkloud
Explorer
‎09-23-2020 11:54 AM

Hi,

I finally made it work by editing the

/opt/splunk/etc/system/local/props.conf and transform.conf files

instead of the ones in:

/opt/splunk/etc/apps/TA-check-point-app-for-splunk/local

Regards,

Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-23-2020 01:06 PM
In indexing those files on system/local always wins. You should use
splunk btool props list —debug <your sourcetype>
To see what and where configs are valid.
Reply

dkloud
Explorer
‎09-23-2020 09:10 AM

origin=10.10.10.10 is (one of ) the firewalls IPs that we want to be present in the host field

Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-23-2020 10:28 AM
You are sure that this is the first full enterprise instance on path where those events are coming?
Reply

dkloud
Explorer
‎09-23-2020 09:08 AM

Hi @gcusello ,

Sure, here's one "anonymized" log 🙂

time=1600865570|hostname=ckpman|product=Firewall|action=Drop|ifdir=inbound|ifname=eth2-01.123|loguid={0x512344ba,0x123,0x6612300a,0x3fff1234}|origin=10.10.10.10|originsicname=CN\=editedfwname,O\=ckpman..aaaaaa|sequencenum=1|time=1600865570|version=5|dst=192.168.0.20|message_info=Address spoofing|proto=17|s_port=137|service=137|src=192.168.0.10

Regards,

Reply

gcusello
SplunkTrust
SplunkTrust
‎09-24-2020 12:35 AM

Hi @dkloud ,

the hostname you want to set is the one after "hostname=", is it correct?

if this is your requirent, please, try this:

[host_override]
REGEX = hostname\=([^|]+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

probably the problem is that "=" is a special char so you have to escape it.

Ciao.

Giuseppe

0 Karma
Reply

dkloud
Explorer
‎09-24-2020 08:01 AM

Hi @gcusello ,

As said, in the end it worked by editing the /opt/splunk/etc/system/local props and transforms files

So the regex was correct after all, I didn't have to escape the "=" sign.

Thanks for the suggestion though!

Regards,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-23-2020 09:01 AM

Hi @dkloud,

could you share a sample of your logs?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...