How to parse Veeam Logs?

sanglap666
Loves-to-Learn

Hi Everyone,

I have sample logs for a Virsec event. Below is a sample event.

Mar 1 06:24:05 xxx.xxx.xxx.xxx CEF:1|Virsec Security Platform|Virsec|x.x.x|41|Library Monitoring|10|EventId=VS-NA-030123-A02447| Server_Name=xxxxxx Incident_Level=ATTACK Incident_Category=FILE_INTEGRITY Incident_Type=Library Monitoring Incident_Timestamp=01 Mar 2023 02:24:05 PM GMT Process Checksum=097ce5761c89434367598b34fe32893b Action=LOG Parameters=cmdline Parent Process Name=cmd.exe Process Threat Verification Status =Safe Process Path=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Library Checksum=2cdb991bbbb60eb91c2df5f68e96e8fe Canary No=1220704979 Process Profile Name=xxxxxxxxxxxxxxxxxxxxxx Number of Libraries=1 Library Name=EdrDotNet.UnmanagedLib.dll Start Time=2023-03-01T14:23:58.661-05:00 Process Name=powershell.exe Process Profile Id=494037864 processObjectId=63f35f7a0ac3c9670c943e14 Username=xxxxxxx\xxxxxxx libraryObjectId=63f35f7a0ac3c9670c943e16 Library Path=C:\Windows\System32\EdrDotNet.UnmanagedLib.dll Event Type=New Library for Process Incident Type=Library Injection Process Pid=9632 Type=Library Monitoring Incident Description=Library Monitoring eventTime=2023-03-01T14:23:58.661-05:00 category=FILE_INTEGRITY threatCode=LibraryInjection
I have created parsing for this using EXTRACT- in props.conf inside a separate app.
[virsec:library]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Library Checksum
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-LibraryName = Library Name=(?<LibraryName>.*) Start Time
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-LibraryPath = Library Path=(?<LibraryPath>.*) Event Type
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path
Not sure why the parsing is not working. Can somebody help?

richgalloway
SplunkTrust

Where did you install this app?  Did you restart the Splunk instance(s) afterwards?  The app should be installed on the Search Head, Indexers, and Heavy Forwarders (if any).

Have you tested the regular expressions on https://regex101.com to verify they work as expected?

Does the inputs.conf stanza have the right sourcetype?

---
If this reply helps you, Karma would be appreciated.

sanglap666
Loves-to-Learn

Hi @richgalloway ,

My Splunk instance is a standalone free Splunk Enterprise deployment.

I have created the virsec_app and placed all configurations inside the local folder, and also restarted the server.

I tried the regexes and all are working: I tried field extraction from the Splunk GUI and all worked fine, so I tried it through the backend using props.conf, but it seems it doesn't work. Please find below my whole configuration.

inputs.conf
[monitor://c:\\<location for the log>]
index=virsec
sourcetype=virsec_log


props.conf
[virsec_log]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
TRANSFORMS-sourcetype=virsec_library,virsec_process

[virsec:library]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Library Checksum
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-LibraryName = Library Name=(?<LibraryName>.*) Start Time
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-LibraryPath = Library Path=(?<LibraryPath>.*) Event Type
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path

[virsec:process]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) Canary No
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path


transforms.conf
[virsec_library]
SOURCE_KEY = _raw
REGEX = (LibraryMonitoring|LibraryInjection|LibraryHijack)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::virsec:library


[virsec_process]
SOURCE_KEY = _raw
REGEX = (ProcessMonitoring|ProcessInjection)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::virsec:process


indexes.conf
[virsec]
homePath = $SPLUNK_DB/virsec/db
coldPath = $SPLUNK_DB/virsec/colddb
thawedPath = $SPLUNK_DB/virsec/thaweddb
maxDataSize = 10000
maxHotBuckets = 10


richgalloway
SplunkTrust

I think I understand the problem.  The application of props.conf settings is a single-pass operation.  If the sourcetype changes during that pass another pass for the new sourcetype is NOT performed.

The only way (that I know of) to process the new sourcetype is by using the CLONE_SOURCETYPE setting in transforms.conf.  That will, however, keep the original copy of the data in its current form.

You should be able to extract fields using a single sourcetype.  It looks like the only difference between the two sourcetypes is the words used to end some regexes.  Consider combining them.

[virsec_log]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD=15
TIME_FORMAT=%b %d %H:%M:%S
EXTRACT-processpath = Process Path=(?<ProcessPath>.*) (Library|Canary)
EXTRACT-ParentProcessName = Parent Process Name=(?<ParentProcessName>.*) Process Threat
EXTRACT-ProcessName = \d\sProcess Name=(?<ProcessName>.*) Process Profile Id
EXTRACT-ProcessProfileName = Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries
EXTRACT-ProcessThreatVerificationStatus = Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path
EXTRACT-LibraryName = Library Name=(?<LibraryName>.*) Start Time
EXTRACT-LibraryPath = Library Path=(?<LibraryPath>.*) Event Type
---
If this reply helps you, Karma would be appreciated.
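The following is an added Python example, not code from this thread, from Splunk or from Virsec. It runs the combined EXTRACT- regexes from the reply above over the sample event from the question (Splunk's PCRE-style `(?<name>...)` groups are rewritten to Python's `(?P<name>...)`), applies the two transforms.conf routing regexes from the question in their listed order, and flags any extracted field whose value swallowed a neighbouring `key=value` pair. The HARDENED variant of the ProcessPath regex and the short process-style fragment are my own assumptions and are not part of the thread.

```python
import re

# Sample event copied from the question above (split into adjacent literals for readability).
SAMPLE_EVENT = (
    r"Mar 1 06:24:05 xxx.xxx.xxx.xxx CEF:1|Virsec Security Platform|Virsec|x.x.x|41|Library Monitoring|10|"
    r"EventId=VS-NA-030123-A02447| Server_Name=xxxxxx Incident_Level=ATTACK Incident_Category=FILE_INTEGRITY "
    r"Incident_Type=Library Monitoring Incident_Timestamp=01 Mar 2023 02:24:05 PM GMT "
    r"Process Checksum=097ce5761c89434367598b34fe32893b Action=LOG Parameters=cmdline Parent Process Name=cmd.exe "
    r"Process Threat Verification Status =Safe Process Path=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"Library Checksum=2cdb991bbbb60eb91c2df5f68e96e8fe Canary No=1220704979 "
    r"Process Profile Name=xxxxxxxxxxxxxxxxxxxxxx Number of Libraries=1 Library Name=EdrDotNet.UnmanagedLib.dll "
    r"Start Time=2023-03-01T14:23:58.661-05:00 Process Name=powershell.exe Process Profile Id=494037864 "
    r"processObjectId=63f35f7a0ac3c9670c943e14 Username=xxxxxxx\xxxxxxx libraryObjectId=63f35f7a0ac3c9670c943e16 "
    r"Library Path=C:\Windows\System32\EdrDotNet.UnmanagedLib.dll Event Type=New Library for Process "
    r"Incident Type=Library Injection Process Pid=9632 Type=Library Monitoring "
    r"Incident Description=Library Monitoring eventTime=2023-03-01T14:23:58.661-05:00 "
    r"category=FILE_INTEGRITY threatCode=LibraryInjection"
)

# Constructed process-style fragment (the thread shows no process event); it only exercises the
# "Canary No" terminator that the [virsec:process] stanza in the question relies on. Assumption.
CONSTRUCTED_PROCESS_FRAGMENT = (
    r"Parent Process Name=explorer.exe Process Threat Verification Status =Safe "
    r"Process Path=C:\Program Files\Example\svc.exe Canary No=42 "
    r"Process Profile Name=demo Number of Libraries=0"
)

# The right-hand sides of the EXTRACT- settings from the combined [virsec_log] stanza in the reply.
COMBINED_EXTRACTS = {
    "processpath": r"Process Path=(?<ProcessPath>.*) (Library|Canary)",
    "ParentProcessName": r"Parent Process Name=(?<ParentProcessName>.*) Process Threat",
    "ProcessName": r"\d\sProcess Name=(?<ProcessName>.*) Process Profile Id",
    "ProcessProfileName": r"Process Profile Name=(?<ProcessProfileName>.*) Number of Libraries",
    "ProcessThreatVerificationStatus":
        r"Process Threat Verification Status =(?<ProcessThreatVerificationStatus>.*) Process Path",
    "LibraryName": r"Library Name=(?<LibraryName>.*) Start Time",
    "LibraryPath": r"Library Path=(?<LibraryPath>.*) Event Type",
}

# My own suggested ProcessPath regex (assumption, not from the thread): a lazy quantifier plus the
# full name of the terminating field, so the capture stops at the first "Library Checksum" or
# "Canary No" instead of backtracking to the last " Library" anywhere in the event.
HARDENED_EXTRACTS = dict(
    COMBINED_EXTRACTS,
    processpath=r"Process Path=(?<ProcessPath>.*?) (?:Library Checksum|Canary No)",
)

# transforms.conf stanzas from the question, in the order listed in TRANSFORMS-sourcetype.
ROUTING = [
    (r"(LibraryMonitoring|LibraryInjection|LibraryHijack)", "virsec:library"),
    (r"(ProcessMonitoring|ProcessInjection)", "virsec:process"),
]


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...); lookbehinds (?<= (?<! untouched."""
    return re.sub(r"\(\?<(?P<n>[A-Za-z_]\w*)>", r"(?P<\g<n>>", pattern)


def extract_fields(event: str, extracts: dict) -> dict:
    """Apply each extraction to the event; a regex that does not match simply yields no field."""
    fields = {}
    for pattern in extracts.values():
        m = re.search(pcre_to_python(pattern), event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def route_sourcetype(event: str, original: str = "virsec_log") -> str:
    """Apply the routing transforms in listed order; a later match overwrites an earlier one."""
    sourcetype = original
    for regex, new_sourcetype in ROUTING:
        if re.search(regex, event):
            sourcetype = new_sourcetype
    return sourcetype


def overmatched(fields: dict) -> list:
    """Sanity check: a field value that contains '=' has swallowed a neighbouring key=value pair."""
    return sorted(name for name, value in fields.items() if "=" in value)


if __name__ == "__main__":
    print("routed sourcetype:", route_sourcetype(SAMPLE_EVENT))
    for label, extracts in (("combined", COMBINED_EXTRACTS), ("hardened", HARDENED_EXTRACTS)):
        fields = extract_fields(SAMPLE_EVENT, extracts)
        print(f"{label}: ProcessPath={fields['ProcessPath']!r} overmatched={overmatched(fields)}")
```

On the library event the combined `(Library|Canary)` terminator makes ProcessPath run from powershell.exe through to `Event Type=New`, because `.*` backtracks to the last ` Library` in the line. Any alert keyed on ProcessPath would compare against that junk without erroring, which is why the `overmatched` check is worth running on a sample of real events before trusting a stanza.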