Being a newbie with splunk, I don't get much further than installing splunk and having a listener set up to which the SSG sends it syslog data.
I need to make traffic reports out of the traffic logs from certain firewall policies.
The output should be a table with following colums:
Source IP | total recv'd data | total sent data | total of recv'd+sent
192.168.1.x | 400 MB | 100 MB | 500 MB
192.168.1.y | 150 MB | 1 GB | 1,15 GB
...
The input is, as said, ScreenOS syslog data in the form of:
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:51" duration=5 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=4090 dst_port=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 session_id=15683 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:52" duration=4 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=3789 dst_port=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 session_id=15984 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:25" duration=31 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 src_port=3293 dst_port=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 session_id=15342 reason=Close - TCP RST
gw0-NLA
Does somebody has experience with this and could give me some hints?
thanks!
Note the issue with your raw data, "src-xlated ip" and "dst-xlated ip" are being extracted as "ip" because of the space. I used rex to pull them together. It would be better to change the log format. The next step would be to take this regex and add it to an extract and transform.
assuming sent/received is in bytes, here is a good start for you:
NetScreen | rex field=_raw "src-xlated ip=(?<src_ip>[\d+\.]+)" | rename src_ip AS "Source IP" | stats sum(sent) AS sentBytes sum(rcvd) AS rcvdBytes sum(eval(sent+rcvd)) AS total by "Source IP"