To cut a long story short, I'm looking to extract a CVE number for my Vulnerabilities Data Model for ES.
An example of the field I want to extract from is:
plugin_name: Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)
I want to create a field called 'cve' which extracts CVE-2020-0674.
If I rex this in a search, it is fine
| rex field=_raw "\((?<cve>CVE[\w-]+)"
If I add this as an extracted field by editing props.conf (as shown below) then nothing gets extracted. Does anyone know why?
[source:type]
EXTRACT-cve = (?<cve>CVE[\w-]+)
Don't forget the double ::
when defining props stanzas that apply to a 'source':
[source::/some/source]
EXTRACT-cve = (?<cve>CVE[\w-]+)
{note: edited for clarity}
Can you give us the entire stanza from props.conf?
[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)
I've created a props.conf in a 'local' folder in the TA so that's all that's in that file.
Also - just picking up on this sentence:
I've created a props.conf in a 'local' folder in the TA so that's all that's in that file.
Is that TA (App) shared globally on the search head?
In order for your extraction to be available in another app, you need to make sure that it is shared globally.
If you have a TA which is not 'visible' in your apps list on the SH, unless it is global, you will never be in that app's context, so your extractions won't be visible from, say, 'search and reporting' or any other app.
Ah ok, confusion with "source" vs "sourcetype"
If your props stanza is a source you must use
[source::/var/log/mylog]
if it's a sourcetype you just use the sourcetype name which in your case is nessus:scan, so
[nessus:scan]
is correct.
Out of interest, how are you collecting logs from nessus - are you using an app to collect data from Security Centre via the API? (if so which one)
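To make the source-vs-sourcetype point concrete, here is a small stand-in for Splunk's search-time stanza selection and EXTRACT handling, added as an example (it is not from this thread or from Splunk's own code). The props.conf text and the events are constructed; the `source::` wildcard matching is a simplification of Splunk's, and the `nessus_api` source name and the non-nessus:scan CVE values are placeholders.

```python
import configparser
import fnmatch
import re

# Constructed props.conf mirroring the stanzas discussed above.
PROPS_CONF = r"""
[nessus:scan]
EXTRACT-cve = \((?<cve>CVE[\w-]+)
[source::/var/log/mylog*]
EXTRACT-cve = (?<cve>CVE[^)]+)
"""

# Constructed events; the first _raw is the plugin_name line from the question.
EVENTS = [
    {"sourcetype": "nessus:scan", "source": "nessus_api",
     "_raw": "plugin_name: Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)"},
    {"sourcetype": "nessus", "source": "nessus_api", "_raw": "plugin_name: X (CVE-2099-00001)"},  # no stanza applies
    {"sourcetype": "syslog", "source": "/var/log/mylog.1", "_raw": "alert (CVE-2099-00002) seen"},  # source:: stanza
]

def load_props(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "EXTRACT-cve" as written instead of lower-casing it
    cp.read_string(text)
    return cp

def pcre_to_python(regex):
    # Splunk accepts PCRE-style (?<name>...); Python's re module needs (?P<name>...)
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)

def stanzas_for(cp, source, sourcetype):
    """[source::pattern] is matched against the event's source (with * wildcards); any other stanza name against sourcetype."""
    hits = []
    for name in cp.sections():
        if name.startswith("source::"):
            if fnmatch.fnmatchcase(source, name[len("source::"):]):
                hits.append(name)
        elif name == sourcetype:
            hits.append(name)
    return hits

def extract_fields(cp, event):
    """Apply every EXTRACT-* setting from the applicable stanzas to _raw and return the captured fields."""
    fields = {}
    for stanza in stanzas_for(cp, event["source"], event["sourcetype"]):
        for key, regex in cp[stanza].items():
            if key.startswith("EXTRACT-"):
                if match := re.search(pcre_to_python(regex), event["_raw"]):
                    fields.update(match.groupdict())
    return fields
```

Running `extract_fields(load_props(PROPS_CONF), ev)` over EVENTS shows the first event yielding cve=CVE-2020-0674, the second (sourcetype nessus instead of nessus:scan) yielding nothing, and the third picked up by the source:: stanza.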
Sorry - hit submit too early...
The reason I ask is that I suspect the logs are being imported as JSON, which means that the raw event may look different to what you see rendered as events in the UI.
Could you try (?<cve>CVE[^)]+)
as the regex instead?
I see you have not added the exact string in the props. Can you just copy the regex string within the "" and then try?
I mean try adding: \((?<cve>CVE[\w-]+)
Hi, thanks for such a quick response. No change unfortunately. I've added the :: mentioned here as well (which I've not seen used before).
Very strange, I've never had issues with this before. Maybe something it doesn't like in the regex?