Splunk Enterprise Security

need help with multivalue fields for chmod and find linux commands

3DGjos
Communicator

Good evening,

I'm having trouble parsing these events as multivalue fields:

Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
    PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
    /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
-mtime +30 -exec /usr/bin/rm {} ;

From this, I need to extract the fields OBJECT and OBJECT_PATH to make it CIM compliant. I need to capture all of these lines:

/u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1

as every OBJECT_PATH value.

And every path that can appear in the event, except the last part, which will be OBJECT:

/log_137.xml
/log_10.xml
/log.xml

So far I have this field extraction for both:

command\snot\sallowed.*\s*.*\/s?bin\/find[\s\S]*?(?<object_path>\/.*)(?<object>\/.*)

It would work great if my events only contained one file being "searched", but they can come with more than 128 files and their paths being affected by the find and delete command. I need help capturing these two fields as multivalue ones. Please help.

Thanks in advance !

0 Karma

3DGjos
Communicator

Sorry, I forgot to add: I need to be able to put the configuration inside my props.conf, transforms.conf and fields.conf files.

0 Karma

3DGjos
Communicator

@niketnilay thanks for your answer, the regex I need is something like this:

\s+(?<object_path>\/.*\/)(?<object>[^\s]+)(\s?.+?)+?

where object is:

log.xml, log_1.xml, etc.

The regex I posted works, but it also matches the final rm command, which I don't need to match. Can you please make a regex that matches only the path and object, without the final rm command? Plus, I need the regex to match anyway if the rm command is not there; I mean, it should match even if the rm command is not present in the event.

Thanks in advance, I will try your solution !

0 Karma

niketn
Legend

@3DGjos, can you try the following regular expression?

 | rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0

Following is a run anywhere search:

 | makeresults
 | eval _raw=" Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
     PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
     /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
     /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
     /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
 -mtime +30 -exec /usr/bin/rm {} ;"
 | rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0

After testing the same at search time, in order to set this up as configuration you would need to use fields.conf, props.conf and transforms.conf; refer to the TOKENIZER documentation.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
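Added example, not part of the thread (mine, not niketn's or the asker's): a Python script that runs one regex over the event quoted in the question and produces object_path and object as multivalue fields, one pair per file argument of find. It skips the `/usr/bin/rm` passed to `-exec`, which was the problem with the asker's own regex, and gives the same result when the `-exec` tail is absent. The sample events are constructed from the posted event (redacted `xxxx` paths kept as posted), the function names are mine, and the pattern uses only constructs that PCRE (what `rex` and transforms.conf use) supports as well, so it can be pasted into Splunk unchanged. A second function parses the find argument list without the regex, as an independent cross-check of the extraction.

```python
import re

# Constructed sample event, built from the event quoted in the thread above
# (paths redacted with "xxxx" exactly as the asker posted them).
EVENT_WITH_RM = (
    "Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;\n"
    "    PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find\n"
    "    /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml\n"
    "    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml\n"
    "    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml\n"
    "-mtime +30 -exec /usr/bin/rm {} ;"
)
# The same command without the -exec tail: the extraction must behave identically.
EVENT_WITHOUT_RM = EVENT_WITH_RM.split(" -exec", 1)[0]

# One match per file argument. Written so it can be pasted into transforms.conf:
# PCRE accepts (?P<name>...) named groups, and both lookbehinds are fixed-width.
#   (?<!-exec)       skip the rm binary that follows "-exec"
#   (?<!\s)\s+       a path must follow a whitespace run, so PWD=/... and
#                    COMMAND=/usr/bin/find (no whitespace before the slash) are skipped;
#                    the run must start right after a non-space, so "-exec  /usr/bin/rm"
#                    with two spaces is still skipped
#   /\S* / [^\s/]+   split at the last slash: directory, then file name
#   /?(?=\s|$)       tolerate a trailing slash and require the token to end there
FIND_OBJECT_REGEX = (
    r"(?<!-exec)(?<!\s)\s+(?P<object_path>/\S*)/(?P<object>[^\s/]+)/?(?=\s|$)"
)
PATH_RE = re.compile(FIND_OBJECT_REGEX)


def extract_objects(event: str) -> dict[str, list[str]]:
    """Multivalue extraction, i.e. what `rex ... max_match=0` or a transforms.conf
    stanza with MV_ADD = true produces: one value per match, in event order."""
    fields: dict[str, list[str]] = {"object_path": [], "object": []}
    for m in PATH_RE.finditer(event):
        fields["object_path"].append(m.group("object_path"))
        fields["object"].append(m.group("object"))
    return fields


def find_targets(event: str) -> list[tuple[str, str]]:
    """Independent cross-check without the regex: parse the find argument list
    the way find does (starting points come first; the first token beginning
    with '-' starts the expression) and split each path at its last slash."""
    argv = event.split("COMMAND=", 1)[1].split()
    targets: list[tuple[str, str]] = []
    for tok in argv[1:]:  # argv[0] is the find binary itself
        if tok.startswith("-"):
            break
        directory, _, name = tok.rstrip("/").rpartition("/")
        targets.append((directory, name))
    return targets


if __name__ == "__main__":
    for label, event in (("with -exec rm", EVENT_WITH_RM), ("without -exec rm", EVENT_WITHOUT_RM)):
        fields = extract_objects(event)
        pairs = list(zip(fields["object_path"], fields["object"]))
        print(f"{label}: {len(pairs)} objects, cross-check agrees: {pairs == find_targets(event)}")
        for path, name in pairs:
            print(f"  object_path={path}  object={name}")
```

To turn this into configuration instead of a search-time `rex` (my suggestion, not something from the thread): put the pattern in a transforms.conf stanza as `REGEX = ...` with `MV_ADD = true`, and reference the stanza from props.conf with `REPORT-<name> = <stanza>`. MV_ADD is what makes a search-time REGEX extraction keep every match as another value, which is what turns object_path and object into multivalue fields. The regex splits at the last slash, so object carries no leading slash, matching the asker's follow-up ("log.xml, log_1.xml") rather than the first post.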