Splunk Enterprise Security
Highlighted

need help with multivalue fields for chmod and find linux commands

Communicator

Good evening,

I'm having trouble parsing this events as multivalue fields:

Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
    PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
    /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
-mtime +30 -exec /usr/bin/rm {} ;

from this, I need to extract the field OBJECT and OBJECT_PATH, to make it CIM compliant, I need to capture all of these lines:

/u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listenerscan1/alert
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener
scan1/alert/log_1

as every OBJECT_PATH value.

and every path that can appear in the event, except the last part, which will be OBJECT:

/log_137.xml
/log_10.xml
/log.xml

So far I have this field extraction for both:

command\snot\sallowed.*\s*.*\/s?bin\/find[\s\S]*?(?<object_path>\/.*)(?<object>\/.*)

it would work great if my events only contained 1 file being "searched", but they can come with more than 128 files and their paths being affected by the find and delete command. I need help to capture these 2 fields as multivalue ones. Please help.

Thanks in advance !

0 Karma
Highlighted

Re: need help with multivalue fields for chmod and find linux commands

Communicator

Sorry I forgot to add, I need to be able to put the configuration inside my props, transforms and fields.conf files

0 Karma
Highlighted

Re: need help with multivalue fields for chmod and find linux commands

Legend

@3DGjos, can you try the following regular expression?

 | rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0

Following is a run anywhere search:

 | makeresults
 | eval _raw=" Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
     PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
     /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
     /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
     /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
 -mtime +30 -exec /usr/bin/rm {} ;"
 | rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0

After testing the same at search time, in order to set this up as configuration, you would need to use fields.conf, props.conf and transforms.conf: Refer to TOKENIZER documentation.

Please try out and confirm!




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: need help with multivalue fields for chmod and find linux commands

Communicator

@niketnilay thanks for your answer, the regex I need is something like this:

\s+(?<object_path>\/.*\/)(?<object>[^\s]+)(\s?.+?)+?

where object is:

 log.xml, log_1.xml, etc

The regex I put works, but it matches the final RM command, which I don-t need to match, can you please make a regex that matches only the path and object? without the final RM command. Plus, I need the regex to match anyway if the Rm command is not there, I mean, it should match even if the -rm command is not present in the event.

Thanks in advance, I will try your solution !

0 Karma