Splunk Enterprise Security

need help with multivalue fields for chmod and find linux commands

3DGjos
Communicator

Good evening,

I'm having trouble parsing these events as multivalue fields:

Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
    PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
    /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
-mtime +30 -exec /usr/bin/rm {} ;

From this, I need to extract the fields OBJECT and OBJECT_PATH to make it CIM compliant. I need to capture all of these lines:

/u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert
/u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1

as every OBJECT_PATH value.

and every path that can appear in the event, except the last part, which will be OBJECT:

/log_137.xml
/log_10.xml
/log.xml

So far I have this field extraction for both:

command\snot\sallowed.*\s*.*\/s?bin\/find[\s\S]*?(?<object_path>\/.*)(?<object>\/.*)

It would work great if my events only contained 1 file being "searched", but they can come with more than 128 files and their paths being affected by the find and delete command. I need help to capture these 2 fields as multivalue ones. Please help.

Thanks in advance!

0 Karma

3DGjos
Communicator

Sorry, I forgot to add: I need to be able to put the configuration inside my props, transforms and fields.conf files.

0 Karma

3DGjos
Communicator

@niketnilay, thanks for your answer. The regex I need is something like this:

\s+(?<object_path>\/.*\/)(?<object>[^\s]+)(\s?.+?)+?

where object is:

log.xml, log_1.xml, etc.

The regex I put works, but it matches the final rm command, which I don't need to match. Can you please make a regex that matches only the path and object, without the final rm command? Plus, I need the regex to match anyway if the rm command is not there; I mean, it should match even if the rm command is not present in the event.

Thanks in advance, I will try your solution!

0 Karma

niketn
Legend

@3DGjos, can you try the following regular expression?

 | rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0

Following is a run anywhere search:

 | makeresults
 | eval _raw=" Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;
     PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find
     /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml
     /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml
     /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml
 -mtime +30 -exec /usr/bin/rm {} ;"
 | rex "\s+\/(?<object_path>[^\.]+)\.(?<object>\w+)" max_match=0

After testing the same at search time, in order to set this up as configuration, you would need to use fields.conf, props.conf and transforms.conf: refer to the TOKENIZER documentation.

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
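As an added example that is not code from this thread or from Splunk, the following Python script works through the two-step extraction the question is asking for, using Python's `re` module so it runs offline: first isolate the file arguments of `find` (everything after the find binary up to the first whitespace-delimited option token such as `-mtime` or `-exec`, or the end of the event), then split every path in that region at its last slash into `object_path` and `object`. Restricting step 2 to the find-argument region is what keeps `PWD=`, `/usr/bin/find` and `/usr/bin/rm` out of the multivalue fields, and the end-of-event alternative in the lookahead makes it work when no `-exec rm` clause is present. The first sample event is the one quoted in the question; the second is a constructed one-line variant without the rm clause. The option-token convention (a token starting with `-` preceded by whitespace) and the constructed paths are assumptions for this example; Splunk's PCRE spells the named groups `(?<name>...)` where Python uses `(?P<name>...)`.

```python
import re
from typing import Dict, List

# Sample events. The first is the event quoted in the question; the second is a
# constructed one-line variant with no -exec/rm clause, to show the extraction
# still works without it.
EVENT_WITH_RM = (
    "Jun 18 01:05:00 : oracle : command not allowed ; TTY=unknown ;\n"
    "    PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find\n"
    "    /u01/app/xxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log.xml\n"
    "    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_1.xml\n"
    "    /u01/app/xxxxx/diag/tnslsnr/sc02dbclient0201/listener_scan1/alert/log_10.xml\n"
    "-mtime +30 -exec /usr/bin/rm {} ;"
)
EVENT_WITHOUT_RM = (  # constructed; paths are placeholders
    "Jun 18 01:07:00 : oracle : command not allowed ; TTY=unknown ; "
    "PWD=/export/home/oracle ; USER=grid ; COMMAND=/usr/bin/find "
    "/u01/app/xxxx/diag/rdbms/orcl/trace/alert_orcl.log "
    "/u01/app/xxxx/diag/rdbms/orcl/trace/orcl_ora_1234.trc"
)

# Step 1: isolate the file arguments of find. They start after the find binary
# and end at the first whitespace-delimited option token ("-mtime", "-exec", ...)
# or at the end of the event. DOTALL (the (?s) flag in Splunk's PCRE) lets the
# region span wrapped lines. A dash inside a path (e.g. /opt/my-app) is not
# preceded by whitespace, so it does not terminate the region.
FIND_ARGS = re.compile(
    r"COMMAND=\S*/s?bin/find\s+(?P<find_args>.*?)(?=\s+-\w|\s*$)",
    re.DOTALL,
)

# Step 2: within that region only, split every absolute path at its last slash.
# Running this on the whole event instead would also pick up PWD=, the find
# binary and the rm binary, which is exactly the problem described in the thread.
PATH_TOKEN = re.compile(r"(?P<object_path>/\S*)/(?P<object>[^\s/]+)")


def find_args(event: str) -> str:
    """Return the text between the find binary and its first option, or ''."""
    m = FIND_ARGS.search(event)
    return m.group("find_args") if m else ""


def extract_objects(event: str) -> Dict[str, List[str]]:
    """Return object_path and object as parallel multivalue lists."""
    paths: List[str] = []
    names: List[str] = []
    for tok in PATH_TOKEN.finditer(find_args(event)):
        paths.append(tok.group("object_path"))
        names.append(tok.group("object"))
    return {"object_path": paths, "object": names}


if __name__ == "__main__":
    for ev in (EVENT_WITH_RM, EVENT_WITHOUT_RM):
        fields = extract_objects(ev)
        for p, o in zip(fields["object_path"], fields["object"]):
            print(f"{p}\t{o}")
```

The same two steps translate directly to SPL: one `rex` with `(?s)COMMAND=\S*/s?bin/find\s+(?<find_args>.*?)(?=\s+-\w|\s*$)` to carve out `find_args`, then `rex field=find_args max_match=0 "(?<object_path>/\S*)/(?<object>[^\s/]+)"` for the multivalue fields. For the props/transforms route, the first transform extracts `find_args` from `_raw` and the second uses `SOURCE_KEY = find_args` with `REPEAT_MATCH = true` and `MV_ADD = true`, listed in that order in the sourcetype's `REPORT-` setting so the intermediate field exists before the second transform runs.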