Splunk Enterprise

How to get Forcepoint Firewall Logs Not Parsing Properly

syazwani
Path Finder

We have onboarded firewall logs from Forcepoint, and they are not parsing properly in Splunk. We tried to find an add-on to ingest the logs but found none. Is there any way we can solve this issue?

Here is an example of our current firewall log:

Feb 17 10:25:09 172.XX.XX0.XX0 "2022-02-17 10:25:51","3350841932","172.XX.XXX.XXX","Packet Filtering","Notification","New connection","Allow","123.XXX.XXX.XX","113.XX.XXX.XXX","DNS (UDP)","17","52129","53","4372.39","123.XXX.XXX.XXX","17X.XXX.XXX.XX","52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,


Please advise.


m_pham
Splunk Employee

Adding on to what @SanjayReddy was saying about the props.conf configurations, best practice is to include the minimum configurations below.

I'm assuming your events start off with the date format (Feb 17 10:25:09), so here is an example of the big 6/8 configs, depending on which Splunk host is sending or ingesting the data; put the props on the HF/IDX for parsing. I think you're sending the logs via syslog since I notice two timestamps, and I'm going to use the timestamp inside the double quotes for the event time.

props.conf


# Placeholder stanza name: replace it with the sourcetype you assign to these events
[<your_sourcetype>]
# Assuming your time prefix is the first set that starts with double quotes;
# the prefix includes the opening quote so the timestamp match starts on the digits
TIME_PREFIX = ^[^"]+"
MAX_TIMESTAMP_LOOKAHEAD = 20
# Assuming your hours are in 24 hour notation (%T)
TIME_FORMAT = %F %T
SHOULD_LINEMERGE = false
# Syslog space-pads single-digit days ("Feb  7"), so allow one or two digits for the day
LINE_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}
TRUNCATE = 10000
# Use the following attributes to handle better load balancing from UF.
# Please note the EVENT_BREAKER properties are applicable for Splunk Universal
# Forwarder instances only. Valid with forwarders > 6.5.0
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}



SanjayReddy
Builder

Hi @syazwani

I found this add-on on Splunkbase; will this help?

https://splunkbase.splunk.com/app/2966/#/details

https://docs.splunk.com/Documentation/AddOns/latest/WebsenseCG/About

Also, from the log file you mentioned, what are the event boundaries, i.e. where does each event start and end?

If the above add-on won't work, we can parse the data properly using props.conf.

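Both answers above come down to two things: where each event starts and ends (SanjayReddy's question), and which of the two timestamps Splunk should index on (m_pham's props.conf). The script below is an added example, not code from this thread, from Splunk or from Forcepoint. It re-implements the LINE_BREAKER, TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD semantics in plain Python so the settings can be checked offline against the masked line from the question before anything is deployed. Assumptions: the syslog header has the shape `%b %e %H:%M:%S <host> `, the body is double-quoted CSV whose first field is the firewall's own timestamp, and the second sample line (single-digit day, RFC 5737 documentation address) is constructed here to exercise syslog's space-padded day, which the `\d{2}` in the posted breaker does not match.

```python
"""Offline check of the props.conf logic discussed above (added example, not from the thread)."""
import csv
import re
from datetime import datetime

# Breaker from the answer, with the syslog day allowed to be one or two digits
# (syslog space-pads days below 10, e.g. "Feb  7"; the posted \d{2} misses those). Assumption.
LINE_BREAKER = re.compile(r"([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}")
# The breaker exactly as posted, kept for comparison.
ORIGINAL_LINE_BREAKER = re.compile(r"([\r\n]+)\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}")
# Everything up to and including the first double quote, so the window starts on the digits.
TIME_PREFIX = re.compile(r'^[^"]+"')
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # strptime spelling of Splunk's %F %T
MAX_TIMESTAMP_LOOKAHEAD = 20
SYSLOG_HEADER = re.compile(r"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(\S+)\s+")

# Constructed sample. BODY is the masked CSV body from the question; LINE2 reuses it with a
# single-digit day and a documentation-range host address (both constructed for this example).
BODY = (
    '"2022-02-17 10:25:51","3350841932","172.XX.XXX.XXX","Packet Filtering",'
    '"Notification","New connection","Allow","123.XXX.XXX.XX","113.XX.XXX.XXX",'
    '"DNS (UDP)","17","52129","53","4372.39","123.XXX.XXX.XXX","17X.XXX.XXX.XX",'
    '"52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,'
    '"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,'
)
LINE1 = "Feb 17 10:25:09 172.XX.XX0.XX0 " + BODY
LINE2 = "Feb  7 08:01:02 192.0.2.10 " + BODY.replace("2022-02-17 10:25:51", "2022-02-07 08:01:30")
SAMPLE = LINE1 + "\n" + LINE2 + "\n"


def split_events(buf, breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER: text before the capture group closes the previous event,
    the capture group itself is discarded, and the rest of the match opens the next event."""
    events, start = [], 0
    for m in breaker.finditer(buf):
        events.append(buf[start:m.start(1)])
        start = m.end(1)
    events.append(buf[start:])
    return [e.strip() for e in events if e.strip()]


def extract_time(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT: the %F %T timestamp is
    only looked for inside the lookahead window that follows the prefix match."""
    m = TIME_PREFIX.match(event)
    if not m:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.search(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", window)
    return datetime.strptime(ts.group(0), TIME_FORMAT) if ts else None


def parse_body(event):
    """Drop the syslog header and split the quoted CSV body; empty fields (,,) stay as ''."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        raise ValueError("no syslog header at start of event: " + event[:40])
    return next(csv.reader([event[m.end():]]))


def clock_skew_seconds(event, year):
    """Firewall timestamp minus syslog receive timestamp. The header carries no year, so the
    caller supplies it. A non-zero skew is why the answer indexes on the quoted field."""
    received = datetime.strptime(f"{year} {SYSLOG_HEADER.match(event).group(1)}", "%Y %b %d %H:%M:%S")
    return int((extract_time(event) - received).total_seconds())


if __name__ == "__main__":
    print(f"breaker as posted: {len(split_events(SAMPLE, ORIGINAL_LINE_BREAKER))} event(s)")
    print(f"fixed breaker:     {len(split_events(SAMPLE))} event(s)")
    for ev in split_events(SAMPLE):
        fields = parse_body(ev)
        print(extract_time(ev), f"skew={clock_skew_seconds(ev, 2022):+d}s", fields[6], fields[9])
```

Run it as-is; the posted breaker merges the two constructed lines into one event while the widened one yields two, and the skew shows the firewall's own timestamp running ahead of the syslog header by tens of seconds, which is the case for indexing on the quoted field rather than the header. Field positions are used instead of names because the thread does not give the Forcepoint column layout.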