Splunk Enterprise

How to get Forcepoint Firewall Logs Not Parsing Properly

syazwani
Path Finder

We have onboarded firewall logs from Forcepoint, and they are not parsing properly in Splunk. We tried to find an add-on to ingest the logs but found none. Is there any way we can solve this issue?

Here is an example of our current firewall log:

Feb 17 10:25:09 172.XX.XX0.XX0 "2022-02-17 10:25:51","3350841932","172.XX.XXX.XXX","Packet Filtering","Notification","New connection","Allow","123.XXX.XXX.XX","113.XX.XXX.XXX","DNS (UDP)","17","52129","53","4372.39","123.XXX.XXX.XXX","17X.XXX.XXX.XX","52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,


Please advise.

0 Karma

m_pham
Splunk Employee

Adding on to what @SanjayReddy said about the props.conf configuration, best practice is to include at least the configurations below.

I'm assuming your events start off with the date format (Feb 17 10:25:09), so here is an example of the "big 6/8" configs, depending on which Splunk host is sending or ingesting the data; put the props on the HF/IDX for parsing. I think you're sending the logs via syslog, since I notice two timestamps, and I'm going to use the timestamp inside the double quotes for the event time.

props.conf


# Stanza name is a placeholder: use the sourcetype you assigned in inputs.conf
[forcepoint_fw]
# The event time is the first double-quoted field, so the prefix must consume
# everything up to AND including the opening quote; the timestamp then starts
# at the very next character.
TIME_PREFIX = ^[^"]+"
# "2022-02-17 10:25:51" is 19 characters, so a 20-character lookahead is enough
MAX_TIMESTAMP_LOOKAHEAD = 20
# Assuming your hours are in 24-hour notation (%T = %H:%M:%S, %F = %Y-%m-%d)
TIME_FORMAT = %F %T
SHOULD_LINEMERGE = false
# Break on the syslog header "Mon dd hh:mm:ss". The day is \s+\d{1,2}, not
# \s\d{2}, because syslog pads single-digit days with a space ("Feb  7").
LINE_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}
TRUNCATE = 10000
# Use the following attributes to handle better load balancing from UF.
# Please note the EVENT_BREAKER properties are applicable for Splunk Universal
# Forwarder instances only. Valid with forwarders > 6.5.0
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}


0 Karma
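Before pushing a props.conf like the one above to a heavy forwarder or indexer, it is worth checking the regexes offline against a couple of real lines. The script below is an added example (not from the post or from Forcepoint); it emulates Splunk's LINE_BREAKER, TIME_PREFIX/MAX_TIMESTAMP_LOOKAHEAD/TIME_FORMAT behaviour with Python's `re` (the patterns used here behave the same under PCRE), then splits the quoted, comma-separated payload into positional fields with the `csv` module, which handles the quoted values and the long runs of empty `,,` cells. The sample events are constructed, and the field positions named in `FIELD_POS` are read off the sample line in the question, not taken from Forcepoint's documented schema. It also shows the failure mode of the `\s\d{2}` day pattern: a single-digit day such as `Feb  7` is not recognised as an event start and gets merged into the previous event.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample input (not from the original post): two Forcepoint events as
# they arrive over syslog, the second with a space-padded single-digit day
# ("Feb  7"). IPs are RFC 1918 / RFC 5737 placeholders.
RAW = (
    'Feb 17 10:25:09 172.16.0.10 "2022-02-17 10:25:51","3350841932","172.16.1.5",'
    '"Packet Filtering","Notification","New connection","Allow","10.1.2.3",'
    '"10.9.8.7","DNS (UDP)","17","52129","53","4372.39","10.1.2.3","10.9.8.7",'
    '"52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,'
    '"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,\n'
    'Feb  7 03:00:01 172.16.0.10 "2022-02-07 03:00:44","3350841999","172.16.1.5",'
    '"Packet Filtering","Notification","New connection","Discard","10.1.2.4",'
    '"203.0.113.9","SSH","6","40001","22",,,,,,,"129",,,,,,,,,,,,,,"DC-Node-01",,,,,'
    '"2022-02-07 03:00:44","Firewall","Connection_Discarded",,,"6899901665942596700",,,,\n'
)

# props.conf settings under test, as Python regexes. Splunk's LINE_BREAKER discards
# the text matched by the capture group and starts the next event right after it;
# the lookahead reproduces that so the syslog header stays with its own event.
BREAKER_ORIGINAL = r'([\r\n]+)(?=\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})'      # breaks on "Feb 17" only
BREAKER_FIXED = r'([\r\n]+)(?=\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})'     # also breaks on "Feb  7"
TIME_PREFIX = re.compile(r'^[^"]+"')       # up to and including the first double quote
MAX_TIMESTAMP_LOOKAHEAD = 20               # the 19-char timestamp fits in the window
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"          # Python spelling of Splunk's "%F %T"
TIME_SHAPE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')
SYSLOG_HEADER = re.compile(r'^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$')

# Positions read off the sample event in the question; an assumption for
# illustration, not Forcepoint's documented field list.
FIELD_POS = {"action": 6, "src_ip": 7, "dst_ip": 8, "service": 9,
             "protocol": 10, "src_port": 11, "dst_port": 12}


def break_events(buf, breaker=BREAKER_FIXED):
    """Split a raw syslog buffer into events the way LINE_BREAKER would."""
    parts = re.split(breaker, buf)
    return [p.strip() for p in parts if p.strip()]


def extract_time(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT; None if no match."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    shape = TIME_SHAPE.search(window)
    return datetime.strptime(shape.group(0), TIME_FORMAT) if shape else None


def parse_event(event):
    """Return syslog host, event time, and the quoted CSV payload as named fields."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        raise ValueError("not a Forcepoint syslog event: %r" % event[:40])
    _, host, payload = m.groups()
    # csv handles the quoting and yields '' for every empty ,, cell
    fields = next(csv.reader(io.StringIO(payload)))
    named = {k: fields[i] for k, i in FIELD_POS.items() if i < len(fields)}
    named["host"] = host
    named["_time"] = extract_time(event)
    named["field_count"] = len(fields)
    return named


if __name__ == "__main__":
    print("events with original breaker:", len(break_events(RAW, BREAKER_ORIGINAL)))
    print("events with fixed breaker:   ", len(break_events(RAW)))
    for ev in break_events(RAW):
        print(parse_event(ev))
```

Once the breaker and timestamp settings check out, the positional split that `csv.reader` does here is what a transforms.conf stanza with `DELIMS = ","` and a `FIELDS = ...` list (wired in from props.conf with `REPORT-`) would do at search time; the field names to use there should come from Forcepoint's log field reference rather than from guesswork on one sample line.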

SanjayReddy
SplunkTrust

Hi @syazwani 

I found this add-on on Splunkbase; will this help?

https://splunkbase.splunk.com/app/2966/#/details 

https://docs.splunk.com/Documentation/AddOns/latest/WebsenseCG/About 

Also, from the log file you mentioned, what are the event boundaries, i.e. where does an event start and end?

If the above add-on won't work, we can parse the data properly using props.conf.

0 Karma