Splunk Enterprise

How to get Forcepoint Firewall Logs Not Parsing Properly

syazwani
Path Finder

We have onboarded firewall logs from Forcepoint, and they were not parsing properly in Splunk. We tried to find an add-on to ingest the logs but found none. Is there any way we can solve this issue?

Here is an example of our current fw log:

Feb 17 10:25:09 172.XX.XX0.XX0 "2022-02-17 10:25:51","3350841932","172.XX.XXX.XXX","Packet Filtering","Notification","New connection","Allow","123.XXX.XXX.XX","113.XX.XXX.XXX","DNS (UDP)","17","52129","53","4372.39","123.XXX.XXX.XXX","17X.XXX.XXX.XX","52129","53",,"129",,,,,,,,,,,,,,"DC-Node-01",,"2097953.17",,,"2022-02-17 10:25:51","Firewall","Connection_Allowed",,,"6899901665942596693",,,,

Please advise.

0 Karma

m_pham
Splunk Employee

Adding on to what @SanjayReddy was saying about the props.conf configuration, best practice is to include at least the configurations below.

I'm assuming your events start off with the date format (Feb 17 10:25:09), so here is an example of the "big 6/8" configs, depending on which Splunk host is sending or ingesting the data; put the props on the HF/IDX for parsing. I think you're sending the logs via syslog, since I notice two timestamps, and I'm going to use the timestamp inside the double quotes for the event time.

props.conf

# Stanza name is a placeholder: use the sourcetype you assign to these logs
[your_forcepoint_sourcetype]
# Assuming your time prefix is the first set that starts with double quotes;
# the prefix consumes the opening quote so the lookahead window begins at the year
TIME_PREFIX = ^[^"]+"
MAX_TIMESTAMP_LOOKAHEAD = 20
# Assuming your hours are in 24 hour notation (%T)
TIME_FORMAT = %F %T
SHOULD_LINEMERGE = false
# Syslog pads single-digit days with a space (e.g. "Feb  7"), hence \s+ and \d{1,2}
LINE_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}
TRUNCATE = 10000
# Use the following attributes to handle better load balancing from UF.
# Please note the EVENT_BREAKER properties are applicable for Splunk Universal
# Forwarder instances only. Valid with forwarders > 6.5.0
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}

0 Karma
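To check a candidate props.conf against sample data before deploying it to an HF/IDX, here is an added Python script (not from this thread and not Splunk's own code) that emulates the three settings that matter for this log: LINE_BREAKER, TIME_PREFIX/MAX_TIMESTAMP_LOOKAHEAD/TIME_FORMAT, and splitting of the quoted CSV payload that follows the syslog header. The sample lines are constructed (masked addresses replaced with RFC 1918 ones); the second line has a single-digit day so that the difference between `\s\d{2}` and `\s+\d{1,2}` in the breaker is visible. The emulation approximates Splunk's behaviour and is not its implementation.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: two syslog-wrapped Forcepoint events. The second one has a
# single-digit day (RFC 3164 pads it with a space) and a quoted field with a comma.
SAMPLE = (
    'Feb 17 10:25:09 172.16.0.10 "2022-02-17 10:25:51","3350841932","172.16.1.1",'
    '"Packet Filtering","Notification","New connection","Allow","10.0.0.5",'
    '"10.0.0.53","DNS (UDP)","17","52129","53"\n'
    'Feb  7 08:01:02 172.16.0.10 "2022-02-07 08:01:40","3350841999","172.16.1.1",'
    '"Packet Filtering","Notification","New connection, retry","Discard","10.0.0.6",'
    '"10.0.0.53","DNS (UDP)","17","52130","53"\n'
)

# Settings under test (hypothetical values mirroring a props.conf stanza).
LINE_BREAKER = r'([\r\n]+)\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}'
ORIGINAL_LINE_BREAKER = r'([\r\n]+)\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}'  # breaks only on 2-digit days
TIME_PREFIX = r'^[^"]+"'           # everything up to and including the first double quote
TIME_FORMAT = '%Y-%m-%d %H:%M:%S'  # what Splunk's "%F %T" expands to
MAX_TIMESTAMP_LOOKAHEAD = 20


def break_events(data, breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER: the capture group is discarded, text before it ends the
    previous event and the rest of the match starts the next one."""
    events, start = [], 0
    for m in re.finditer(breaker, data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    tail = data[start:].rstrip('\r\n')
    if tail:
        events.append(tail)
    return events


def extract_time(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT: the format only has
    to match at the start of the lookahead window; trailing characters are ignored."""
    m = re.match(TIME_PREFIX, event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
    return None


def split_fields(event):
    """Separate the syslog header from the Forcepoint CSV payload and parse the
    payload with the csv module so commas inside quoted fields are preserved."""
    header, _, payload = event.partition(' "')
    row = next(csv.reader(io.StringIO('"' + payload)))
    return header, row


def validate(data=SAMPLE):
    """Return, per event, what Splunk would see with these settings."""
    results = []
    for ev in break_events(data):
        ts = extract_time(ev)
        header, fields = split_fields(ev)
        results.append({
            'host': header.split()[-1],
            'time': ts.isoformat() if ts else None,
            'action': fields[6],  # 7th CSV column in the sample is the action
            'field_count': len(fields),
        })
    return results


if __name__ == '__main__':
    for r in validate():
        print(r)
    print('events with original breaker:', len(break_events(SAMPLE, ORIGINAL_LINE_BREAKER)))
```

Run it against a few hundred real lines (with addresses masked) before changing props.conf; any event whose `time` comes back as `None` or whose `field_count` differs from the rest is a line the stanza will not handle the way you expect.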

SanjayReddy
SplunkTrust

Hi @syazwani

Found this add-on on Splunkbase; will this help?

https://splunkbase.splunk.com/app/2966/#/details

https://docs.splunk.com/Documentation/AddOns/latest/WebsenseCG/About

Also, from the log file you mentioned, what are the event boundaries, i.e. where does each event start and end?

If the above add-on won't work, we can parse the data properly using props.conf.

0 Karma