Splunk Search

BREAK_ONLY_BEFORE_DATE variable

szaboszilard
Path Finder

Hi everyone,

I have several oracle audit logs received via syslog-ng + splunk file inputs:

Jul  8 14:44:04 192.168.160.20 Audit[11206800]: LENGTH: "323" SESSIONID:[9] "359691618" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[7] "SYSTEMA" USERHOST:[22] "host.domain.xy" ACTION:[3] "208" RETURNCODE:[1] "0" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.160.21)(PORT=14039))" OS$USERID:[6] "apache" DBID:[10] "3473254904" 
Jul  8 14:47:57 192.168.160.21 Audit[27328736]: LENGTH: "156" SESSIONID: "270416291" ENTRYID: "1" ACTION: "101" RETURNCODE: "0" LOGOFF$PREAD: "0" LOGOFF$LREAD: "21" LOGOFF$LWRITE: "0" LOGOFF$DEAD: "0" SESSIONCPU: "0"

My regex

 (?i)(?<_KEY_1>\S+):(\s|\[\d+\])+"(?<_VAL_1>[^"]+)"

My props.conf

[oracle_aud]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \d\d\d\s\d\d\s\d\d:\d\d
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
EXTRACT-oracle_action_returncode = (?i)(?<_KEY_1>\S+):(\s|\[\d+\])+"(?<_VAL_1>[^"]+)"
LOOKUP-oracle_action = oracle_action_csv ACTION AS ACTION OUTPUTNEW ACTION_DESCRIPTION AS ACTION_DESCRIPTION
LOOKUP-oracle_returncode = oracle_returncode_csv RETURNCODE AS RETURNCODE OUTPUTNEW RETURNCODE_DESCRIPTION AS RETURNCODE_DESCRIPTION

I cant solve 2 problem.
1. Several events displayed in one line.
2. It is possible to extract source ip (192.168.160.20) and Audit fields value (11206800|27328736) with one regex expression?

I have tried this one too, but not really worked:
BREAK_ONLY_BEFORE = ^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Okt|Nov|Dec)\s

Regards Szilard

0 Karma
1 Solution

woodcock
Esteemed Legend

#1: Change to this instead:

BREAK_ONLY_BEFORE = \w{3}\s+\d+\s+\d+:\d+

#2:

EXTRACT-srcip_and_autid = (?<srcip>\d+\.\d+\.\d+\.\d+).*?Audit\[(?<Audit>\d+)

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This regex string will extract the source IP and Audit fields

(?P<source_ip>\d+\.\d+\.\d+\.\d+) Audit\[(?P<audit>[^\]]+)]
---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

#1: Change to this instead:

BREAK_ONLY_BEFORE = \w{3}\s+\d+\s+\d+:\d+

#2:

EXTRACT-srcip_and_autid = (?<srcip>\d+\.\d+\.\d+\.\d+).*?Audit\[(?<Audit>\d+)
0 Karma

szaboszilard
Path Finder

Extracting other fields works well, Thank you all.
i think timestamps were extracted well. I can see _time field and other time/date fields:

date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone=local

No idea why does not work...
(Replacing sourcetype to syslog in inputs.conf line merge works well.)

0 Karma

woodcock
Esteemed Legend

Do you really need to linemerge? If you don't, then changing to this should prevent mis-merged lines:

 SHOULD_LINEMERGE = false

szaboszilard
Path Finder

Option "SHOULD_LINEMERGE = false" solved it.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...