
Change field to arbitrary value following a regex match using props.conf and transforms.conf

New Member

I have two firewall devices that log their activities in different formats. I'm trying to create CIM compliant logs. I want to have a field labeled "action" and I want it to set that field to either be a value of "drop", "reject", or "accept" based on some regex. The values drop, reject, or accept are not found in the event itself. This is what I have so far and it is not creating a field named action with the desired value.

props.conf
[host::192.168.1.1]
TRANSFORMS-junos = junos_action_deny,junos_action_allow

transforms.conf
[junos_action_deny]
REGEX = RT_FLOW_SESSION_DENY
FORMAT = action::drop

[junos_action_allow]
REGEX = RT_FLOW_SESSION_CREATE
FORMAT = action::allow

Example event

Jul 26 18:17:57 192.168.1.1 1 2017-07-26T18:17:57.909-07:00 fw3 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.40 source-address="184.105.139.110" source-port="44147" destination-address="192.168.1.10" destination-port="69" service-name="junos-tftp" protocol-id="17" icmp-type="0" policy-name="default-deny" source-zone-name="dmz" destination-zone-name="clients" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.1311" encrypted="UNKNOWN" reason="policy deny"] session denied 184.105.139.110/44147->192.168.1.10/69 junos-tftp 17(0) default-deny dmz clients UNKNOWN UNKNOWN N/A(N/A) reth0.1311 UNKNOWN policy deny
0 Karma

Motivator

try this

your search | rex field=_raw "RT_FLOW\s+-\s+(?P<field1>\S+)" | eval action = case(field1=="RT_FLOW_SESSION_DENY", "Deny", field1=="RT_FLOW_SESSION_CREATE", "allow")

New Member

Can your solution be used with props.conf and transforms.conf?

0 Karma

Motivator

yes like below,

props.conf

# same host stanza as in the question
[host::192.168.1.1]
# search-time extraction of the RT_FLOW event type; the literal "[" must be escaped
EXTRACT-field1 = RT_FLOW\s+-\s+(?P<field1>\S+)\s+\[
# calculated field; EVAL- fields can reference extracted fields such as field1
EVAL-action = case(field1=="RT_FLOW_SESSION_DENY", "Deny", field1=="RT_FLOW_SESSION_CREATE", "allow")

0 Karma
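Before committing a regex to props.conf it is worth checking it against real events offline. The script below is an added example, not code from either poster or from Splunk: it applies the same event-type regex the answer uses to the Junos event from the question plus two constructed variants, maps the event type to the "action" values from the question's transforms.conf (drop / allow, with a constructed "unknown" fallback for types the map does not cover), and also lifts the key="value" pairs into CIM Network_Traffic field names (src, dest, src_port, dest_port, transport, rule). Python's re and Splunk's PCRE agree on this simple pattern, which is the assumption the check relies on. Note also that the question's index-time approach (TRANSFORMS- with REGEX/FORMAT) only writes the field if the transforms.conf stanza sets WRITE_META = true; the search-time EXTRACT-/EVAL- route in the answer avoids that requirement.

```python
import re
from typing import Dict, List, Optional

# Sample events. The first is the RT_FLOW event from the question; the
# second and third are constructed for this example and are not from the page.
SAMPLE_EVENTS: List[str] = [
    'Jul 26 18:17:57 192.168.1.1 1 2017-07-26T18:17:57.909-07:00 fw3 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.40 source-address="184.105.139.110" source-port="44147" '
    'destination-address="192.168.1.10" destination-port="69" service-name="junos-tftp" '
    'protocol-id="17" icmp-type="0" policy-name="default-deny" source-zone-name="dmz" '
    'destination-zone-name="clients" application="UNKNOWN" nested-application="UNKNOWN" '
    'username="N/A" roles="N/A" packet-incoming-interface="reth0.1311" encrypted="UNKNOWN" '
    'reason="policy deny"] session denied 184.105.139.110/44147->192.168.1.10/69 junos-tftp '
    '17(0) default-deny dmz clients UNKNOWN UNKNOWN N/A(N/A) reth0.1311 UNKNOWN policy deny',
    # constructed: a permitted session
    'Jul 26 18:18:01 192.168.1.1 1 2017-07-26T18:18:01.000-07:00 fw3 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.40 source-address="10.0.0.5" source-port="51000" '
    'destination-address="10.0.1.20" destination-port="443" service-name="junos-https" '
    'protocol-id="6" policy-name="allow-web"] session created',
    # constructed: an event type the action map does not know about
    'Jul 26 18:18:05 192.168.1.1 1 2017-07-26T18:18:05.000-07:00 fw3 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.40 source-address="10.0.0.5" source-port="51000" '
    'destination-address="10.0.1.20" destination-port="443" protocol-id="6"] session closed',
]

# Same pattern as the EXTRACT-field1 line in the answer (with the "[" escaped).
EVENT_TYPE_RE = re.compile(r"RT_FLOW\s+-\s+(?P<field1>\S+)\s+\[")

# Structured-data pairs inside the brackets: key="value".
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Event type -> "action" value, taken from the question's transforms.conf FORMAT lines.
ACTION_MAP: Dict[str, str] = {
    "RT_FLOW_SESSION_DENY": "drop",
    "RT_FLOW_SESSION_CREATE": "allow",
}
UNKNOWN_ACTION = "unknown"  # constructed fallback, not on the page

# Junos key -> CIM Network_Traffic field name.
CIM_FIELD_MAP: Dict[str, str] = {
    "source-address": "src",
    "source-port": "src_port",
    "destination-address": "dest",
    "destination-port": "dest_port",
    "protocol-id": "transport",
    "policy-name": "rule",
}

# IANA protocol numbers for the transports seen in the samples.
PROTOCOL_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def extract_event_type(event: str) -> Optional[str]:
    """Return the RT_FLOW event type (field1 in the answer), or None if absent."""
    match = EVENT_TYPE_RE.search(event)
    return match.group("field1") if match else None


def cim_action(event_type: Optional[str]) -> str:
    """Map the event type to the CIM action value; unknown types are flagged, not guessed."""
    return ACTION_MAP.get(event_type, UNKNOWN_ACTION) if event_type else UNKNOWN_ACTION


def normalize(event: str) -> Dict[str, str]:
    """Build the CIM-style field set for one raw event."""
    fields: Dict[str, str] = {"action": cim_action(extract_event_type(event))}
    for key, value in KV_RE.findall(event):
        cim_name = CIM_FIELD_MAP.get(key)
        if cim_name:
            fields[cim_name] = value
    # Replace the numeric protocol id with the name CIM expects in transport.
    if "transport" in fields:
        fields["transport"] = PROTOCOL_NAMES.get(fields["transport"], fields["transport"])
    return fields


def normalize_all(events: List[str]) -> List[Dict[str, str]]:
    return [normalize(e) for e in events]


if __name__ == "__main__":
    for row in normalize_all(SAMPLE_EVENTS):
        print(row)
```

Run it as-is to see the three normalized rows; the third row's action of "unknown" is the signal that the case() statement in props.conf needs another branch before the event type is treated as covered.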