Solved: Cisco ASA VPN logs regex?

nick405060 · ‎05-07-2019

Hey guys,

I am ingesting VPN logs and would like to parse them out. Does anyone have regexes to use?

nick405060 · ‎05-07-2019

Here you go:

index=asa "USERSEARCH"|

eval comment="extraction_common" | rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)" | 

eval comment="extraction_group" | rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)" |

eval comment="extraction_tunnelgroup" | rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)" |
eval comment="extraction_teardown" | rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?" |

eval comment="extraction_built" | rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?" |
eval comment="extraction_deny" | rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]" |
eval comment="extraction_disconnected" | rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)" |
eval comment="extraction_access-list" | rex field=unregexed "(?<category>access-list StaffVPNACL-EXT2 denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt 1 first hit \[(?<brackets>[^\]]+?)\]" |

eval comment="AAA" | rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)" |

search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH" |

lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved | lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved | lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved | lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved | lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved |

table _time unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_reoslved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group direction duration bytes bytes_xmt bytes_rcv brackets sourcetype

View solution in original post

nick405060 · ‎05-07-2019

Here you go:

index=asa "USERSEARCH"|

eval comment="extraction_common" | rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)" | 

eval comment="extraction_group" | rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)" |

eval comment="extraction_tunnelgroup" | rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)" |
eval comment="extraction_teardown" | rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?" |

eval comment="extraction_built" | rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?" |
eval comment="extraction_deny" | rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]" |
eval comment="extraction_disconnected" | rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)" |
eval comment="extraction_access-list" | rex field=unregexed "(?<category>access-list StaffVPNACL-EXT2 denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt 1 first hit \[(?<brackets>[^\]]+?)\]" |

eval comment="AAA" | rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)" |

search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH" |

lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved | lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved | lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved | lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved | lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved |

table _time unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_reoslved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group direction duration bytes bytes_xmt bytes_rcv brackets sourcetype

Cisco ASA VPN logs regex?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?