Splunk Search

Cisco ASA VPN logs regex?

nick405060
Motivator

Hey guys,

I am ingesting VPN logs and would like to parse them out. Does anyone have regexes to use?

1 Solution

nick405060
Motivator

Here you go:

index=asa "USERSEARCH" |
eval comment="extraction_common" | rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)" |
eval comment="extraction_group" | rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)" |
eval comment="extraction_tunnelgroup" | rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)" |
eval comment="extraction_teardown" | rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?" |
eval comment="extraction_built" | rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?" |
eval comment="extraction_deny" | rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]" |
eval comment="extraction_disconnected" | rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)" |
eval comment="extraction_access-list" | rex field=unregexed "(?<category>access-list StaffVPNACL-EXT2 denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt 1 first hit \[(?<brackets>[^\]]+?)\]" |
eval comment="AAA" | rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)" |
search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH" |
lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved | lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved | lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved | lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved | lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved |
table _time unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_resolved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group direction duration bytes bytes_xmt bytes_rcv brackets sourcetype
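The same two-stage extraction (syslog header first, then message-specific patterns over the `unregexed` remainder) in Python, as an added example that is not part of the original post, so the regexes can be checked against sample events before they go into the Splunk search. It reuses the post's `extraction_common`, `extraction_disconnected` and `AAA` patterns with Python's `(?P<name>...)` group syntax; the two sample events are constructed, and `events_for_user` is an assumed helper standing in for the post's `search user=...` step.

```python
import re

# Stage 1: syslog header plus ASA message id; the rest of the line becomes "unregexed".
COMMON = re.compile(
    r"^(?P<month>\S+?)\s+?(?P<day>\S+?) (?P<time>\S+?) (?P<ip>\S+?) "
    r"%(?P<asa>[^:]+?): (?P<unregexed>[\s\S]*)"
)
# Stage 2: message-specific patterns, tried in order; each sets a "category" field.
DISCONNECTED = re.compile(
    r"(?P<category>Group) = (?P<group>[^,]+?), Username = (?P<user>[^,]+?), "
    r"IP = (?P<ip>[^,]+?), Session disconnected. Session Type: (?P<type>[^,]+?), "
    r"Duration: (?P<duration>[^,]+?), Bytes xmt: (?P<bytes_xmt>[^,]+?), "
    r"Bytes rcv: (?P<bytes_rcv>[^,]+?), Reason: (?P<reason>[\s\S]+)"
)
AAA_REJECTED = re.compile(
    r"(?P<category>AAA user authentication Rejected) : reason = (?P<reason>[^:]+?) "
    r": server = (?P<server>[^:]+?) : user = (?P<user>[^:]+?) : user IP = (?P<ip>\S+)"
)
MESSAGE_PATTERNS = (DISCONNECTED, AAA_REJECTED)


def parse_asa(line):
    """Return a dict of extracted fields, or None when the header does not match."""
    head = COMMON.match(line)
    if not head:
        return None
    fields = head.groupdict()
    for pattern in MESSAGE_PATTERNS:
        m = pattern.match(fields["unregexed"])
        if m:
            # Message fields win over header fields: "ip" becomes the VPN client's
            # address rather than the ASA that emitted the syslog line.
            fields.update(m.groupdict())
            break
    return fields


def events_for_user(lines, user):
    """Assumed helper mirroring the post's 'search user=...' filter step."""
    return [f for f in map(parse_asa, lines) if f and f.get("user") == user]


# Constructed sample events in the syslog shape the post's regexes expect.
SAMPLE = [
    "Mar  5 10:21:33 10.0.0.1 %ASA-4-113019: Group = StaffVPN, Username = jdoe, "
    "IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 1h:02m:11s, "
    "Bytes xmt: 12345, Bytes rcv: 67890, Reason: User Requested",
    "Mar  5 10:22:01 10.0.0.1 %ASA-6-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = 10.0.0.5 : user = jdoe : user IP = 203.0.113.7",
]
```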
