
Cisco ASA VPN logs regex?

nick405060
Motivator

Hey guys,

I am ingesting VPN logs and would like to parse them out. Does anyone have regexes to use?


nick405060
Motivator

Here you go:

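index=asa "USERSEARCH"
| eval comment="purpose: parse Cisco ASA VPN syslog into fields and list every event for one user; replace each USERSEARCH with the username (the literal in the base search keeps the index scan cheap, the later search command does the field-level filter)"
| eval comment="extraction_common: syslog header; ip here is the address of the ASA that logged the event and is copied to asa_ip because the message patterns below overwrite ip with the client address"
| rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)"
| eval asa_ip=ip
| eval comment="one rex per message shape; the design relies on rex leaving fields untouched when its pattern does not match, so category/user/ip come from whichever pattern matched the event"
| eval comment="extraction_group: Group/Username/IP messages in both the '= x,' and '<x>' spellings"
| rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)"
| eval comment="extraction_tunnelgroup: GroupPolicy is matched but not kept"
| rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)"
| eval comment="extraction_teardown: the optional (LOCAL\user) suffix on either endpoint is tolerated; a trailing (user) after bytes overwrites user"
| rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?"
| eval comment="extraction_built: from_ip2/to_ip2 are the translated (NAT) addresses shown in parentheses"
| rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?"
| eval comment="extraction_deny"
| rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]"
| eval comment="extraction_disconnected"
| rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)"
| eval comment="extraction_access-list: ACL name and hit count are captured instead of hard-coded so denies from any ACL and repeat hits (hit-cnt above 1) are parsed too; category keeps its previous value for the original ACL"
| rex field=unregexed "(?<category>access-list (?<access_list>\S+?) denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt (?<hit_cnt>\d+) [^\[]*?\[(?<brackets>[^\]]+?)\]"
| eval comment="AAA: failed authentications, so the user can be seen even when no session was ever built"
| rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)"
| eval comment="keep only events where the searched user appears in any of the user fields"
| search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH"
| eval comment="reverse-DNS each address field; placed after the user filter because dnslookup does a live lookup per row"
| lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved
| lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved
| lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved
| lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved
| lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved
| eval comment="to_ip_resolved was previously misspelled in the table as to_ip_reoslved, which left that column empty"
| table _time asa asa_ip unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_resolved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group access_list hit_cnt direction duration bytes bytes_xmt bytes_rcv brackets sourcetype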


nick405060
Motivator

Here you go:

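index=asa "USERSEARCH"
| eval comment="purpose: parse Cisco ASA VPN syslog into fields and list every event for one user; replace each USERSEARCH with the username (the literal in the base search keeps the index scan cheap, the later search command does the field-level filter)"
| eval comment="extraction_common: syslog header; ip here is the address of the ASA that logged the event and is copied to asa_ip because the message patterns below overwrite ip with the client address"
| rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)"
| eval asa_ip=ip
| eval comment="one rex per message shape; the design relies on rex leaving fields untouched when its pattern does not match, so category/user/ip come from whichever pattern matched the event"
| eval comment="extraction_group: Group/Username/IP messages in both the '= x,' and '<x>' spellings"
| rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)"
| eval comment="extraction_tunnelgroup: GroupPolicy is matched but not kept"
| rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)"
| eval comment="extraction_teardown: the optional (LOCAL\user) suffix on either endpoint is tolerated; a trailing (user) after bytes overwrites user"
| rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?"
| eval comment="extraction_built: from_ip2/to_ip2 are the translated (NAT) addresses shown in parentheses"
| rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?"
| eval comment="extraction_deny"
| rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]"
| eval comment="extraction_disconnected"
| rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)"
| eval comment="extraction_access-list: ACL name and hit count are captured instead of hard-coded so denies from any ACL and repeat hits (hit-cnt above 1) are parsed too; category keeps its previous value for the original ACL"
| rex field=unregexed "(?<category>access-list (?<access_list>\S+?) denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt (?<hit_cnt>\d+) [^\[]*?\[(?<brackets>[^\]]+?)\]"
| eval comment="AAA: failed authentications, so the user can be seen even when no session was ever built"
| rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)"
| eval comment="keep only events where the searched user appears in any of the user fields"
| search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH"
| eval comment="reverse-DNS each address field; placed after the user filter because dnslookup does a live lookup per row"
| lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved
| lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved
| lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved
| lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved
| lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved
| eval comment="to_ip_resolved was previously misspelled in the table as to_ip_reoslved, which left that column empty"
| table _time asa asa_ip unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_resolved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group access_list hit_cnt direction duration bytes bytes_xmt bytes_rcv brackets sourcetype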