Splunk Search

Correctly parsing into fields - Tenable SecurityCenter admin log (props and transforms)

BrianAbbott
Explorer

We need to ingest an administrative log within Tenable Security Center. Monitoring this log file is not part of the Tenable apps, this is so we can alert on behaviors such as failures to retrieve feed and plugin updates as well as other anomalous results.

This log is being monitored now and is being successfully ingested. An index and sourcetype have been defined as well. Now I need to break each line into defined fields. Here is a benign example of a raw log entry (from the .log file), note that there are six fields if counting the time stamp:

Wed, 01 May 2019 00:00:16 -0700|tsc_serviceacct|auth|INFO|1|Successful login for 'tsc_serviceacct' from 130.128.10.10 (authentication type: ldap).

Because this is going to be an index time transformation, I assumed that I need to place the props and transforms onto the indexers (clustered).

Basically, I just don't know how to properly configure the props and transforms. I mean, I know the deliminator is the | pipe. Having the advice and input form the Splunk community would be very much appreciated. Here is what I have developed so far, but I have not put into production.

props.conf

[tsc_sourcetype]
REPORT-pullpipes = tsc_adminlog_parse

transforms.conf

[tsc_adminlog_parse]
DELIMS = "|"
FIELDS = "date", "user", "repo", "severity", "module", "message"

I don't have confidence that this (at least not the props) is properly configured.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!