Correctly parsing into fields - Tenable SecurityCe...

BrianAbbott · ‎05-29-2019

We need to ingest an administrative log within Tenable Security Center. Monitoring this log file is not part of the Tenable apps, this is so we can alert on behaviors such as failures to retrieve feed and plugin updates as well as other anomalous results.

This log is being monitored now and is being successfully ingested. An index and sourcetype have been defined as well. Now I need to break each line into defined fields. Here is a benign example of a raw log entry (from the .log file), note that there are six fields if counting the time stamp:

Wed, 01 May 2019 00:00:16 -0700|tsc_serviceacct|auth|INFO|1|Successful login for 'tsc_serviceacct' from 130.128.10.10 (authentication type: ldap).

Because this is going to be an index time transformation, I assumed that I need to place the props and transforms onto the indexers (clustered).

Basically, I just don't know how to properly configure the props and transforms. I mean, I know the deliminator is the | pipe. Having the advice and input form the Splunk community would be very much appreciated. Here is what I have developed so far, but I have not put into production.

props.conf

[tsc_sourcetype]
REPORT-pullpipes = tsc_adminlog_parse

transforms.conf

[tsc_adminlog_parse]
DELIMS = "|"
FIELDS = "date", "user", "repo", "severity", "module", "message"

I don't have confidence that this (at least not the props) is properly configured.

Correctly parsing into fields - Tenable SecurityCenter admin log (props and transforms)

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk