Splunk Search

How to Extract Fields from McAfee Vulnerability Manager

mzorzi
Splunk Employee

The events collected from the MVM have multiline fields. I would like to extract vendor_description, vendor_observation and vendor_recommendation.

What is the best props.conf configuration?

Apr 06 2015 08:22:41
TicketID=11674520
category_id=29
vendor_category=Security Policy/Options
cve=CVE-MAP-NOMATCH
msft=
mskb=
dest_ip=196.68.23.14
dest_name=SRVUDG987
dest_host=SRVUDG987.VGR.ATTGR.NET
signature=User Rights Restore Files And Directories Policy
vendor_severity=0
vendor_description=The User Rights "Restore files and directories" policy does not match the recommended compliance value.
vendor_observation=The User Rights "Restore files and directories" policy specifies which accounts may restore files and directories from a backup.

        NOTE: This check requires at least Foundstone version 4.0.6.
vendor_recommendation=Foundstone recommends the User Rights "Restore files and directories" be set via either a group policy INF file or by manually navigating to:

        Control Panel - Administrative Tools - Local Security Policy - Local Policies - User Rights Assignment

        Set the "Restore files and directories" policy to Administrators

jeffland
Champion

Why not this straightforward rex:

vendor_description=(?<description>.*)vendor_observation=(?<observation>.*)vendor_recommendation=(?<recommendation>.*)

When I use it with the s modifier (so that . includes newline) on your sample, I get exactly the entire text until the next vendor_ (with the first two entries at least, the last one just captures until the end of the event I guess).


mzorzi
Splunk Employee

Have you tried it from props.conf? I get two different results from the rex search command and from props.conf.


jeffland
Champion

Unfortunately this is only rex-tested, sorry. I am not yet proficient with that sort of low-level setup. Why don't you try the expression in your props.conf? The modifier should work by prepending (?m)^ to your expression.


mzorzi
Splunk Employee

This works for me, but it is a bit random. Maybe you have a better suggestion?

[vmdata]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
KV_MODE = none
# Lazy .*? stops each field at the line break that precedes the next vendor_ key;
# the last field runs to the end of the event, so no trailing [\r\n]+ is required
EXTRACT-vall = (?mis)vendor_description=(?<vendor_description>.*?)[\r\n]+vendor_observation=(?<vendor_observation>.*?)[\r\n]+vendor_recommendation=(?<vendor_recommendation>.*)
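As an added example (not code from the thread), the greedy pattern as originally posted and a lazy rewrite are run with Python's re module over a constructed copy of the sample event; Python writes named groups as (?P<name>) where Splunk's PCRE uses (?<name>). It shows why the greedy version looks random: its trailing [\r\n]+ forces the final .* to give back the event's last line, so vendor_recommendation loses the "Set ... to Administrators" line unless the event happens to end with a line break.

```python
import re

# Constructed sample event, modelled on the MVM event quoted in the question.
EVENT = (
    "Apr 06 2015 08:22:41\n"
    "TicketID=11674520\n"
    "signature=User Rights Restore Files And Directories Policy\n"
    "vendor_severity=0\n"
    "vendor_description=The User Rights \"Restore files and directories\" policy "
    "does not match the recommended compliance value.\n"
    "vendor_observation=The User Rights \"Restore files and directories\" policy "
    "specifies which accounts may restore files and directories from a backup.\n"
    "\n"
    "        NOTE: This check requires at least Foundstone version 4.0.6.\n"
    "vendor_recommendation=Foundstone recommends the User Rights \"Restore files and "
    "directories\" be set via either a group policy INF file or by manually navigating to:\n"
    "\n"
    "        Control Panel - Administrative Tools - Local Security Policy - Local Policies"
    " - User Rights Assignment\n"
    "\n"
    "        Set the \"Restore files and directories\" policy to Administrators"
)

# Greedy pattern as posted in the thread: every .* runs to the end of the event and
# backtracks; the trailing [\r\n]+ makes the last group stop at the final line break.
GREEDY = re.compile(
    r"(?ms)vendor_description=(?P<vendor_description>.*)[\r\n]+"
    r"vendor_observation=(?P<vendor_observation>.*)[\r\n]+"
    r"vendor_recommendation=(?P<vendor_recommendation>.*)[\r\n]+"
)

# Lazy rewrite: each field ends at the line break that precedes the next vendor_ key,
# and the last field runs to the end of the event with no line-break requirement.
LAZY = re.compile(
    r"(?ms)vendor_description=(?P<vendor_description>.*?)[\r\n]+"
    r"vendor_observation=(?P<vendor_observation>.*?)[\r\n]+"
    r"vendor_recommendation=(?P<vendor_recommendation>.*)"
)


def extract(pattern, event):
    """Return the three vendor_* fields as a dict, or {} if the pattern does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def recommendation_is_complete(fields):
    """True only if the final instruction line survived the extraction."""
    return fields.get("vendor_recommendation", "").rstrip().endswith("policy to Administrators")
```

Against this event the greedy pattern returns a vendor_recommendation that ends at "User Rights Assignment", while the lazy pattern keeps the whole field.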