Hey all,
I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.
transforms.conf:
[fields_for_scap]
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?)?Result\n\t(.\*)
FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5
Previously attempted regexes:
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?(?:Ident\n\t(.\*)\n)?Result\n\t(.\*)
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)(?:\nIdent\n\t)?(.\*|)(?:\nIdent\n\t)?(.\*|)\nResult\n\t(.\*)
props.conf:
[scap]
SHOULD_LINEMERGE=false
LINE_BREAKER = (\n\n)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORT-fields_for_scap = fields_for_scap
Example events:
Title
Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
Rule
kernel_disable_entropy_contribution_for_solid_state_drives
Result
pass
Title
Ensure /tmp Located On Separate Partition
Rule
partition_for_tmp
Ident
CCE-26435-8
Ident
DISA FSO RHEL-06-000001
Result
pass
Edit:
For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.
Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.
Try:
REGEX = Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?[\s\S]*?Result[\r\n]*\s*([^\r\n]*)
FORMAT = Title::$1 Rule::$2 CCE::$4 DISA::$5 Result::$6
It's fairly efficient.
Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.