Splunk Search

IPv6 addresses parsed properly?

EricPartington
Communicator

Does Splunk have any issues with parsing out IPv6 addresses from firewall events? I guess it all depends on how the transforms are written and how the fields are delimited (Cisco App written to parse IPv6).

Has anyone successfully parsed IPv6 or noticed any issues or caveats that we should be aware of?

1 Solution

Rob
Splunk Employee

There are several formats in which IPv6 can be displayed in your event log. You will want to use transforms.conf to find and parse these addresses. Here is a list of regexes that match the different forms. (The IPv4 address converted to IPv6 in the examples below is 192.168.10.100 with a net mask of 255.255.255.0.)

Full IPv6 address:

fe80:0000:0000:0000:0000:0000:c0a8:a64
Regex to match and return full address as $1:

([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})

IPv6 with leading zeros dropped:

fe80:0:0:0:0:0:c0a8:a64
Regex to match and return the full address as $1 (yes, it's the same as the above):
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})

IPv6 with multiple zero groups collapsed:

fe80::c0a8:a64
Regex to match collapsed zero groups. This will also work with collapsed zeros at the beginning of the address, but not for single-group addresses (e.g. '::1'), and it does not check for illegal IPv6 addresses (e.g. fe80::c0a8::a64):
(:?:?[0-9A-Fa-f]{1,4}(?::{1,2}[0-9A-Fa-f]{1,4}){1,7})


To account for mixed IPv4 and IPv6 addresses, IPv6 allows for changing the last 4 bits to include the IPv4 address: fe80:0000:0000:0000:0000:0000:c0a8:a64 would then be noted with the dotted quad at the end and become 'fe80:0000:0000:0000:0000:0000:192.168.10.100'.

Full IPv6 with IPv4 quad:

fe80:0000:0000:0000:0000:0000:192.168.10.100
Regex to match:
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}\.){3}\d{1,3})

IPv6 with leading zeros dropped and IPv4 quad:

fe80:0:0:0:0:0:192.168.10.100
Regex to match (same as above):
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}\.){3}\d{1,3})

IPv6 with collapsed zeros and IPv4 quad:

fe80::192.168.10.100
Regex to match:
(:?:?[0-9A-Fa-f]{1,4}(?::{1,2}[0-9A-Fa-f]{1,4}){0,5}::?(?:\d{1,3}\.){3}\d{1,3})

Depending on the IPv6 address type that you are seeing in your events, you may want to tailor the regex to fit your IPv6 addresses more specifically.


stefanlasiewski
Contributor

Note that the IETF has proposed RFC 5952 to "define a canonical textual representation format" across all systems and codes. Currently, IPv6 is difficult to parse, and the wide range of regex rules is going to leave holes in many apps. Hopefully RFC 5952 will bring some sanity to this mess.


araitz
Splunk Employee

Certainly some example IPv6 addresses in the events themselves would be useful....



jtrucks
Splunk Employee

How do you use these in an actual search?

--
Jesse Trucks
Minister of Magic

stefanlasiewski
Contributor

Can I use all 6 of these patterns and combine them into a single 'type' called 'IPv6 address'?
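A worked extractor, added here as an example and not code from the thread or from Splunk, that ties together Rob's accepted answer, stefanlasiewski's RFC 5952 remark and the question above about combining the patterns into a single type. One loose candidate regex catches every textual form Rob lists (full, leading zeros dropped, '::' collapsed, embedded IPv4 tail) plus '::1', which his collapsed-form regex misses; Python's ipaddress module then rejects anything that is not a real IPv6 address, so the regex no longer has to; and each hit is rewritten in RFC 5952 style so that all variants of one address become a single searchable value. The sample firewall lines, the field labels (src=, dst=, via=) and the function names are constructed for this example.

```python
import ipaddress
import re

# Added example, not code from the thread.  A deliberately loose candidate
# pattern: it also matches timestamps, MAC addresses and ':port' fragments,
# and ipaddress does the strict check below.  Only syntax shared by Python's
# re and PCRE is used, so the pattern can be pasted into a Splunk rex or a
# transforms.conf REGEX unchanged.
IPV6_CANDIDATE = re.compile(
    r"(?<![\w:.])"                 # not glued to a word, a ':' or a '.' on the left
    r"(?P<addr>"
    r"(?:[0-9A-Fa-f]{1,4})?"       # first hextet; absent for '::1' or '::ffff:...'
    r"(?::[0-9A-Fa-f]{0,4}){1,7}"  # ':hextet' up to 7 times; a bare ':' makes '::'
    r"(?:\.\d{1,3}){0,3}"          # optional dotted-quad tail (192.168.10.100)
    r")"
    r"(?![\w:]|\.\d)"              # stop cleanly before ' ', ']', '/port', '%zone' or a final '.'
)


def extract_ipv6(event: str) -> list[str]:
    """Return every syntactically valid IPv6 address in `event`, each rewritten
    in RFC 5952 style (lowercase, leading zeros dropped, the longest run of
    zero hextets collapsed), so all the textual variants in the thread yield
    one searchable value.  An embedded IPv4 tail is normalised as well."""
    found = []
    for m in IPV6_CANDIDATE.finditer(event):
        try:
            addr = ipaddress.IPv6Address(m.group("addr"))
        except ipaddress.AddressValueError:
            # '12:00:05', '00:1a:2b:3c:4d:5e', ':5353', 'fe80::c0a8::a64' land here
            continue
        found.append(addr.compressed)
    return found


def same_ipv6(a: str, b: str) -> bool:
    """True when two textual forms denote the same 128-bit address."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


# Constructed sample firewall events (not from the original thread).
# 192.168.10.100 is c0a8:0a64 in hex, the address used in the accepted answer.
SAMPLE_EVENTS = [
    # full form, exactly what Rob's first regex expects
    "2024-01-10T12:00:01Z fw1 action=allow src=fe80:0000:0000:0000:0000:0000:c0a8:0a64 "
    "dst=2001:0db8:0000:0000:0000:0000:0000:0001 dport=443",
    # leading zeros dropped
    "2024-01-10T12:00:02Z fw1 action=allow src=fe80:0:0:0:0:0:c0a8:a64 dst=2001:db8:0:0:0:0:0:1 dport=443",
    # collapsed, upper case, bracketed [addr]:port and Cisco-style addr/port
    "2024-01-10T12:00:03Z fw1 action=deny src=[FE80::C0A8:A64]:5353 dst=ff02::fb/5353",
    # embedded IPv4 tails and the loopback '::1' that the collapsed-form regex misses
    "2024-01-10T12:00:04Z fw1 action=allow src=::ffff:192.168.10.100 dst=fe80::192.168.10.100 via=::1",
    # nothing here may be reported: an illegal double '::', a MAC, an IPv4 socket, a bare time
    "Jan 10 12:00:05 fw1 bad=fe80::c0a8::a64 mac=00:1a:2b:3c:4d:5e peer=10.0.0.1:8080",
]


def extract_all(events=SAMPLE_EVENTS) -> list[list[str]]:
    """Run the extractor over every line; index i holds the addresses of line i."""
    return [extract_ipv6(e) for e in events]


if __name__ == "__main__":
    for line, addrs in zip(SAMPLE_EVENTS, extract_all()):
        print(f"{line[:48]:<48} -> {addrs}")
```

If the candidate pattern is used directly in Splunk, keep the extraction anchored on the surrounding field label (src=, dst=) as Rob's answer suggests: the pattern alone also matches timestamps and MAC addresses, and a colon-separated 64-bit identifier written as eight groups is syntactically a valid IPv6 address, so no syntax check can reject that one either.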
