I would like to modify an existing dashboard to limit the Linux package that is being reported. Specifically, I want to see any packages that start with kernel. The plugin that is in use is Software Enumeration (SSH). The existing query returns too many records and is truncated. If I could limit it to see kernel packages only I think it would allow the query to complete. Does anybody have any suggestions how to pass this kernel*?
I believe I figured it out:
index=server_logs sourcetype="tenable:sc:vuln" pluginName="Software Enumeration (SSH)" dnsName = "$server$"
| rex field=pluginText "Linux system\s\:\s+(?<RPM>[^<]+)"
| rex field=RPM mode=sed "s/\s+/;/g"
| makemv RPM delim=";"
| mvexpand RPM | search RPM="kernel*"
| table dnsName RPM
| dedup dnsName RPM
Unfortunately it includes any kernel-* items not just what I am looking for (i.e. kernel-3.10.*). If I could limit it to kernel-3* and kernel-2* I think it would get what I need... Any way to do that? Thanks!
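One way to narrow the match to the actual kernel packages, as an added example rather than anyone's post in this thread (it reuses the index, sourcetype, plugin name and `$server$` dashboard token from the search above, which are assumed to be correct for this environment):

```spl
index=server_logs sourcetype="tenable:sc:vuln" pluginName="Software Enumeration (SSH)" dnsName="$server$"
| rex field=pluginText "Linux system\s\:\s+(?<RPM>[^<]+)"
| rex field=RPM mode=sed "s/\s+/;/g"
| makemv RPM delim=";"
| mvexpand RPM
| regex RPM="^kernel-[23][.]"
| table dnsName RPM
| dedup dnsName RPM
```

The `regex` command keeps only rows whose RPM value matches the pattern, and the anchor `^kernel-[23][.]` requires the package name to be `kernel` followed by a 2.x or 3.x version, so `kernel-3.10.0-...` and `kernel-2.6.32-...` are kept while `kernel-devel-3.10...`, `kernel-headers-...` and `kernel-tools-...` are dropped (they start with `kernel-d`, `kernel-h`, `kernel-t`). The wildcard form `| search RPM="kernel-3*" OR RPM="kernel-2*"` gives the same result; the regex form is easier to tighten later, for example to a single major.minor. If the expanded result set is still truncated, filter the multivalue field before expanding it with `| eval RPM=mvfilter(match(RPM, "^kernel-[23][.]"))` placed right after `makemv`, so `mvexpand` only has to produce rows for the kernel entries instead of every package on the host.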
I'm hoping this is what you are looking for: (I'm a newbie).
index=server_logs sourcetype="tenable:sc:vuln" pluginName="Software Enumeration (SSH)" dnsName = "$server$"
| rex field=pluginText "Linux system\s\:\s+(?<RPM>[^<]+)"
| rex field=RPM mode=sed "s/\s+/;/g"
| makemv RPM delim=";"
| mvexpand RPM
| table dnsName RPM
| dedup dnsName RPM