Splunk Search

One event marks the end of the first transaction and the beginning of the next

supersleepwalke
Communicator

I have VPN logs which contain some entries where the internal IP changes. I want this data in two different sessions, but with the "IP change" message in both transactions:

Oct  1 16:37:22 10.20.020.002 Juniper: 1011-10-00 16:37:22 - qn - [110.01.003.200] ben(MYDOMAIN GIA)[Users] - Session timed out for ben/MYDOMAIN GIA due to inactivity (last access at 16:15:32 2012/10/01). Idle session identified during routine system scan.
Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.
Oct  1 09:53:18 10.20.020.002 Juniper: 1011-10-00 09:53:18 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Agent login succeeded for ben/MYDOMAIN GIA from 110.01.003.120.

I want two transactions:

Transaction one:

Oct  1 16:37:22 10.20.020.002 Juniper: 1011-10-00 16:37:22 - qn - [110.01.003.200] ben(MYDOMAIN GIA)[Users] - Session timed out for ben/MYDOMAIN GIA due to inactivity (last access at 16:15:32 2012/10/01). Idle session identified during routine system scan.
Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.

Transaction two:

Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.
Oct  1 09:53:18 10.20.020.002 Juniper: 1011-10-00 09:53:18 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Agent login succeeded for ben/MYDOMAIN GIA from 110.01.003.120.

Notice that the event at 13:15:31 is in both transactions.


supersleepwalke
Communicator

Found an even cleaner solution. For the lines that you want in both transactions, duplicate them, and change the src_ip with eval. Then you can use a single transaction command:

sourcetype=juniper  ("agent login" OR "Session timed out for" OR "Logout from" OR "Max session timeout for" OR "Remote address for user") 
| append [ search sourcetype=juniper  "Remote address for user" 
           | rex "to (?<new_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\."
           | eval src_ip=new_ip ] 
| sort -_time
| transaction user,src_ip

Now the log events that describe the IP change will appear in both the ending and beginning transaction. The text (_raw) will appear the same but the extracted src_ip field will be changed for the beginning transaction to trick it into matching properly.

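To see the accepted answer's trick outside Splunk, here is an added Python example (not from the thread) that applies the same steps to the three log lines from the question: extract user and src_ip, re-emit each "Remote address" event with src_ip rewritten to the new address (the append/eval step), sort newest first, and group by (user, src_ip) the way transaction does. It assumes all events fall on one day, so the HH:MM:SS string sorts correctly.

```python
# Added example, not from the Splunk thread: replicates the accepted answer's
# "duplicate the IP-change event with src_ip rewritten, then transaction user,src_ip"
# trick in plain Python so the two resulting sessions can be checked offline.
import re
from collections import defaultdict

# Constructed sample: the three Juniper lines from the question (newest first, as Splunk lists them).
LOGS = """\
Oct  1 16:37:22 10.20.020.002 Juniper: 1011-10-00 16:37:22 - qn - [110.01.003.200] ben(MYDOMAIN GIA)[Users] - Session timed out for ben/MYDOMAIN GIA due to inactivity (last access at 16:15:32 2012/10/01). Idle session identified during routine system scan.
Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.
Oct  1 09:53:18 10.20.020.002 Juniper: 1011-10-00 09:53:18 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Agent login succeeded for ben/MYDOMAIN GIA from 110.01.003.120.
"""

# Field extraction standing in for Splunk's automatic src_ip/user extraction (assumed format).
EVENT_RE = re.compile(r"^\w{3}\s+\d+ (?P<time>\d\d:\d\d:\d\d) .*? - \[(?P<src_ip>[\d.]+)\] (?P<user>\w+)\(")
# Same pattern as the answer's rex: the address after "to" on the IP-change line.
NEW_IP_RE = re.compile(r"to (?P<new_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.")

def parse(line):
    m = EVENT_RE.match(line)
    return {"time": m["time"], "src_ip": m["src_ip"], "user": m["user"], "raw": line} if m else None

def sessions(log_text):
    """Return {(user, src_ip): [raw events, newest first]}, i.e. '| transaction user,src_ip'."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    # The 'append [...]' subsearch: re-emit every IP-change event with src_ip set to the new address.
    for e in list(events):
        m = NEW_IP_RE.search(e["raw"])
        if m:
            events.append({**e, "src_ip": m["new_ip"]})
    events.sort(key=lambda e: e["time"], reverse=True)  # '| sort -_time' (single day assumed)
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["src_ip"])].append(e["raw"])  # group key = user,src_ip
    return dict(groups)

if __name__ == "__main__":
    for (user, ip), raws in sessions(LOGS).items():
        print(f"session user={user} src_ip={ip} events={len(raws)}")
        for r in raws:
            print("   ", r.split(" - ")[-1][:60])
```

The IP-change line ends up in both sessions with identical _raw text, exactly as the answer describes, because only the duplicated copy's src_ip differs.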

supersleepwalke
Communicator

Thanks to Ayn for helping with this answer in the IRC channel.

The answer is to search for the session beginning with the "Agent login succeeded" first and separately, then get the IP change transaction, and "append" them:

sourcetype=juniper | transaction user,src_ip | search "agent login"
| append [search sourcetype=juniper 
    | transaction user endswith=("Session timed out for" OR "Logout from" 
        OR "Max session timeout for") startswith="Remote address for user"]
| sort _time 

The first search keeps only sessions with matching IP addresses, so it will end with the IP change message.

The second search (with "append") finds the second half, from the IP change until the closing message of the session.

Apply sort for good measure.
