Splunk Search

Parsing kaspersky syslog events

martaBenedetti
Path Finder

Hi community,

I need help in parsing events containing not pure json.

This is the raw event:

 

May 28 15:00:15 sd960evo ESS|2.1.0.0 {"User":"SD960EVO\\WinCash","ObjectName":"C:\\PROGRAM FILES\\NCR\\UAHELPER\\XFSTOOL.EXE","Sha256":"6E3B72786B24A85BA657D8298783402DA5237A864ADE989B7B013DEFE65BEDCF","CmdLine":"\"C:\\Program Files\\NCR\\UAHelper\\XFSTool.exe\" \"C:\\Program Files\\NCR APTRA\\Unified Agent\\WS\\bin\\FileUpload\" PIN30\u0000","ParentName":"C:\\Program Files\\NCR\\UAHelper\\UAHelperService.exe\u0000","ProductName":"","FileVersion":"0.0.0.0","EnforcedPolicy":"Deny","DefaultPolicy":"Deny","MatchedRules":"","Issuer":"","Thumbprint":"","Valid":"No","DefaultDeny":"Yes","ActionMask":"-2147483390"}\r\n

 

 

This is my props.conf 

 

[kaspersky:syslog]
TIME_PREFIX             = ^
TIME_FORMAT             = %b %d %T

EXTRACT-device          = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?<device>[^\s]*)\s+.*
EXTRACT-app             = \w+\s+\d+\s+\d+\:\d+\:\d+\s+\S+\s(?<app>[^\s]*)\s+.*

REPORT-json = report-json,report-json-kv

 

 

This is my transforms.conf file

 

[report-json]
# This will get the json payload from the logs.
REGEX = (?P<json1>{.+})

# Manually extract JSON key-value
[report-json-kv]
REGEX = \"(\w+)\":[\s]*\"([^\,\}\"]+)
FORMAT = $1::$2
MV_ADD = true

 

 

I've tried regex to extract device, app, json1 at search time with rex command and it's working fine.

Do you have any ideas?

Do you have better solution to parse this log?

 

Thank you very much

Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try extracting device and app in the same regex.

EXTRACT-deviceApp             = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?<device>\S+)\s(?<app>[^\s]*)\s

I don't see the need for the report-json transform.

This transform should handle the key-value parsing.

[report-json-kv]
REGEX = "(\w+)":\s*"((?:[^"\\]|\\.)*)"
FORMAT = $1::$2
MV_ADD = true
---
If this reply helps you, Karma would be appreciated.

View solution in original post

martaBenedetti
Path Finder

Thank you very much, that worked perfectly fine.

I was able to reach the same result also using SEDCMD.

Thank you again!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try extracting device and app in the same regex.

EXTRACT-deviceApp             = \w+\s+\d+\s+\d+\:\d+\:\d+\s+(?<device>\S+)\s(?<app>[^\s]*)\s

I don't see the need for the report-json transform.

This transform should handle the key-value parsing.

[report-json-kv]
REGEX = "(\w+)":\s*"((?:[^"\\]|\\.)*)"
FORMAT = $1::$2
MV_ADD = true
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...