
Regex for arpwatch extractions

Path Finder

Does anyone have any field extraction regexes for arpwatch they could share? I could probably figure it out eventually but regexes are not my idea of fun.


Re: Regex for arpwatch extractions

Super Champion

You could of your data and what you want to extract.


Re: Regex for arpwatch extractions

SplunkTrust

Hi ehoward,

Like lukejadamec said, sample data is most useful, and your needs as well. Nevertheless, since arpwatch is nothing else than syslog output and therefore pretty generic, you can do some regex-Fu based on this log example:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

Using the above sample, use this:

... | rex field="_raw" "\:\s(?<arpwatchStatus>.+station)" | ...

to get a new field arpwatchStatus containing either new station or changed station.

Use this:

... | rex field="_raw" "\s(?<arpwatchInterface>[a-z]+[0-9])" | ...

to get a new field called arpwatchInterface containing in this case eth0.

You just learned search time field extraction, so you should know what the field names for the next examples will be and what they will contain:

... | rex field="_raw" "new\sstation\s(?<arpwatchNewIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "new\sstation\s(\d+\.){3}\d+\s(?<arpwatchNewMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
... | rex field="_raw" "changed\sstation\s(?<arpwatchChangedIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "changed\sstation\s(\d+\.){3}\d+\s(?<arpwatchChangedMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...

Field extraction can be set up to happen automatically; take a look at the docs about this.

Hope this helps to get you going ...

cheers, MuS

PS: if this answer was useful, please tick the tick to mark it answered

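The extractions from the answer above, re-implemented in Python over the sample lines posted in this thread, as an added example that is not part of the original thread: one combined pattern pulls out the status, IP, MAC, the previous MAC in parentheses and the interface, and the MACs are zero-padded so arpwatch's `0:17:9a:a:f6:44` compares equal to the `00:17:9a:0a:f6:44` form found in DHCP leases and switch tables. Python spells named groups `(?P<name>...)` where Splunk rex uses `(?<name>...)`; the optional `arpwatch[pid]` form is an assumption about syslog formatting, not something the thread shows.

```python
import re

# Combined pattern equivalent to the rex commands above; Splunk rex would write
# (?<name>...) where Python needs (?P<name>...). The optional "[pid]" after
# "arpwatch" is an assumption about syslog formatting, not shown in the thread.
MAC = r"(?:[0-9a-f]{1,2}[:.-]){5}[0-9a-f]{1,2}"
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+arpwatch(?:\[\d+\])?:\s+"
    r"(?P<status>(?:new|changed) station)\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    rf"(?P<mac>{MAC})"
    rf"(?:\s+\((?P<old_mac>{MAC})\))?"  # present on "changed station" lines
    r"(?:\s+(?P<interface>[a-z]+\d+))?\s*$",
    re.IGNORECASE,
)

# Sample lines taken from the posts above (the third has no interface field).
SAMPLE_LINES = [
    "Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0",
    "Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)",
    "Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3",
]


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet and use ':' so arpwatch's '0:17:9a:a:f6:44' matches
    the '00:17:9a:0a:f6:44' form used by DHCP leases, switch tables, etc."""
    return ":".join(f"{int(octet, 16):02x}" for octet in re.split(r"[:.-]", mac))


def parse_arpwatch(line: str):
    """Return the extracted fields as a dict, or None for non-arpwatch lines."""
    m = ARPWATCH_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = fields["status"].lower()
    fields["mac"] = normalize_mac(fields["mac"])
    if fields["old_mac"]:
        fields["old_mac"] = normalize_mac(fields["old_mac"])
    return fields


def mac_changes(lines):
    """(ip, old_mac, new_mac) for every 'changed station' event: an IP now
    answering from a different MAC, which is the event worth reviewing."""
    events = []
    for line in lines:
        f = parse_arpwatch(line)
        if f and f["status"] == "changed station":
            events.append((f["ip"], f["old_mac"], f["mac"]))
    return events
```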

Re: Regex for arpwatch extractions

Path Finder

Thank you all for your answers. I really appreciate all the help. I have fought my way through regexes before, but if you don't do it every day it can be frustrating to pick it all up again. The samples you have provided me are a great start. Once I get all my fields properly defined I will post what I have.


Re: Regex for arpwatch extractions

SplunkTrust

You're welcome. Please tick the tick in this case to mark this as answered - thx


Re: Regex for arpwatch extractions

Splunk Employee

Given that your record looks like this:

Apr  3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3

You should be able to use this regex:

^(?:[^\s]+\s+){3}(?<host>[^\s]+)\s+(?<process>[^:]+):\s+(?<message>[^\d]+)(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac>.*)

If you provide some log samples and the fields you'd like extracted, I can be more precise.