Splunk Search

Search-Time Field Extraction - Not Working

vragosta
Path Finder

Hello all,

We are collecting Cisco firewall logs into Splunk and have installed the "Splunk for Cisco Firewalls" application. There is a particular event id that is generated due to our Websense integration, ASA-5-304001 or PIX-5-304001, which indicates a user has visited a website. To enable better reporting on this type of log, I wanted to create a custom sourcetype of cisco_websense and parse out some of the data. These are the modifications I have made to transforms.conf and props.conf:

Transforms.conf modifications

[force_sourcetype_for_cisco_websense]
DEST_KEY = MetaData:Sourcetype
REGEX = %(ASA|PIX)-5-304001
FORMAT = sourcetype::cisco_websense

[cisco_websense-ip_addresses]
# FORMAT needs one capture group per $n it references
REGEX = (\d{1,3}(?:\.\d{1,3}){3}).*?(\d{1,3}(?:\.\d{1,3}){3}).*?(\d{1,3}(?:\.\d{1,3}){3})
FORMAT = host::$1 src_ip::$2 dst_ip::$3

[cisco_websense-URL]
# Capture the whole URL, not only the leading "/" or "http:"
REGEX = ((?:/|http:)\S+)
FORMAT = url::$1

Props.conf modifications

TRANSFORMS-force-sourcetype_for_cisco_devices = force_sourcetype_for_cisco_websense, force_sourcetype_for_cisco_pix, force_sourcetype_for_cisco_asa, force_sourcetype_for_cisco_fwsm, force_sourcetype_for_cisco_acs, force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_catchall

[cisco_websense]
REPORT-websense = ciscosyslog-eventinfo, cisco_websense-ip_addresses, cisco_websense-URL
lookup_table = err_code_lookup error_code
LOOKUP-vendor_info_for_cisco_firewall = cisco_firewall_vendor_info_lookup sourcetype OUTPUT vendor,product

For some reason I cannot figure out, after restarting Splunk the custom sourcetype cisco_websense is not being recognized. Any help with this issue is greatly appreciated.

Thank you.

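A REGEX/FORMAT pair like the ones in this post can be checked outside Splunk. The following is an added Python example, not code from the thread or from the Splunk for Cisco Firewalls app: it models how a transform binds each $n in FORMAT to a capture group of REGEX, runs an IP-address transform and a URL transform over a constructed ASA 304001 event (the syslog host is an IP address so that the three-field FORMAT has a third address to bind to), and also shows what happens when a pattern has no capture groups at all. The sample event, the assumption that a missing group yields no fields, and the function names are all this example's own.

```python
import re

# Constructed sample event in the shape of an ASA 304001 message (not taken
# from the thread). The syslog host is an IP address so that the three-field
# FORMAT (host, src_ip, dst_ip) has a third address to bind to.
SAMPLE = ("Nov  5 10:12:33 192.0.2.1 %ASA-5-304001: 10.1.2.3 "
          "Accessed URL 93.184.216.34:http://example.com/index.html")

# A regex with one capture group per $n referenced in FORMAT.
IP4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
IP_RE = IP4 + r".*?" + IP4 + r".*?" + IP4
IP_FORMAT = "host::$1 src_ip::$2 dst_ip::$3"

# Capture the whole URL, not only its leading "/" or "http:".
URL_RE = r"((?:/|http:)\S+)"
URL_FORMAT = "url::$1"

# The same IP pattern with no capture groups: FORMAT's $1..$3 then have
# nothing to bind to.
NO_GROUP_IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

_FORMAT_TOKEN = re.compile(r"^(\w+)::\$(\d+)$")


def extract(regex, fmt, line):
    """Model one transforms.conf REGEX/FORMAT pair on a single event.

    Returns the fields the pair yields. An unmatched regex, or a FORMAT that
    references a capture group the regex does not have, yields nothing here
    (an assumption about how to represent the failure, not something the
    thread states).
    """
    pattern = re.compile(regex)
    match = pattern.search(line)
    if match is None:
        return {}
    fields = {}
    for token in fmt.split():
        m = _FORMAT_TOKEN.match(token)
        if m is None or int(m.group(2)) > pattern.groups:
            return {}
        fields[m.group(1)] = match.group(int(m.group(2)))
    return fields


def extract_websense_fields(line):
    """Run both field transforms the way a REPORT- setting would."""
    fields = {}
    fields.update(extract(IP_RE, IP_FORMAT, line))
    fields.update(extract(URL_RE, URL_FORMAT, line))
    return fields


if __name__ == "__main__":
    print(extract_websense_fields(SAMPLE))
    print(extract(NO_GROUP_IP_RE, IP_FORMAT, SAMPLE))  # nothing to bind
```

Running it against the sample event yields host, src_ip, dst_ip and url; running the no-group pattern with the same FORMAT yields nothing, which is the first thing to check when a REPORT- extraction comes back empty.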

vragosta
Path Finder

I decided it was best to create transforms for the fields I wanted to extract instead of creating a completely different sourcetype. It appears to be working as I wanted it to.

Thanks!


vragosta
Path Finder

To illustrate this more clearly, here is the sourcetype definition for cisco_pix:

[force_sourcetype_for_cisco_pix]
DEST_KEY = MetaData:Sourcetype
REGEX = %PIX-\d+-\d+
FORMAT = sourcetype::cisco_pix

Here is the sourcetype definition for cisco_websense:

[force_sourcetype_for_cisco_websense]
DEST_KEY = MetaData:Sourcetype
REGEX = %(ASA|PIX)-5-304001
FORMAT = sourcetype::cisco_websense

Thanks!


vragosta
Path Finder

Okay...I think I know what is happening. I am trying to define a sourcetype that is a more specific case, cisco_websense, of a sourcetype that is already defined (cisco_asa and cisco_pix).

How does Splunk handle the case where it matches multiple sourcetype definitions? I would think there would be a defined mechanism for determining precedence of the sourcetype definitions.

Thanks!

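The precedence question can be explored with a small simulation. This is an added Python example, not something from the thread or from Splunk itself, and it rests on one assumption: that the transforms named in a TRANSFORMS- list are applied in the order listed and that each matching one overwrites MetaData:Sourcetype, so the last match wins. Under that model the order in the first post (cisco_websense listed first, then cisco_pix and cisco_asa) lets the broader ASA pattern overwrite the websense result, while moving the most specific transform last keeps it. The cisco_websense and cisco_pix regexes are the ones quoted in the thread; the cisco_asa regex and the sample events are constructed for this example.

```python
import re

# Per-event sourcetype transforms modelled on the force_sourcetype_* stanzas:
# name -> (REGEX, value written to MetaData:Sourcetype). The websense and
# PIX regexes are the ones quoted in the thread; the ASA one is assumed to
# mirror the PIX pattern.
TRANSFORMS = {
    "force_sourcetype_for_cisco_websense": (r"%(ASA|PIX)-5-304001", "cisco_websense"),
    "force_sourcetype_for_cisco_pix": (r"%PIX-\d+-\d+", "cisco_pix"),
    "force_sourcetype_for_cisco_asa": (r"%ASA-\d+-\d+", "cisco_asa"),
}

# Order as given in the post's TRANSFORMS-force-sourcetype_for_cisco_devices
# list, restricted to the stanzas that are actually defined on the page ...
POSTED_ORDER = [
    "force_sourcetype_for_cisco_websense",
    "force_sourcetype_for_cisco_pix",
    "force_sourcetype_for_cisco_asa",
]
# ... and the same list with the most specific transform moved last.
SPECIFIC_LAST = list(reversed(POSTED_ORDER))

# Constructed sample events (not from the thread).
WEBSENSE_EVENT = ("Nov  5 10:12:33 fw01 %ASA-5-304001: 10.1.2.3 "
                  "Accessed URL 93.184.216.34:http://example.com/")
PLAIN_ASA_EVENT = "Nov  5 10:12:34 fw01 %ASA-6-302013: Built outbound TCP connection"


def resolve_sourcetype(order, event, default="syslog"):
    """Apply the transforms in list order.

    Model: each matching transform writes MetaData:Sourcetype, so when several
    match, the last one listed determines the final value. That 'listed order,
    last write wins' behaviour is the assumption this example rests on.
    """
    sourcetype = default
    for name in order:
        regex, value = TRANSFORMS[name]
        if re.search(regex, event):
            sourcetype = value
    return sourcetype


def compare_orders(event):
    """Return the sourcetype an event ends up with under both orderings."""
    return {
        "posted_order": resolve_sourcetype(POSTED_ORDER, event),
        "specific_last": resolve_sourcetype(SPECIFIC_LAST, event),
    }


if __name__ == "__main__":
    for event in (WEBSENSE_EVENT, PLAIN_ASA_EVENT):
        print(event[:45], compare_orders(event))
```

The 304001 event ends up as cisco_asa under the posted order and as cisco_websense once the websense transform is listed last; an ordinary ASA event is cisco_asa either way, so the reordering only affects the events the specific pattern was written for.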