Untangle Firewall logs not parsed properly into Ke...

hariskhan218 · ‎12-26-2017

Hi there,
I have configured Untangle firewall in below mentined fashion.

Configured syslogs port 514 to my splunk instance.
created indexer with _json source type
Below is log format for the firewall

Dec 27 12:46:28 10.10.1.80 Dec 27 12:50:05 localhost node-15: [SyslogManagerImpl] <> INFO uvm[0]: {"protocol":6,"timeStamp":"2017-12-27 12:50:05.603","SClientAddr":"/99.99.99.69","tag":"uvm[0]: ","CServerAddr":"/116.38.203.14","protocolName":"TCP","CClientAddr":"/99.99.99.69","class":"class com.untangle.uvm.node.SessionEvent","hostname":"99.99.99.69","SClientPort":49726,"serverIntf":1,"CServerPort":443,"clientIntf":2,"policyId":1,"sessionId":97828113688465,"SServerPort":443,"SServerAddr":"/216.58.207.14","CClientPort":49726}

Can someone advice on how to properly segregate key values from above logs.
I have tried using json for above source type but no success.

micahkemp · ‎12-27-2017

This may only be a partial answer, but try:

<your base search>
| rex field=tmp "(?<json>\{.+)" 
| spath input=json

Based on previous answers post.

hariskhan · ‎12-28-2017

Thanks , that worked.

richgalloway · ‎12-28-2017

@hariskhan, if your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

Untangle Firewall logs not parsed properly into Key/Value pair

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...