Splunk Search

Vyatta Rule Field Extraction

mrjester
Explorer

I am consuming logs from my Vyatta firewall and I am having trouble getting the field extractor to reliably pull the rule name from the events. It looks like I need to manually build the regex query, but unfortunately I lack that skill.

The rule name is always the 7th field as identified by spaces.

[<ruleset>-<ruleNumber>-<action>]

* Ruleset could be trust-service-6, trust-untrust6, dmz-local etc in my instance. Generically, it could be any text.
* RuleNumber could be 1-9999 or default.
* Action could be A, R or D

These are examples of the form the rule names take in my environment.

[dmz-local-6-10-A]

[dmz-local-100-A]

[trust-untrust-2-D]

[untrust-trust-3-D]

[work-untrust-20-A]

[trust-untrust-default-D]

[trust-service-6-default-D]

[dmz-local-6-50-R]

[dmz-mgmt-100-R]

The following are raw sources.

  • Mar 8 09:25:21 carbon kernel: [8195160.290370] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=59399 DPT=53 LEN=49
  • Mar 8 09:25:21 carbon kernel: [8195160.293139] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46094 PROTO=UDP SPT=21394 DPT=53 LEN=97
  • Mar 8 09:25:21 carbon kernel: [8195160.386377] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=63647 DPT=53 LEN=49
  • Mar 8 09:25:21 carbon kernel: [8195160.388007] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46095 PROTO=UDP SPT=28420 DPT=53 LEN=97
  • Mar 8 09:25:21 carbon kernel: [8195160.472564] [trust-untrust-20-A] IN=eth0.100 OUT=eth1.999 MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:08:00 SRC=10.0.1.10 DST=204.236.229.254 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30076 DF PROTO=TCP SPT=51287 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
  • Mar 8 09:25:23 carbon kernel: [8195162.690082] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31426 DF PROTO=TCP SPT=60668 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
  • Mar 8 09:25:23 carbon kernel: [8195162.693543] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31429 DF PROTO=TCP SPT=60669 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
  • Mar 8 09:25:24 carbon kernel: [8195163.148490] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31455 DF PROTO=TCP SPT=60670 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
  • Mar 8 09:25:26 carbon kernel: [8195165.241861] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31483 DF PROTO=TCP SPT=60671 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
  • Mar 8 09:25:27 carbon kernel: [8195166.278045] [untrust-local-6-10-A] IN=eth1.999 OUT= MAC=00:30:48:9f:33:b3:00:0c:29:af:6d:87:86:dd SRC=2001:0470:1f11:03f2:0000:0000:0000:0203 DST=2001:0470:1f11:03f2:0000:0000:0000:0001 LEN=82 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=33103 DPT=53 LEN=42
Tags (2)
0 Karma
1 Solution

lguinn2
Legend

Assuming that the sourcetype of your data is vyatta, put this in $SPLUNK_HOME/etc/system/local/props.conf

[vyatta]
EXTRACT-e1=\[.*?]\s\[(?<ruleName>.+?)]

This should extract the field and call it ruleName.

View solution in original post

vipiao
New Member

Try:

\w{3}\s+\d+\s+\d+:\d+:\d+\s+\w+\s+\w+:\s+[\d+.\d+]\s+[(?\w+-\w+(?:-\d+)?)-(?[\ddefault]+)-(?\w+)]\s+

0 Karma

lguinn2
Legend

Assuming that the sourcetype of your data is vyatta, put this in $SPLUNK_HOME/etc/system/local/props.conf

[vyatta]
EXTRACT-e1=\[.*?]\s\[(?<ruleName>.+?)]

This should extract the field and call it ruleName.

mrjester
Explorer

Thanks. Works perfectly so far.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...