Splunk Search

Vyatta Rule Field Extraction

mrjester
Explorer

I am consuming logs from my Vyatta firewall and I am having trouble getting the field extractor to reliably pull the rule name from the events. It looks like I need to manually build the regex query, but unfortunately I lack that skill.

The rule name is always the 7th field as identified by spaces.

[<ruleset>-<ruleNumber>-<action>]

* Ruleset could be trust-service-6, trust-untrust6, dmz-local etc. in my instance. Generically, it could be any text.
* RuleNumber could be 1-9999 or default.
* Action could be A, R or D

These are examples of the form the rule names take in my environment.

[dmz-local-6-10-A]

[dmz-local-100-A]

[trust-untrust-2-D]

[untrust-trust-3-D]

[work-untrust-20-A]

[trust-untrust-default-D]

[trust-service-6-default-D]

[dmz-local-6-50-R]

[dmz-mgmt-100-R]

The following are raw sources.

* Mar 8 09:25:21 carbon kernel: [8195160.290370] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=59399 DPT=53 LEN=49
* Mar 8 09:25:21 carbon kernel: [8195160.293139] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46094 PROTO=UDP SPT=21394 DPT=53 LEN=97
* Mar 8 09:25:21 carbon kernel: [8195160.386377] [trust-local-6-10-A] IN=eth0.100 OUT= MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=63647 DPT=53 LEN=49
* Mar 8 09:25:21 carbon kernel: [8195160.388007] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 PREC=0x00 TTL=63 ID=46095 PROTO=UDP SPT=28420 DPT=53 LEN=97
* Mar 8 09:25:21 carbon kernel: [8195160.472564] [trust-untrust-20-A] IN=eth0.100 OUT=eth1.999 MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:08:00 SRC=10.0.1.10 DST=204.236.229.254 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30076 DF PROTO=TCP SPT=51287 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
* Mar 8 09:25:23 carbon kernel: [8195162.690082] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31426 DF PROTO=TCP SPT=60668 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
* Mar 8 09:25:23 carbon kernel: [8195162.693543] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31429 DF PROTO=TCP SPT=60669 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
* Mar 8 09:25:24 carbon kernel: [8195163.148490] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31455 DF PROTO=TCP SPT=60670 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
* Mar 8 09:25:26 carbon kernel: [8195165.241861] [work-service-20-A] IN=eth0.300 OUT=eth1.600 MAC=00:30:48:9f:33:b2:00:13:c3:d2:f0:b2:08:00 SRC=10.0.4.120 DST=10.0.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=31483 DF PROTO=TCP SPT=60671 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
* Mar 8 09:25:27 carbon kernel: [8195166.278045] [untrust-local-6-10-A] IN=eth1.999 OUT= MAC=00:30:48:9f:33:b3:00:0c:29:af:6d:87:86:dd SRC=2001:0470:1f11:03f2:0000:0000:0000:0203 DST=2001:0470:1f11:03f2:0000:0000:0000:0001 LEN=82 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=33103 DPT=53 LEN=42

lguinn2
Legend

Assuming that the sourcetype of your data is vyatta, put this in $SPLUNK_HOME/etc/system/local/props.conf

[vyatta]
EXTRACT-e1=\[.*?]\s\[(?<ruleName>.+?)]

This should extract the field and call it ruleName.

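As an added check that is not part of the thread, the Python script below runs the accepted answer's EXTRACT regex against raw events taken from the question, and, with a stricter regex written for this example, also splits the rule name into the ruleset, ruleNumber and action parts the question describes. Python's re module only accepts (?P<name>...) named groups, not PCRE's (?<name>...) that Splunk uses, so the helper pcre_to_python rewrites that one detail before matching; the helper names and the stricter regex are this example's own, and the third event is constructed so that a "default" rule number is exercised.

```python
import re
from typing import Optional

# Accepted answer's EXTRACT regex, exactly as written in props.conf above (PCRE syntax).
SPLUNK_RULE_NAME_RE = r"\[.*?]\s\[(?<ruleName>.+?)]"

# Stricter regex added for this example (not from the thread). Same anchoring on the
# two bracketed tokens, but it also splits the rule name into the three parts the
# question describes: <ruleset>-<ruleNumber>-<action>, with ruleNumber 1-9999 or
# "default" and action A, R or D. The ruleset is matched lazily so the last two
# dash-separated tokens are left for ruleNumber and action.
SPLUNK_RULE_PARTS_RE = (
    r"\[.*?]\s\[(?<ruleset>.+?)-(?<ruleNumber>[1-9]\d{0,3}|default)-(?<action>[ARD])]"
)


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Only a '(?<' that starts a group name is touched, so lookbehinds such as
    (?<= and (?<! pass through unchanged."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(pattern: str, event: str) -> Optional[dict]:
    """Apply a Splunk-style regex to one raw event and return its named groups,
    or None when the regex does not match (Splunk would then leave the fields unset)."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else None


# Two raw events copied from the question, plus one constructed event in the same
# format whose rule name is "trust-untrust-default-D" (listed in the question, but
# carried by none of the posted raw events).
SAMPLE_EVENTS = [
    "Mar 8 09:25:21 carbon kernel: [8195160.290370] [trust-local-6-10-A] IN=eth0.100 OUT= "
    "MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:86:dd SRC=2001:0db8:0100:0100:0000:0000:0000:0010 "
    "DST=2001:0db8:0100:0100:0000:0000:0000:0001 LEN=89 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=59399 DPT=53 LEN=49",
    "Mar 8 09:25:21 carbon kernel: [8195160.293139] [service-untrust-10-A] IN=eth1.600 OUT=eth1.999 "
    "MAC=00:30:48:9f:33:b3:00:0c:29:47:da:a1:08:00 SRC=10.0.6.5 DST=204.246.162.10 LEN=117 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=46094 PROTO=UDP SPT=21394 DPT=53 LEN=97",
    # constructed sample event (not from the question)
    "Mar 8 09:25:30 carbon kernel: [8195169.000000] [trust-untrust-default-D] IN=eth0.100 OUT=eth1.999 "
    "MAC=00:30:48:9f:33:b2:54:04:a6:42:be:92:08:00 SRC=10.0.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0",
]


def rule_names(events=SAMPLE_EVENTS) -> list:
    """ruleName as the accepted answer's regex extracts it, one entry per event."""
    return [extract(SPLUNK_RULE_NAME_RE, e)["ruleName"] for e in events]


def rule_parts(events=SAMPLE_EVENTS) -> list:
    """(ruleset, ruleNumber, action) from the stricter regex, or None per non-matching event."""
    out = []
    for e in events:
        g = extract(SPLUNK_RULE_PARTS_RE, e)
        out.append((g["ruleset"], g["ruleNumber"], g["action"]) if g else None)
    return out


if __name__ == "__main__":
    for name, parts in zip(rule_names(), rule_parts()):
        print(f"{name:28} -> ruleset={parts[0]} ruleNumber={parts[1]} action={parts[2]}")
```

The same PCRE strings can be tried interactively at search time with `| rex field=_raw "..."` before committing them to props.conf. Note that both regexes rely on the first bracketed token being the kernel timestamp and the second being the rule name; an event that is not in that shape simply gets no ruleName rather than a wrong one, and the stricter regex additionally refuses a rule number outside 1-9999 or an action other than A, R or D, which makes such events easy to spot with a search for missing fields.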

vipiao
New Member

Try:

\w{3}\s+\d+\s+\d+:\d+:\d+\s+\w+\s+\w+:\s+\[\d+\.\d+\]\s+\[(?<ruleset>\w+-\w+(?:-\d+)?)-(?<ruleNumber>[\ddefault]+)-(?<action>\w+)\]\s+


mrjester
Explorer

Thanks. Works perfectly so far.
