Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are my props and transforms not extracting fields when I search my index with events of custom apache logs with client certificates?

pde7
Explorer
‎02-23-2015 01:00 PM

I've got an instance of Apache that is processing client certificates for the remote user identity. I want to log the user activities so I created a custom log in the httpd.conf file:

LogFormat "%h %l \"%{SSL_CLIENT_S_DN}x\" %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%q\" %T" combinedssl

Specifically, I replaced the normal access_combined %u with \"%{SSL_CLIENT_S_DN}x\". Note that the certificate DN contains spaces so I included double quotes. To offset the changes in Splunk, I created a new index for just these logs, updated the local props.conf and transforms.conf files. I know the index isn't strictly required but I wanted to keep all of this separate so I could just delete/recreate the index as needed.

In props.conf:

  [access_combined_ssl]
  REPORT-access = access-extractions-ssl

In transforms.conf:

  [access-extractions-ssl]
  REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"[[qstring:user]]"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

When I attempt to view all of the events in the index, I don't see any of the fields. In fact, it attempts to create a field for each of the sub-values (CN, OU, O, C) but nothing for "user". The remaining fields like timestamp are all out of place. I've tested a couple different things to keep it as a single user field but none of them appear to work. So I figured I would try to see if anyone else has tried this...

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-15-2015 01:19 PM

YAY SPLUNKLIVE! In person help FTW.

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"(?<user>[^"]+)"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-15-2015 01:19 PM

YAY SPLUNKLIVE! In person help FTW.

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"(?<user>[^"]+)"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
Reply
Solved! Jump to solution

pde7
Explorer
‎04-15-2015 05:56 PM

Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...