Splunk Search

Why are my props and transforms not extracting fields when I search my index with events of custom apache logs with client certificates?

pde7
Explorer

I've got an instance of Apache that is processing client certificates for the remote user identity. I want to log the user activities so I created a custom log in the httpd.conf file:

LogFormat "%h %l \"%{SSL_CLIENT_S_DN}x\" %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%q\" %T" combinedssl

Specifically, I replaced the normal access_combined %u with \"%{SSL_CLIENT_S_DN}x\". Note that the certificate DN contains spaces so I included double quotes. To offset the changes in Splunk, I created a new index for just these logs, updated the local props.conf and transforms.conf files. I know the index isn't strictly required but I wanted to keep all of this separate so I could just delete/recreate the index as needed.

In props.conf:

  [access_combined_ssl]
  REPORT-access = access-extractions-ssl

In transforms.conf:

  [access-extractions-ssl]
  REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"[[qstring:user]]"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

When I attempt to view all of the events in the index, I don't see any of the fields. In fact, it attempts to create a field for each of the sub-values (CN, OU, O, C) but nothing for "user". The remaining fields like timestamp are all out of place. I've tested a couple different things to keep it as a single user field but none of them appear to work. So I figured I would try to see if anyone else has tried this...

1 Solution

dwaddle
SplunkTrust
SplunkTrust

YAY SPLUNKLIVE! In person help FTW.

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"(?<user>[^"]+)"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

YAY SPLUNKLIVE! In person help FTW.

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"(?<user>[^"]+)"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

pde7
Explorer

Thanks again!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...