Splunk Search

Why are my props and transforms not extracting fields when I search my index with events of custom apache logs with client certificates?

Explorer

I've got an instance of Apache that is processing client certificates for the remote user identity. I want to log the user activities so I created a custom log in the httpd.conf file:

LogFormat "%h %l \"%{SSL_CLIENT_S_DN}x\" %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%q\" %T" combinedssl

Specifically, I replaced the normal access_combined %u with \"%{SSL_CLIENT_S_DN}x\". Note that the certificate DN contains spaces so I included double quotes. To offset the changes in Splunk, I created a new index for just these logs, updated the local props.conf and transforms.conf files. I know the index isn't strictly required but I wanted to keep all of this separate so I could just delete/recreate the index as needed.

In props.conf:

  [access_combined_ssl]
  REPORT-access = access-extractions-ssl

In transforms.conf:

  [access-extractions-ssl]
  REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"[[qstring:user]]"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

When I attempt to view all of the events in the index, I don't see any of the fields. In fact, it attempts to create a field for each of the sub-values (CN, OU, O, C) but nothing for "user". The remaining fields like timestamp are all out of place. I've tested a couple different things to keep it as a single user field but none of them appear to work. So I figured I would try to see if anyone else has tried this...

1 Solution

SplunkTrust
SplunkTrust

YAY SPLUNKLIVE! In person help FTW.

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"(?<user>[^"]+)"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

View solution in original post

SplunkTrust
SplunkTrust

YAY SPLUNKLIVE! In person help FTW.

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++"(?<user>[^"]+)"\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

View solution in original post

Explorer

Thanks again!

0 Karma