how to search successful or failure connection for firewall log?

cyberportnoc
Explorer

I ran this search for the last 24 hours but got no result, not even for the last 7 days.

However, when I search inbound and outbound separately, there are search results.
Is it a problem with the alias names for the destination IP and source IP?

Should both inbound and outbound exist for it to be called a successful connection?
If there is only an inbound connection but no outbound connection, can it be a successful connection?

source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4" | rex field=_raw "Outside:(?<destinationip2>\d+.\d+.\d+.\d+){0,3}" | rex field=_raw "Inside:(?<sourceip2>\d+.\d+.\d+.\d+){0,3}" | join destinationip2 [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?<destinationip2>\d+.\d+.\d+.\d+){0,3}"] | mvexpand destinationip2 | table destinationip2, sourceip2

sundareshr
Legend

Try a different approach

source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" OR "Built outbound" NOT ("8.8.8.8" OR "8.8.4.4") | rex field=_raw "Outside:(?<destinationip2>\s?\d+\.\d+\.\d+\.\d+){0,3}" | rex field=_raw "Inside:(?<sourceip2>\s?\d+\.\d+\.\d+\.\d+){0,3}" | mvexpand destinationip2 | stats values(sourceip2) as sourceip2 by destinationip2 


cyberportnoc
Explorer

This approach searches inbound and outbound using OR, but it does not join them to find a specific session.

I am thinking of using maxspan=30s and join.

Actually, my logs look like these:

Aug 3 09:06:50 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 429365644 for Outside:126.27.180.187/64765 (180.25.12.177/64765) to Inside:202.171.212.131/80 (230.120.220.141/80)

Aug 3 09:07:11 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 429369569 for Outside:192.168.116.124/1883 (192.168.1.12/1883) to Inside:202.171.212.163/53381 (230.120.220.165/53381)

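
Added example, not code from the thread or from Splunk: a Python parser for the ASA 302013 lines posted above, using the escaped-dot IP regex from the accepted answer and producing the same per-destination summary as `stats values(sourceip2) as sourceip2, count by destinationip2` with the `NOT "8.8.8.8" NOT "8.8.4.4"` exclusion. The two sample lines are the ones posted above; the third line involving 8.8.8.8 is constructed, and the field names are my own.

```python
import re
from collections import defaultdict

# Regex for Cisco ASA %ASA-6-302013 "Built inbound/outbound TCP connection" lines,
# the format posted in the thread. Dots are escaped so "." matches only a literal
# dot; the question's original rex used an unescaped "." (any character).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ASA_BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for "
    rf"Outside:(?P<outside_ip>{IP})/(?P<outside_port>\d+) \((?P<outside_nat>{IP})/\d+\) to "
    rf"Inside:(?P<inside_ip>{IP})/(?P<inside_port>\d+) \((?P<inside_nat>{IP})/\d+\)"
)

# Constructed sample input: the two lines posted in the thread plus one made-up
# line involving 8.8.8.8, to exercise the thread's NOT "8.8.8.8" exclusion.
SAMPLE_LOG = """\
Aug 3 09:06:50 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 429365644 for Outside:126.27.180.187/64765 (180.25.12.177/64765) to Inside:202.171.212.131/80 (230.120.220.141/80)
Aug 3 09:07:11 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 429369569 for Outside:192.168.116.124/1883 (192.168.1.12/1883) to Inside:202.171.212.163/53381 (230.120.220.165/53381)
Aug 3 09:07:30 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 429370001 for Outside:8.8.8.8/53 (8.8.8.8/53) to Inside:202.171.212.131/80 (230.120.220.141/80)
"""


def parse_built(line):
    """Return the fields of one 302013 line as a dict, or None if it is not one."""
    m = ASA_BUILT.search(line)
    return m.groupdict() if m else None


def summarize(log_text, exclude=("8.8.8.8", "8.8.4.4")):
    """Equivalent of the thread's SPL `NOT "8.8.8.8" NOT "8.8.4.4" | ... |
    stats values(sourceip2) as sourceip2, count by destinationip2`:
    per Outside IP, the set of Inside IPs, an event count, and which
    directions ("inbound"/"outbound") were seen for that peer."""
    stats = defaultdict(lambda: {"sourceip2": set(), "count": 0, "directions": set()})
    for line in log_text.splitlines():
        # SPL NOT "x" drops the event if the term appears anywhere in _raw.
        if any(term in line for term in exclude):
            continue
        rec = parse_built(line)
        if rec is None:
            continue
        entry = stats[rec["outside_ip"]]
        entry["sourceip2"].add(rec["inside_ip"])
        entry["count"] += 1
        entry["directions"].add(rec["direction"])
    return {dst: {"sourceip2": sorted(v["sourceip2"]), "count": v["count"],
                  "directions": sorted(v["directions"])} for dst, v in stats.items()}
```

Sorting the returned dict by `count` descending and taking the first ten entries reproduces `sort -count | head 10`. Note that a 302013 "Built" message already means the ASA established the TCP connection; inbound versus outbound only records which side initiated it, so a single "Built inbound" line is a completed connection on its own.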

cyberportnoc
Explorer

Today I searched again, and it has results now:

source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4" | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+){0,3}" | rex field=_raw "Inside:(?<sourceip2>\d+\.\d+\.\d+\.\d+){0,3}" | join destinationip2 [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+){0,3}"] | mvexpand destinationip2 | stats values(sourceip2) as sourceip2, count by destinationip2 | sort -count | head 10