Some of my inputs are still having problems. The file is supposed to be in a comma delimited format, but the contents of some columns contain \n and commas as part of the "data".
Some events are clean:
1080071,61191,"Cisco ASA Clientless SSL VPN URL Rewriting Cross Domain Same Origin Policy Bypass","2009-12-06 13:30:58","2009-12-19 02:04:43","1970-01-01 00:00:00","2006-06-08 00:00:00","1970-01-01 00:00:00","","","","",\N,"1970-01-01 00:00:00"
Some events are messy and have commas and backslashes in the body:
18776,18776,"Apple Mac OS X AppKit Error Condition Local Account Creation","2005-08-16 23:54:36","2010-11-02 06:59:20","1970-01-01 00:00:00","2005-08-16 23:54:39","1970-01-01 00:00:00","Mac OS X 10.3 - 10.4.2 AppKit Error Condition Local Account Creation","Mac OS X contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker triggers an error condition at the login screen which allows new accounts to be created. This flaw may lead to a loss of integrity.",\N,"Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.",\N,"1970-01-01 00:00:00"
I tried a number of different settings in the props.conf, but I couldn't find any combination of settings that would work:
[osvdb_vulnerabilities]
SHOULD_LINEMERGE = TRUE
MUST_BREAK_AFTER = ,\N,"\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d"
and
SHOULD_LINEMERGE = TRUE
BREAK_ONLY_BEFORE = \d+,\d+,"[^"]+","\d+-\d+-\d+\s\d+:\d+:\d+","\d+-\d+-\d+\s\d+:\d+:\d+","\d+-\d+-\d+\s\d+:\d+:\d+","\d+-\d+-\d+\s\d+:\d+:\d+","\d+-\d+-\d+\s\d+:\d+:\d"
and
[osvdb_vulnerabilities]
SHOULD_LINEMERGE = TRUE
BREAK_ONLY_BEFORE = ^\d+,\d+,"
and
[osvdb_vulnerabilities]
SHOULD_LINEMERGE = TRUE
BREAK_ONLY_BEFORE = ^\d+,\d+,"
AUTO_LINEMERGE = FALSE
MUST_BREAK_AFTER = \s00:00:00"
It seems like the \ character is causing Splunk to break the event. Is it possible to turn that off somehow?
I'm still getting events like this, however:
\
http://[target]/admin/MembersAreaManager/components/SecurityLevelManager/upload_image_security_level.asp?cid=-12312312 union select 1,Security_AdminPassword,3,4,5,6 from tblConfig","1970-01-01 00:00:00"
Eventually I added the following transforms and I'm good to go:
[vulnerabilities_index]
REGEX = ^\d+,\d+,"[^"]+"
DEST_KEY = queue
FORMAT = indexQueue
[vulnerabilities_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
I only needed the first two fields out of the message anyway...
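To show why a line-oriented breaker over-splits this kind of dump and how the record-start regex from the post recovers whole records, here is an added Python example (not code from the post and not Splunk's own parser). The sample dump is constructed for the example and imitates the MySQL-style CSV described above: unquoted numeric ids, quoted text fields, an unquoted \N for NULL, and a body field containing commas, a backslash and an embedded newline. It also parses the same data with Python's csv module, which treats a quoted field spanning several lines as one field and leaves backslashes alone, and mirrors the transforms' index/null routing decision.

```python
import csv
import io
import re

# Constructed sample dump, not data from the original post. Record 2 has
# a comma, a backslash and a line break inside a quoted field; \N is the
# unquoted MySQL NULL marker.
SAMPLE_DUMP = (
    '1,11,"Clean title","2009-12-06 13:30:58","",\\N,"1970-01-01 00:00:00"\n'
    '2,22,"Messy title","2005-08-16 23:54:36",'
    '"Body with a comma, a backslash \\ and a\nline break inside",\\N,"1970-01-01 00:00:00"\n'
    '3,33,"Another title","2011-01-01 00:00:00","",\\N,"1970-01-01 00:00:00"\n'
)

# The record-start pattern used in the post's BREAK_ONLY_BEFORE setting.
RECORD_START = re.compile(r'^\d+,\d+,"')


def naive_records(dump):
    """Treat every physical line as one record, as a line-oriented breaker
    does. Embedded newlines inside quoted fields inflate the count."""
    return dump.rstrip("\n").split("\n")


def merged_records(dump):
    """Re-merge physical lines into records: a new record starts only on a
    line matching RECORD_START, everything else is a continuation line.
    Caveat: a continuation line that itself happens to begin with
    <digits>,<digits>," would still be split off here."""
    records = []
    for line in dump.rstrip("\n").split("\n"):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def parsed_records(dump):
    """Parse with a real CSV reader. Quoted fields may span lines and hold
    commas; with escapechar=None a backslash is ordinary data. The unquoted
    \\N marker is mapped to None to mirror MySQL NULL."""
    reader = csv.reader(io.StringIO(dump), delimiter=",", quotechar='"',
                        escapechar=None, strict=True)
    return [[None if field == "\\N" else field for field in row] for row in reader]


def route(record):
    """Mirror the post's transforms: text that looks like a record start goes
    to indexQueue, anything else (stray continuation lines) to nullQueue."""
    return "indexQueue" if re.match(r'^\d+,\d+,"[^"]+"', record) else "nullQueue"


if __name__ == "__main__":
    print("physical lines :", len(naive_records(SAMPLE_DUMP)))
    print("merged records :", len(merged_records(SAMPLE_DUMP)))
    for row in parsed_records(SAMPLE_DUMP):
        print(row[0], row[1], repr(row[2]))
```

Running it on the constructed dump gives four physical lines but three merged records, and the csv reader returns three rows of seven fields each, with the multi-line body kept intact as a single field; the stray continuation line is the one the transforms would send to nullQueue.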