Can someone guide me in the right direction. I have an issue with src_ip extraction using the nix splunk TA. I see that the [syslog] stanza in props.conf contains the config below, but I'm unsure how src_ip is actually being extracted using the props and transforms code blocks below.
Futhermore, I'm not 100% certain what transforms is actually doing. I was trying to narrow down where the issue might be with the extraction, but having some difficultly figuring that out. The regex seems very basic.
search: `index=ap_os_nix sourcetype=syslog` sourcetype = `syslog` source = `/var/log/auth`
This payload below parses incorrectly and also included the port number. Mar 16 11:36:43 apnmls02 sshd: Received disconnect from 172.16.5.49 port 51798:11: Session closed [preauth] `src_ip="172.16.5.49 port 51798:11"`
The payload below has parses the source IP correctly. Mar 16 11:42:23 apcribl02 sshd: Connection closed by 172.16.5.49 port 56452 `src_ip = 172.16.5.49`
### Props for syslog sourcetype
``` ###### Syslog ###### [source::....syslog] sourcetype = syslog [syslog] EVENT_BREAKER_ENABLE = true ## Event extractions by type REPORT-0authentication_for_syslog = remote_login_failure, bad-su2, passwd-auth-failure, failed_login1, bad-su, failed-su, ssh-login-failed, ssh-invalid-user, ssh-login-accepted, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried, sshd_login_restricted, pam_unix_authentication_success, pam_unix_authentication_failure, sudo_cannot_identify, ksu_authentication, ksu_authorization, su_simple, su_authentication, su_successful, wksh_authentication, login_authentication EVAL-action = if(app="su" AND isnull(action),"success",action) REPORT-account_management_for_syslog = useradd, userdel, userdel-grp, groupdel, groupadd, groupadd-suse REPORT-password_change_for_syslog = pam-passwd-ok, passwd-change-fail REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf REPORT-routing = iptables EVAL-signature = if(isnotnull(inbound_interface),"firewall",null()) REPORT-signature_for_syslog_timesync = signature_for_nix_timesync REPORT-dest_for_syslog = host_as_dest LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action REPORT-src_for_syslog = src_dns_as_src, src_ip_as_src FIELDALIAS-dvc = dest as dvc EVAL-vendor_product = if(isnull(vendor_product), "nix", vendor_product) ```
### Transforms line referenced in Props
``` [src_ip_as_src] SOURCE_KEY = src_ip REGEX = (.+) FORMAT = src::"$1" ```
... View more