04-13-2012
07:40 AM
You'd actually want to do this with a field extraction, but you could test the field extraction with the rex though.
Something like this in your local/props.conf:
[host::x.y.z.b]
# props.conf takes the bare regex (no surrounding quotes); dots and the literal parentheses are escaped.
# dst_address and dst_port are assumed group names; rename them to match your own fields.
EXTRACT-ip_proto,src_address,src_port,etc = list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)
You'll need to customize the extracted field names to match.
04-10-2012
12:27 PM
What you need to do is field-extract the same fields from the IOS ACL deny log entries. I've used the following quick rex searches in the past to dig info from ACLs.
host="someIOSfirewall" "%SEC-6-IPACCESSLOGP" | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" | chart sparkline count by src_address
host="someIOSfirewall" "%SEC-6-IPACCESSLOGP" | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count
Just make the field names match what it is expecting, and the type to match, and you'll be set.
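The same named-group extraction over Cisco IOS %SEC-6-IPACCESSLOGP lines, as an added Python example that is not from the post above; it generalizes slightly by capturing the ACL number instead of hardcoding "list 101", uses the assumed names dst_address/dst_port, and runs over constructed sample log lines.

```python
import re
from collections import Counter

# Same pattern as the SPL rex, with the dots and the literal parentheses escaped.
# The ACL number is captured rather than fixed to 101 (a generalization of the post's regex).
# dst_address / dst_port are assumed group names, not names from the original post.
ACL_DENY_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<ip_proto>[a-zA-Z]+) "
    r"(?P<src_address>\d+\.\d+\.\d+\.\d+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_address>\d+\.\d+\.\d+\.\d+)\((?P<dst_port>\d+)\)"
)

# Constructed sample IOS syslog lines (not real data). The last two are a
# "permitted" entry and an unrelated message, which the regex must not match.
SAMPLE_LOGS = [
    "Apr 10 12:01:03 fw1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4523) -> 192.168.1.10(22), 1 packet",
    "Apr 10 12:01:09 fw1 1235: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.5(5353) -> 192.168.1.20(161), 3 packets",
    "Apr 10 12:02:15 fw1 1236: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.0.9(51000) -> 192.168.1.10(445), 1 packet",
    "Apr 10 12:02:20 fw1 1237: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.2(40000) -> 192.168.1.10(80), 1 packet",
    "Apr 10 12:03:00 fw1 1238: %SYS-5-CONFIG_I: Configured from console by admin",
]


def extract_acl_deny(line):
    """Return the extracted fields as a dict, or None if the line is not an ACL deny."""
    m = ACL_DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields


def count_by_src_address(lines):
    """Equivalent of '| chart count by src_address' over the deny events only."""
    counts = Counter()
    for line in lines:
        fields = extract_acl_deny(line)
        if fields:
            counts[fields["src_address"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract_acl_deny(line))
    print(count_by_src_address(SAMPLE_LOGS))
```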