Does anyone have any field extraction regexes for arpwatch they could share? I could probably figure it out eventually but regexes are not my idea of fun.
Hi ehoward,
Like lukejadamec said, sample data are most useful, as well as your needs. Nevertheless, since arpwatch is nothing else than syslog output and therefore pretty generic, you can do some regex-Fu based on this log example:
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)
Using the above sample, use this:
... | rex field="_raw" "\:\s(?<arpwatchStatus>.+station)" | ...
to get a new field arpwatchStatus containing either new station or changed station.
Use this:
... | rex field="_raw" "\s(?<arpwatchInterface>[a-z]+[0-9])" | ...
to get a new field called arpwatchInterface containing, in this case, eth0.
You just learned search time field extraction, so you should know what the field names for the next examples will be and what they will contain:
... | rex field="_raw" "new\sstation\s(?<arpwatchNewIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "new\sstation\s(\d+\.){3}\d+\s(?<arpwatchNewMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
... | rex field="_raw" "changed\sstation\s(?<arpwatchChangedIP>(\d+\.){3}\d+)\s" | ...
... | rex field="_raw" "changed\sstation\s(\d+\.){3}\d+\s(?<arpwatchChangedMAC>([0-9a-f]{1,2}[\.:-]){5}([0-9a-f]{1,2}))" | ...
Field extraction can be set up to happen automatically; take a look at the docs about this.
hope this helps to get you going ...
cheers, MuS
PS: if this answer was useful, please tick the tick to mark it answered
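As an added worked example (not MuS's code and not part of the arpwatch project), the same extraction done in Python over constructed lines shaped like the samples above: one pattern covers both the "new station" and the "changed station" shapes, and MAC octets are zero-padded because arpwatch logs them unpadded ("0:17:9a:a:f6:44"), which otherwise breaks comparisons with MACs recorded by other tools.

```python
import re

# Constructed sample lines in the same shape as the ones quoted above
# (the third is a non-arpwatch syslog line that must be rejected).
SAMPLE_LOGS = [
    "Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0",
    "Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)",
    "Nov 10 15:59:35 debian sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]

MAC = r"(?:[0-9a-f]{1,2}[:.-]){5}[0-9a-f]{1,2}"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# 'new station IP MAC IFACE' and 'changed station IP MAC (OLDMAC)' in one pattern;
# old_mac and iface are optional so each shape fills in only what it carries.
ARPWATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+arpwatch:\s+"
    + r"(?P<status>new|changed)\s+station\s+(?P<ip>" + IPV4 + r")\s+(?P<mac>" + MAC + r")"
    + r"(?:\s+\((?P<old_mac>" + MAC + r")\))?(?:\s+(?P<iface>[a-z]+\d+))?\s*$"
)

def normalize_mac(mac):
    """Pad each octet to two hex digits: '0:17:9a:a:f6:44' -> '00:17:9a:0a:f6:44'."""
    return ":".join(o.zfill(2) for o in re.split(r"[:.-]", mac.lower()))

def parse_arpwatch(line):
    """Return the extracted fields as a dict, or None if the line is not arpwatch."""
    m = ARPWATCH_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["mac"] = normalize_mac(fields["mac"])
    if fields["old_mac"]:
        fields["old_mac"] = normalize_mac(fields["old_mac"])
    return fields

def changed_stations(lines):
    """The records worth reviewing: an IP that is now answering from a different MAC."""
    return [f for f in map(parse_arpwatch, lines) if f and f["status"] == "changed"]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_arpwatch(line))
    for f in changed_stations(SAMPLE_LOGS):
        print(f"{f['ip']} moved from {f['old_mac']} to {f['mac']} on {f['host']}")
```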
Given that your record looks like this:
Apr 3 23:33:25 splunkiron arpwatch: new station 192.168.1.229 80:ea:96:b8:3:e3
You should be able to use this regex:
^(?:[^\s]+\s+){3}(?<host>[^\s]+)\s+(?<process>[^:]+):\s+(?<message>[^\d]+)(?<dest>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<mac>.*)
If you provide some log samples and the fields you'd like extracted, I can be more precise.
You're welcome. Please tick the tick in this case to mark this as answered - thx
Thank you all for your answers. I really appreciate all the help. I have fought my way through regexes before, but if you don't do it every day it can be frustrating to pick it all up again. The samples you have provided me are a great start. Once I get all my fields properly defined I will post what I have.
You could of your data and what you want to extract.