I'm trying to use the Add-On for MAC lookup App and am having issues. Here is the raw syslog data I'm working with:
Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)
And a user here was very helpful with my request to create a table, which gave me this search:
rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
rex confuses me greatly. I would like to add to this table the vendor of the mac being displayed using the | maclookup
How can I do this?
Hi wiredmonkey and others,
the app is now available with debugging feature and error handling on non-existing MAC's.
Thanks for providing the test events, they were really useful.
hope this helps ...
cheers, MuS
Hi wiredmonkey,
I wrote this App. Your MAC is not matching the regex used in the App. The regex uses : or - but your format is not matched.
Give me some time and I'll update it 😉
Cheers, MuS
No, the regex matches this format nicely.
I can add some debugging feature to the script tomorrow if you need.
Hi, in my logs my MAC addresses are already extracted properly to a field called EndPointMACAddress, and I created a field alias called MAC_Address.
excerpt of raw log
EndPointMACAddress=F4-0B-93-8F-D8-0E, ISEPolicySetName=Default, AllowedProtocolMatchedRule=LN-WLAN-PEAP
I can't seem to get the lookup to work.
my search is:
eventtype=cisco-ise MESSAGE_CLASS=Passed-Authentication OR MESSAGE_CLASS=Failed-Attempt MESSAGE_TEXT="Authentication failed" | maclookup | Table User EndPointMACAddress Company OUI
thanks
MuS,
Thank you for the quick response. I am now seeing requests from my Splunk server to api.macvendors.com, so it appears to be trying to search. Now I cannot get the vendor to show up in my table.
Does the | maclookup replace the mac address with the vendor? Does it create a new row in the table?
In the end, I want the table to show:
Time
Source (westannex1 in this example)
Mac Address
Port
Vendor
Based off this syslog data:
Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)
Hi wiredmonkey,
check the updated version http://apps.splunk.com/app/1249/ I added your MAC format to the regex.
cheers, MuS
Awesome. Thanks MuS!!
Try this
your base search | maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
Updated: replace command before doing maclookup to format existing MAC.
Update 1: updated replace command as a MAC can contain alphanumeric characters.
your base search | eval _raw=replace(_raw,"(\[[a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2}\s*\])","\1:\2:\3:\4:\5:\6")| maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
Option 2 - adding space after and before MAC.
your base search | eval _raw=replace(_raw,"\[\s*([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\s*\]","[ \1:\2:\3:\4:\5:\6 ]")| maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
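As an added example (not code from the thread or from the maclookup app), the script below does in Python what the SPL above does in Splunk: the Option 2 replace that rewrites a Cisco dotted MAC inside the brackets, the rex that pulls out Source, MAC_Address and Port, and a vendor lookup keyed on the first three octets. It also accepts the dash-separated form from the Cisco ISE post and plain colon form, and it returns None instead of a vendor when the bracketed value is not a well-formed MAC. The sample events and the OUI table are constructed stand-ins; the real app queries api.macvendors.com.

```python
import re

# Constructed sample events in the format from the thread (not captured from real devices).
SAMPLE_EVENTS = [
    "Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)",
    "Aug 21 14:40:11 192.168.10.18 Aug 21 14:40:10 WestAnnex1 MAC Authentication failed for [F4-0B-93-8F-D8-0E] on port 0/1/12 (Invalid User)",
    "Aug 21 14:41:02 192.168.10.18 Aug 21 14:41:01 WestAnnex1 MAC Authentication failed for [0021.7029 ] on port 0/1/3 (Invalid User)",
]

# Same capture groups as the rex used in the thread.
EVENT_RE = re.compile(
    r"(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)"
)

# Python equivalent of the SPL "eval _raw=replace(...)" from Option 2: rewrite a
# Cisco dotted MAC inside [...] to colon form with a space on either side.
CISCO_IN_BRACKETS_RE = re.compile(
    r"\[\s*([a-fA-F0-9]{2})([a-fA-F0-9]{2})\.([a-fA-F0-9]{2})([a-fA-F0-9]{2})"
    r"\.([a-fA-F0-9]{2})([a-fA-F0-9]{2})\s*\]"
)


def rewrite_raw(line):
    """Rewrite [0021.7029.3381 ] to [ 00:21:70:29:33:81 ]; other lines pass through unchanged."""
    return CISCO_IN_BRACKETS_RE.sub(r"[ \1:\2:\3:\4:\5:\6 ]", line)


# Accepted input shapes: Cisco dotted (0021.7029.3381), dash or colon separated
# (F4-0B-93-8F-D8-0E / f4:0b:93:8f:d8:0e), and bare 12 hex digits.
MAC_SHAPES = re.compile(
    r"^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
    r"|[0-9a-f]{12})$"
)


def normalize_mac(raw):
    """Return the IEEE 802 colon-separated lower-case form, or None when the value
    is not a well-formed MAC (the malformed / non-existing MAC case)."""
    value = raw.strip().lower()
    if not MAC_SHAPES.match(value):
        return None
    digits = re.sub(r"[.:-]", "", value)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed OUI table standing in for api.macvendors.com so the example runs offline.
OUI_TABLE = {
    "00:21:70": "Vendor A (constructed)",
    "f4:0b:93": "Vendor B (constructed)",
}


def lookup_vendor(mac):
    """Vendor for the OUI (first three octets); None for a malformed MAC, 'unknown' if not in the table."""
    if mac is None:
        return None
    return OUI_TABLE.get(mac[:8], "unknown")


def parse_event(line):
    """Return the table row wiredmonkey asked for, or None if the event does not match."""
    m = EVENT_RE.search(rewrite_raw(line))
    if m is None:
        return None
    mac = normalize_mac(m.group("MAC_Address"))
    return {
        "Source": m.group("Source"),
        "MAC_Address": mac,
        "Port": m.group("Port"),
        "Vendor": lookup_vendor(mac),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_event(event))
```

Normalising before the lookup is the part that matters: the rex happily captures whatever sits between the brackets, including the trailing space in the Cisco format, so a lookup keyed on the raw capture will never match. The third constructed event shows why the shape check is worth having; a truncated MAC yields a row with no vendor rather than a bad lookup.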
You can use rex with mode=sed to convert your format to IEEE 802 format. What is your current format?
Found this in the help of maclookup:
lookup the standard ieee 802 mac-48 addresses in an internet db http://api.macvendors.com/ to get Manufactor Company Name
The mac that the syslog data creates isn't this standard. How do I go about changing the mac address format?
Didn't work. My only thought is that the maclookup app needs a specific format of the mac address to work. I tried to contact the creator of the Add-on but it's a bogus email address.