How to use Add-on for MAC lookup to search and extract MAC vendor in syslog data?

wiredmonkey
Explorer

I'm trying to use the Add-On for MAC lookup App and am having issues. Here is the raw syslog data I'm working with:

Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User) 

And a user here was very helpful with my request to create a table, which gave me this search:

rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

rex confuses me greatly. I would like to add to this table the vendor of the MAC being displayed, using | maclookup.

How can I do this?

1 Solution

MuS
SplunkTrust

Hi wiredmonkey and others,

the app is now available with a debugging feature and error handling on non-existing MACs.
Thanks for providing the test events, they were really useful.

hope this helps ...

cheers, MuS

MuS
SplunkTrust

Hi wiredmonkey,

I wrote this App. Your MAC is not matching the regex used in the App. The regex uses : or - but your format is not matched.
Give me some time and I'll update it 😉

Cheers, MuS

MuS
SplunkTrust

No, the regex matches this format nicely.
I can add some debugging feature to the script tomorrow if you need.

rickylee
New Member

Hi, in my logs my MAC addresses are already extracted properly to a field called EndPointMACAddress, and I created a field alias called MAC_Address.

excerpt of raw log
EndPointMACAddress=F4-0B-93-8F-D8-0E, ISEPolicySetName=Default, AllowedProtocolMatchedRule=LN-WLAN-PEAP

I can't seem to get the lookup to work.

my search is:

eventtype=cisco-ise MESSAGE_CLASS=Passed-Authentication OR MESSAGE_CLASS=Failed-Attempt MESSAGE_TEXT="Authentication failed" | maclookup | Table User EndPointMACAddress Company OUI

thanks


wiredmonkey
Explorer

MuS,

Thank you for the quick response. I am now seeing requests from my Splunk server to api.macvendors.com, so it appears to be trying to search. Now I cannot get the vendor to show up in my table.

Does the | maclookup replace the mac address with the vendor? Does it create a new row in the table?

In the end, I want the table to show:

Time
Source (westannex1 in this example)
Mac Address
Port
Vendor

Based off this syslog data:

Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)


MuS
SplunkTrust

Hi wiredmonkey,

check the updated version http://apps.splunk.com/app/1249/ I added your MAC format to the regex.

cheers, MuS

wiredmonkey
Explorer

Awesome. Thanks MuS!!

somesoni2
SplunkTrust

Try this

your base search | maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

Updated: added a replace command before doing maclookup to format the existing MAC.
update1: updated the replace command, as a MAC can contain alphanumeric characters.

your base search | eval _raw=replace(_raw,"(\[[a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2}\s*\])","\1:\2:\3:\4:\5:\6")| maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

Option 2 - adding space after and before MAC.

your base search | eval _raw=replace(_raw,"\[\s*([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\s*\]","[ \1:\2:\3:\4:\5:\6 ]")| maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
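A worked example, added here and not code from the thread or from the maclookup app, that does in Python what somesoni2's replace() above and rickylee's dash-separated EndPointMACAddress field both need: normalize the Cisco dotted and dash forms to IEEE 802 colon notation, then resolve the OUI against a local table instead of calling api.macvendors.com. The OUI_TABLE entries and vendor names are constructed placeholders, and the event string is a constructed copy of the one quoted in the question.

```python
import re

# Python translation of the rex pattern from the thread: skip the seven leading
# syslog tokens, then capture Source, the bracketed MAC and the port.
SYSLOG_RE = re.compile(
    r"(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+)"
    r".*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)"
)

# Constructed OUI table for an offline demonstration; the vendor names are
# placeholders, not real IEEE assignments.
OUI_TABLE = {"00:21:70": "ExampleVendor-A", "F4:0B:93": "ExampleVendor-B"}


def normalize_mac(raw):
    """Return the MAC in IEEE 802 colon form (AA:BB:CC:DD:EE:FF), or None.

    Accepts Cisco dotted (0021.7029.3381), dash (F4-0B-93-8F-D8-0E), colon and
    bare 12-hex forms; whitespace such as the trailing space inside the syslog
    brackets is dropped, and anything else makes the value unresolvable.
    """
    cleaned = re.sub(r"[\s.:\-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", cleaned):
        return None
    cleaned = cleaned.upper()
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def vendor_for(mac):
    """Resolve the first three octets (the OUI) against the local table."""
    if mac is None:
        return "unknown"
    return OUI_TABLE.get(mac[:8], "unknown")


def parse_event(line):
    """Build the table row the thread asks for, or None if the rex misses."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    mac = normalize_mac(m.group("MAC_Address"))
    return {"Source": m.group("Source"), "MAC_Address": mac,
            "Port": m.group("Port"), "Vendor": vendor_for(mac)}


if __name__ == "__main__":
    # Constructed copy of the event quoted in the question.
    print(parse_event("Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 "
                      "MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)"))
```

A MAC that does not normalize yields Vendor "unknown" rather than an error, which mirrors the non-existing-MAC handling MuS describes adding to the app.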

somesoni2
SplunkTrust

You can use rex with mode=sed to convert your format to IEEE 802 format. What is your current format?


wiredmonkey
Explorer

Found this in the help of maclookup:

lookup the standard ieee 802 mac-48 addresses in an internet db http://api.macvendors.com/ to get Manufactor Company Name

The MAC that the syslog data creates isn't in this standard. How do I go about changing the MAC address format?


wiredmonkey
Explorer

Didn't work. My only thought is that the maclookup app needs a specific format of the mac address to work. I tried to contact the creator of the Add-on but it's a bogus email address.
