Hi,
Splunk Add-on for Sophos is working well, however, I'm not sure if it's extracting all the fields. Using this as an example:
InsertedAt=2015-09-03 14:40:05; EventID=xxxxx; EventTime=2015-09-03 13:21:21; ActionID=101; Action=None; UserName=xxx\xxx; ScanTypeID=200; ScanType=Unknown; StatusID=300; Status=Cleanable; EventTypeID=2; EventType=Adware or PUA; EventName=xxxx; FullFilePath=C:\path\filename.exe; ComputerName=xxx; ComputerDomain=xxx; ComputerIPAddress=x.x.x.x
Looking in transforms.conf for the Splunk Add-on, the stanza reads:
[sophos_threat_file_path_and_file_name]
REGEX = FullFilePath=\"(.+?)\\([^\\]+?)\"\;
FORMAT = file_path::$1 file_name::$2
FullFilePath is then separated into file_path and file_name, however there are two issues:
1. Path extractions do not seem to work (does not appear to split into file_path, file_name, could be the missing double quotes in the event?)
2. Sophos also conducts memory scans and uses FullFilePath to state this as 'User Memory'
The same problem is happening for the event time, there's no double quote in the event:
TIME_PREFIX = EventTime="
Is there a way to test if this is actually working?
when you run search against sophos data, do you see any file_path and file_name fields extracted? how about events timestamp, does it match what's in the raw event EventTime field?