I was working on building a dashboard showing users who failed logons to the Palo Alto. That's when I noticed that the authentication events do NOT parse user information out of the log.
event-id="auth-fail"
1,2016/04/12 15:06:52,001701005661,SYSTEM,general,0,2016/04/12 15:06:52,,auth-fail,Admin_Radius_Profile,0,0,general,medium,"failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.",2194485,0x0,0,0,0,0,,pafw
event-id="auth-success"
1,2016/04/12 15:07:14,001701005661,SYSTEM,general,0,2016/04/12 15:07:14,,auth-success,LDAP_Auth_Profile,0,0,general,informational,"authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.",2194487,0x0,0,0,0,0,,pafw
For both of these events, there is a description field that is parsed out:
Description: failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.
Description: authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.
But the username does not show up in a separate field. Furthermore, the source IP (the IP after From:) is not parsed out either.
So I built search extractions that work very well:
sourcetype="pan:system" event_id="auth-fail" | rex field=description "failed authentication for user \'(?<user>[^']+)" | rex field=description "Reason: (?<Reason>[^,]+)" | rex field=description "From: (?<src1>[^,]+)" | eval src=rtrim(src1, ".") | table _time, event_id, user, src, Reason
sourcetype="pan:system" event_id="auth-success" | rex field=description "authenticated for user \'(?<user>[^']+)" | rex field=description "From: (?<src1>[^,]+)" | eval src=rtrim(src1, ".") | table _time, user, src
But I want these to automatically happen. These logs are currently going straight to the indexer (legacy issue). So I created /etc/apps/Splunk_TA_paloalto/local/props.conf and put the following syntax:
[pan:system]
EXTRACT-user = authenticated for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".")
EXTRACT-user = failed authentication for user \'(?<user>[^']+)
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
I did this on both the indexer and the Search Head.
I restarted both instances of Splunk.
But now the parsing for failed authentication pulls only the Reason, not the user or the src. And the parsing for authenticated user does not pull the user.
Any suggestions?
Thanks.
OK, I figured it out.
[pan:system]
EXTRACT-user = for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".\"")
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
Now you can run the following search:
sourcetype="pan:system" event_id="auth*" | table _time, user, event_id, src, Reason
and it will tell you who has attempted to log into PA, whether or not the login succeeded, where they attempted the login from and the reason it failed.
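As an added illustration, not code from the original thread or from the Palo Alto TA, here is a small Python script that applies the same three patterns as the final props.conf stanza to the two sample events quoted above, shows why the first `rtrim(src1, ".")` left a stray quote on the source IP (the `From:` capture in `_raw` runs past the closing quote of the description field), and flags the duplicate `EXTRACT-user` key in the first attempt, since a stanza can hold only one value per setting name. The sample lines and the two conf fragments are copied from the posts; the function names are my own, and Python's `(?P<name>...)` group syntax stands in for the `(?<name>...)` form Splunk's PCRE accepts.

```python
import csv
import re

# Two events constructed from the ones quoted in the thread (serial number,
# addresses and names are the placeholders used there, not real data).
SAMPLE_EVENTS = [
    r"""1,2016/04/12 15:06:52,001701005661,SYSTEM,general,0,2016/04/12 15:06:52,,auth-fail,Admin_Radius_Profile,0,0,general,medium,"failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.",2194485,0x0,0,0,0,0,,pafw""",
    r"""1,2016/04/12 15:07:14,001701005661,SYSTEM,general,0,2016/04/12 15:07:14,,auth-success,LDAP_Auth_Profile,0,0,general,informational,"authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.",2194487,0x0,0,0,0,0,,pafw""",
]

# Same patterns as the final props.conf stanza. Python needs (?P<name>...);
# Splunk's PCRE takes (?<name>...). "for user '" matches both message variants.
USER_RE = re.compile(r"for user '(?P<user>[^']+)")
SRC_RE = re.compile(r"From: (?P<src1>[^,]+)")
REASON_RE = re.compile(r"Reason: (?P<Reason>[^,]+)")

# The first stanza from the question (duplicate EXTRACT-user) and the fixed one.
BROKEN_PROPS = r"""[pan:system]
EXTRACT-user = authenticated for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".")
EXTRACT-user = failed authentication for user \'(?<user>[^']+)
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
"""

FIXED_PROPS = r"""[pan:system]
EXTRACT-user = for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".\"")
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
"""


def src_raw_capture(raw: str):
    """What EXTRACT-src1 captures from _raw before any trimming."""
    m = SRC_RE.search(raw)
    return m.group("src1") if m else None


def extract_auth_fields(raw: str) -> dict:
    """Mimic the EXTRACT/EVAL settings on one raw pan:system event."""
    fields = next(csv.reader([raw]))  # handles the quoted description field
    result = {
        "_time": fields[1],
        "event_id": fields[8],
        "user": None,
        "src": None,
        "Reason": None,
    }
    m = USER_RE.search(raw)
    if m:
        result["user"] = m.group("user")
    src1 = src_raw_capture(raw)
    if src1 is not None:
        # In _raw the capture runs to the next comma, which is past the closing
        # quote of the description, so src1 is '1.1.1.1."'. rtrim(src1, ".")
        # strips nothing because the last character is the quote; trimming
        # both '.' and '"' is the fix the thread settled on.
        result["src"] = src1.rstrip('."')
    m = REASON_RE.search(raw)
    if m:
        # No separator follows the reason in the PAN message, so the capture
        # runs on to the first comma, i.e. through "auth profile '...'".
        result["Reason"] = m.group("Reason")
    return result


def duplicate_stanza_keys(conf_text: str) -> list:
    """Report settings that appear more than once within one conf stanza.

    One setting name holds one value per stanza, so a second EXTRACT-user line
    does not add a second pattern; it collides with the first.
    """
    seen = set()
    dups = []
    stanza = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key = line.split("=", 1)[0].strip()
        if (stanza, key) in seen:
            dups.append((stanza, key))
        seen.add((stanza, key))
    return dups


if __name__ == "__main__":
    print("duplicate keys, first attempt:", duplicate_stanza_keys(BROKEN_PROPS))
    print("duplicate keys, fixed stanza: ", duplicate_stanza_keys(FIXED_PROPS))
    # Same columns as: ... | table _time, user, event_id, src, Reason
    for raw in SAMPLE_EVENTS:
        r = extract_auth_fields(raw)
        print(r["_time"], r["user"], r["event_id"], r["src"], r["Reason"], sep=" | ")
```

Running it prints the duplicate `EXTRACT-user` key for the first stanza, nothing for the fixed one, and the same table the final search produces, with `src` reduced to `1.1.1.1` for both events and `Reason` populated only on the failure.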
Update: I got the src IP parsed:
[pan:system]
EXTRACT-user = authenticated for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".\"")
EXTRACT-user = failed authentication for user \'(?<user>[^']+)
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
But I think the single quote is screwing up the parsing to get the user name... I've tried \' and ' but neither seems to work in props.conf.
help?