
Palo Alto Networks Add-on for Splunk does not parse out user and src from description of authentications

reswob4
Builder

I was working on building a dashboard showing users who failed logons to the Palo Alto. That's when I noticed the authentication events do NOT parse out user information from the log.

event-id="auth-fail"

1,2016/04/12 15:06:52,001701005661,SYSTEM,general,0,2016/04/12 15:06:52,,auth-fail,Admin_Radius_Profile,0,0,general,medium,"failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.",2194485,0x0,0,0,0,0,,pafw

event-id="auth-success"

1,2016/04/12 15:07:14,001701005661,SYSTEM,general,0,2016/04/12 15:07:14,,auth-success,LDAP_Auth_Profile,0,0,general,informational,"authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.",2194487,0x0,0,0,0,0,,pafw

For both of these events, there is a description field that is parsed out:

Description:  failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.

Description: authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.

But the username does not show up in a separate field. Furthermore, the source IP (the IP after From:) is not parsed out either.

So I built search extractions that work very well:

sourcetype="pan:system" event_id="auth-fail" | rex field=description "failed authentication for user \'(?<user>[^']+)" | rex field=description "Reason: (?<Reason>[^,]+)" | rex field=description "From: (?<src1>[^,]+)" | eval src=rtrim(src1, ".") | table _time, event_id, user, src, Reason

sourcetype="pan:system" event_id="auth-success" | rex field=description "authenticated for user \'(?<user>[^']+)" | rex field=description "From: (?<src1>[^,]+)" | eval src=rtrim(src1, ".") | table _time, user, src

But I want these to automatically happen. These logs are currently going straight to the indexer (legacy issue). So I created /etc/apps/Splunk_TA_paloalto/local/props.conf and put the following syntax:

[pan:system]

EXTRACT-user = authenticated for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".")
EXTRACT-user = failed authentication for user \'(?<user>[^']+)
EXTRACT-Reason = Reason: (?<Reason>[^,]+)

I did this on both the indexer and the Search Head.

I restarted both instances of Splunk.

But now the parsing for failed authentication only pulls the Reason, but does not pull the user or the src. And the parsing for authenticated user does not pull the user.

Any suggestions?

Thanks.

1 Solution

reswob4
Builder

OK, I figured it out.

[pan:system]

  EXTRACT-user = for user \'(?<user>[^']+)
  EXTRACT-src1 = From: (?<src1>[^,]+)
  EVAL-src = rtrim(src1, ".\"")
  EXTRACT-Reason = Reason: (?<Reason>[^,]+)

Now you can run the following search:

sourcetype="pan:system" event_id="auth*" | table _time, user, event_id, src, Reason

and it will tell you who has attempted to log into PA, whether or not the login succeeded, where they attempted the login from and the reason it failed.

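As an added illustration (not code from the thread or from the Palo Alto Networks add-on), the same three extractions run in Python over the two sample events, including the trailing-period trimming that the EVAL-src line performs; the CSV column positions are assumed from the layout of the quoted events.

```python
import csv
import re

# Constructed sample events in the PAN-OS system-log CSV layout quoted in the
# thread (values copied from the poster's two examples, not from a device).
SAMPLE_EVENTS = r"""1,2016/04/12 15:06:52,001701005661,SYSTEM,general,0,2016/04/12 15:06:52,,auth-fail,Admin_Radius_Profile,0,0,general,medium,"failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.",2194485,0x0,0,0,0,0,,pafw
1,2016/04/12 15:07:14,001701005661,SYSTEM,general,0,2016/04/12 15:07:14,,auth-success,LDAP_Auth_Profile,0,0,general,informational,"authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.",2194487,0x0,0,0,0,0,,pafw
"""

# Assumed 0-based column positions of event id and the quoted description.
EVENT_ID_COL = 8
DESCRIPTION_COL = 14

# Same patterns as the accepted props.conf. "for user '" matches both
# "authenticated for user '" and "failed authentication for user '".
USER_RE = re.compile(r"for user '(?P<user>[^']+)")
SRC_RE = re.compile(r"From: (?P<src1>[^,]+)")
REASON_RE = re.compile(r"Reason: (?P<Reason>[^,]+)")

def extract_fields(description):
    """Apply the three extractions to one description string."""
    user = USER_RE.search(description)
    src = SRC_RE.search(description)
    reason = REASON_RE.search(description)
    return {
        "user": user.group("user") if user else None,
        # EVAL-src = rtrim(src1, ".\""): drop the sentence-ending period
        "src": src.group("src1").rstrip('."') if src else None,
        "Reason": reason.group("Reason") if reason else None,
    }

def parse_events(text):
    """Parse CSV lines into the rows the table search would display."""
    rows = []
    for fields in csv.reader(text.splitlines()):
        if len(fields) <= DESCRIPTION_COL:
            continue  # truncated or non-system line
        row = {"event_id": fields[EVENT_ID_COL]}
        row.update(extract_fields(fields[DESCRIPTION_COL]))
        rows.append(row)
    return rows

def failed_logons_by_user(rows):
    """Count auth-fail events per user, as the poster's dashboard needs."""
    counts = {}
    for row in rows:
        if row["event_id"] == "auth-fail" and row["user"]:
            counts[row["user"]] = counts.get(row["user"], 0) + 1
    return counts
```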


reswob4
Builder

Update: I got the src IP parsed:

[pan:system]

  EXTRACT-user = authenticated for user \'(?<user>[^']+)
  EXTRACT-src1 = From: (?<src1>[^,]+)
  EVAL-src = rtrim(src1, ".\"")
  EXTRACT-user = failed authentication for user \'(?<user>[^']+)
  EXTRACT-Reason = Reason: (?<Reason>[^,]+)

But I think the single quote is screwing up the parsing to get the user name.... I've tried \' and ' but neither seems to work in props.conf.

help?
