Getting Data In

How to drop incoming deny logs from firewall logs

hartfoml
Motivator

I am trying to filter out all inbound deny syslog that the firewall is sending.
I have a props.conf like this:

[srx_log]
TRANSFORMS-srxDrop = srxDropDeny

I have a transforms.conf like this:

###############################
#  Drop Firewall inbound deny
###############################

[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")
DEST_KEY = queue
FORMAT = nullQueue

I can see that the logs are not being dropped.

How do I ..... or where do I look to see why this is not working? Is there an internal log that tracks the transforms and props activity? Is there a log file that tracks whether or not a filter is working?

0 Karma
1 Solution

hartfoml
Motivator

I think I figured it out. Regex is case sensitive and I had two source zones, one with a lower-case "u" and one with an upper-case "U", so I had to add the "|" OR symbol to add the second source-zone-name.

[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))
DEST_KEY = queue
FORMAT = nullQueue


0 Karma


hartfoml
Motivator

Here is a sample of the firewall log that I am trying to drop:

<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" destination-address="x.x.x.x" destination-port="80" service-name="junos-http" protocol-id="6" icmp-type="0" policy-name="my policyname" source-zone-name="Untrust" destination-zone-name="my zone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="UNKNOWN" reason="none"] 
0 Karma
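To check which events a nullQueue transform would discard before editing the live props.conf, here is an added Python script (not from this thread or from Splunk) that runs the original and corrected REGEX from the posts above against the posted sample event and three constructed variants. Python's `re` stands in for Splunk's PCRE engine here, and the `(?i)` case-insensitive alternative is a PCRE inline flag added as a generalization of the fix.

```python
import re

# REGEX values exactly as posted in transforms.conf (original and corrected).
ORIGINAL_REGEX = r'(RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")'
FIXED_REGEX = r'(RT\_FLOW\_SESSION\_DENY.+(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))'
# Alternative: one pattern with the PCRE inline case-insensitive flag
# (assumption: the zone name may appear in any letter case).
CASE_INSENSITIVE_REGEX = r'(?i)RT_FLOW_SESSION_DENY.+source-zone-name="untrust"'

# The event posted in the thread, followed by constructed variants:
# lower-case zone, an outbound deny (zone "trust"), and a non-deny event.
POSTED_EVENT = (
    '<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" '
    'destination-address="x.x.x.x" destination-port="80" service-name="junos-http" '
    'protocol-id="6" icmp-type="0" policy-name="my policyname" '
    'source-zone-name="Untrust" destination-zone-name="my zone" application="UNKNOWN" '
    'nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="reth0.0" encrypted="UNKNOWN" reason="none"]'
)
SAMPLE_EVENTS = [
    POSTED_EVENT,
    POSTED_EVENT.replace('source-zone-name="Untrust"', 'source-zone-name="untrust"'),
    POSTED_EVENT.replace('source-zone-name="Untrust"', 'source-zone-name="trust"'),
    POSTED_EVENT.replace('RT_FLOW_SESSION_DENY', 'RT_FLOW_SESSION_CREATE'),
]


def route_event(raw, regex):
    """Emulate DEST_KEY = queue / FORMAT = nullQueue: a REGEX match on _raw
    sends the event to nullQueue (dropped), otherwise it is indexed."""
    return "nullQueue" if re.search(regex, raw) else "indexQueue"


def route_all(events, regex):
    """Route every sample event and return the queue decision per event."""
    return [route_event(e, regex) for e in events]


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX),
                        ("case-insensitive", CASE_INSENSITIVE_REGEX)):
        print(f"{name:17s} -> {route_all(SAMPLE_EVENTS, regex)}")
```

The original pattern only catches the lower-case zone, which is why the posted "Untrust" event kept reaching the index; both corrected patterns drop the two inbound denies and still keep the outbound deny and the non-deny event.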

gcusello
SplunkTrust

Without a log example I can only suppose that you did some of my same old errors:

  • wrong sourcetype
  • wrong regex

Have you verified your regex in Splunk or on regex101.com?
Can you share an example?

bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Your regex seems to be correct (backslashes before underscore aren't needed).
Verify the sourcetype.
bye.
Giuseppe

0 Karma

hartfoml
Motivator

Thanks much, this helped.

0 Karma

mattymo
Splunk Employee

Hey Hartfoml!

Just a few first level queries for you:

Are you using a standalone or distributed deployment architecture?

Are you monitoring a file or catching syslog?

Have you confirmed your regex using something like regex101.com? (just to be sure)

Using any other sourcetypes/props on these events?

- MattyMo
0 Karma