Hello,
This is my regex, it works well using the rex command on the search bar of my app like this:
index=hpux tag=audit "bin/rm" | rex "(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n(?:^.*\n)+^Return1:\s+(?P<status>[\S]+)\n(?:^.*\n)+^\s+given path = \"(?P<command>[\S]+)\"\n(?:^.*\n)+^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\""
This is my sample event:
Time: Fri Oct 14 11:00:00 16 EDT
PID: 9368
PPID: 9361
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: 0:(system): (boot)
TTY: (none)
Return1: 0
Arg 1 (file info):
given path = "/usr/bin/rm"
inode = 204
device = 64, 0x7
mode = 0100555
owner uid/gid = 2/2
type = regular file
Arg 2 (argument list):
arg #1 = "rm"
arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):
inode = -1
--------------------------------------------------------------------
So,
pid=9368
ppid=9361
user=root
group=sys
status=0
command=/usr/bin/rm
file=/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old
But when I paste it in a Field Extraction GUI, the preview works, then I save it under my app with Global permissions but my searches won't extract any of the fields.
Am I missing something? This usually works out of the box.
I'm running Splunk 6.4.1
Thanks for any help.
Try this please as I was able to extract it with this regex and all the fields showed up after extraction:
(?s)PID:\s+(?<pid>[^\D]+).*PPID:\s+(?<ppid>[^\D]+).*User\/Grp:\s+\S+\((?<user>[^\/]+)\/(?<group>[^\)]+)\).*Return1:\s+(?<status>[^\D]+).*given\s+?path\s+?=\s+?\"(?<command>[^\s\"]+).*arg\s+?\#\d\s+?=\s+?\"(?<file>[^\s\"]+).*
If it works, please accept the answer and up vote. Thanks!
Thanks for your help, but I have decided to take another option since this type of log mutates a lot.
I decided to just keep the header part in one Field Extraction:
(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n
And then make several other Field Extractions for the rest of the commands:
^Return1:\s+(?P<status>[\S]+)\n
^\s+given path = \"(?P<command>[\S]+)\"\n
^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\"
Now the next problem I have is that I can have any number of "arg #N" lines, and it would be nice to capture all of them dynamically.
Any HP-UX audit log experts out there? 🙂
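A standalone parser for this event layout, added here as an example and not code from the thread: it keeps the PID/PPID/User-Grp header as one regex, matches Return1 and the given path separately so a changed line only loses one field, and uses re.finditer to collect every "arg #N" value into a list. The sample event is constructed from the one in the question (indentation of the sub-lines restored, one extra "-f" argument added).

```python
import re

# Constructed sample event in the shape of the HP-UX audit record from the
# question; "-f" added to show multi-valued capture, indentation restored.
SAMPLE_EVENT = """Time: Fri Oct 14 11:00:00 16 EDT
PID: 9368
PPID: 9361
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Return1: 0
Arg 1 (file info):
   given path = "/usr/bin/rm"
   inode = 204
   device = 64, 0x7
   mode = 0100555
   owner uid/gid = 2/2
   type = regular file
Arg 2 (argument list):
   arg #1 = "rm"
   arg #2 = "-f"
   arg #3 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):
   inode = -1
"""

# Header block: the three consecutive lines kept in one extraction above.
HEADER_RE = re.compile(
    r"(?m)^PID:\s+(?P<pid>\S+)\n"
    r"^PPID:\s+(?P<ppid>\S+)\n"
    r"^User/Grp:\s+\S+\((?P<user>[^/]+)/(?P<group>[^)]+)\)\n"
)
# Remaining fields are matched independently of each other and of the header.
STATUS_RE = re.compile(r"(?m)^Return1:\s+(?P<status>\S+)")
COMMAND_RE = re.compile(r'(?m)^\s+given path = "(?P<command>[^"]+)"')
ARG_RE = re.compile(r'(?m)^\s+arg #\d+ = "(?P<value>[^"]*)"')


def parse_audit_event(event):
    """Return the fields of one HP-UX audit event; 'args' holds every arg #N."""
    fields = {}
    for regex in (HEADER_RE, STATUS_RE, COMMAND_RE):
        m = regex.search(event)
        if m:
            fields.update(m.groupdict())
    # finditer collects all "arg #N" lines in order, however many there are
    # (the greedy (?:^.*\n)+ rex in the question only ever kept the last one).
    fields["args"] = [m.group("value") for m in ARG_RE.finditer(event)]
    return fields
```

Inside Splunk, the equivalent of the finditer loop is the rex command's max_match=0 option, which turns repeated matches of the arg pattern into a multivalue field.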