I have two firewall devices that log their activities in different formats. I'm trying to create CIM-compliant logs. I want to have a field labeled "action" and I want it to set that field to either a value of "drop", "reject", or "accept" based on some regex. The values drop, reject, or accept are not found in the event itself. This is what I have so far and it is not creating a field named action with the desired value.
props.conf
[host::192.168.1.1]
TRANSFORMS-junos = junos_action_deny,junos_action_allow
transforms.conf
[junos_action_deny]
REGEX = RT_FLOW_SESSION_DENY
FORMAT = action::drop
[junos_action_allow]
REGEX = RT_FLOW_SESSION_CREATE
FORMAT = action::allow
Example event
Jul 26 18:17:57 192.168.1.1 1 2017-07-26T18:17:57.909-07:00 fw3 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.40 source-address="184.105.139.110" source-port="44147" destination-address="192.168.1.10" destination-port="69" service-name="junos-tftp" protocol-id="17" icmp-type="0" policy-name="default-deny" source-zone-name="dmz" destination-zone-name="clients" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.1311" encrypted="UNKNOWN" reason="policy deny"] session denied 184.105.139.110/44147->192.168.1.10/69 junos-tftp 17(0) default-deny dmz clients UNKNOWN UNKNOWN N/A(N/A) reth0.1311 UNKNOWN policy deny
Try this:
your search | rex field=_raw "RT_FLOW\s+-\s+(?P<field1>\S+)" | eval action=""| eval test = case(field1=="RT_FLOW_SESSION_DENY",coalesce(action,"Deny"),field1=="RT_FLOW_SESSION_CREATE",coalesce(action,"allow"))
Can your solution be used with props.conf and transforms.conf?
Yes, like below:
props.conf
EXTRACT-field1 = RT_FLOW\s+-\s+(?P<field1>\S+)\s+\[
EVAL-action = ""
EVAL-test = case(field1=="RT_FLOW_SESSION_DENY",coalesce(action,"Deny"),field1=="RT_FLOW_SESSION_CREATE",coalesce(action,"allow"))
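The same extraction logic outside Splunk, as an added example that is not part of the thread: it applies the answer's "token after RT_FLOW - " regex to the Junos RT_FLOW events, maps the event type to the action value the question asks for, and pulls the key="value" pairs from the structured-data block into CIM-style Network Traffic field names. The field names, the drop/accept mapping and the "unknown" fallback are assumptions; the sample events are constructed.

```python
import re

# Constructed events in the Juniper SRX RT_FLOW syslog layout from the question
# (the deny line is the question's own example, trimmed; the create line is made up).
SAMPLE_EVENTS = [
    'Jul 26 18:17:57 192.168.1.1 1 2017-07-26T18:17:57.909-07:00 fw3 RT_FLOW - '
    'RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.40 source-address="184.105.139.110" '
    'source-port="44147" destination-address="192.168.1.10" destination-port="69" '
    'protocol-id="17" policy-name="default-deny" reason="policy deny"] session denied',
    'Jul 26 18:18:02 192.168.1.1 1 2017-07-26T18:18:02.100-07:00 fw3 RT_FLOW - '
    'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="192.168.1.20" '
    'source-port="51000" destination-address="10.0.0.5" destination-port="443" '
    'protocol-id="6" policy-name="allow-web"] session created',
]

# Same idea as the answer's rex: the token after "RT_FLOW - " is the event type.
EVENT_TYPE_RE = re.compile(r'RT_FLOW\s+-\s+(?P<field1>\S+)\s+\[')
# key="value" pairs inside the [junos@... ] structured-data block.
SD_BLOCK_RE = re.compile(r'\[junos@\S+\s+(?P<body>[^\]]*)\]')
KV_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')

# Event type -> action value the question asks for; anything else is "unknown"
# (an assumption, e.g. RT_FLOW_SESSION_CLOSE is not a permit/deny decision).
ACTION_BY_EVENT = {"RT_FLOW_SESSION_DENY": "drop", "RT_FLOW_SESSION_CREATE": "accept"}
TRANSPORT_BY_PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}


def normalize(event: str) -> dict:
    """Return CIM-style Network Traffic fields for one RT_FLOW event, or {} if not one."""
    m = EVENT_TYPE_RE.search(event)
    if not m:
        return {}
    sd = SD_BLOCK_RE.search(event)
    kv = dict(KV_RE.findall(sd.group("body"))) if sd else {}
    event_type = m.group("field1")
    return {
        "event_type": event_type,
        "action": ACTION_BY_EVENT.get(event_type, "unknown"),
        "src": kv.get("source-address"),
        "src_port": kv.get("source-port"),
        "dest": kv.get("destination-address"),
        "dest_port": kv.get("destination-port"),
        "transport": TRANSPORT_BY_PROTO.get(kv.get("protocol-id"), "unknown"),
        "rule": kv.get("policy-name"),
    }
```

Running `normalize` over a file of real events is a quick way to check that the regex matches every event type before committing it to props.conf.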