Getting Data In

How to get complete event information into the command field?

Hemnaath
Motivator

Hi All, for the past one week I have been trying to get an answer for my problem, but haven't got a good fix for the issue still. We got a request from a user to include the entire command line information in the field called Command in the interesting fields; currently it only parses until there's a space.

search query: index=unix sourcetype=linux_secure COMMAND

For example, this log:
Dec 18 02:38:36 test02 sudo: solarwinds : TTY=pts/1 ; PWD=/opt/solarwinds ; USER=root ; COMMAND=/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log

"Problem"- COMMAND is currently parsed as "/opt/solarwinds/utilities/check_file.sh"

"Exact Requirement"- Want it parses as "/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log"

Got a regex from answers.com, but it's working when we use the regex while searching the events in the search head console.

search query details:
index=unix sourcetype=linux_secure COMMAND | rex "sudo:.*?COMMAND=(?<command>[^;]+)(;|$)"

But the same is not working when added to props.conf and pushed to the search head cluster members and indexer instances, where Splunk ingests the data from the remote node.

Inputs.conf details:
Inputs.conf for monitoring stanza

[monitor:///var/log]
whitelist=(.log|log$|messages|.out)
blacklist=(lastlog)
index = unix
disabled = 0

Props.conf Details:

[linux_secure]

EXTRACT-command = "sudo:.*?COMMAND=(?<command>[^;]+)(;|$)"

Transforms.conf details:

Kindly guide me on how to parse the entire command line information into the command field.

Thanks in advance.

0 Karma
1 Solution

micahkemp
Champion

Try this regex:

sudo.*COMMAND=(?<command>[^;]+)( ;|$)

0 Karma
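To show why the accepted regex solves the asker's problem, and where `[^;]+` still has a limit, here is an added Python example (not code from the thread or from Splunk). It constructs a few sudo log lines modelled on the one in the question and runs the accepted pattern, the variant the asker later deployed, a space-delimited extraction that reproduces the original complaint, and an end-of-line anchored variant. Python's `re` spells a named group `(?P<command>...)` where Splunk's PCRE uses `(?<command>...)`; the `to_end_of_line` pattern assumes COMMAND is the last field of the sudo line, which is an assumption, not something the thread states.

```python
import re

# Constructed sample lines modelled on the event in the question; not real logs.
SAMPLE_LOGS = [
    # Same shape as the asker's event: COMMAND with arguments, last field on the line.
    "Dec 18 02:38:36 test02 sudo: solarwinds : TTY=pts/1 ; PWD=/opt/solarwinds ; "
    "USER=root ; COMMAND=/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log",
    # Constructed: the command itself contains a literal ';' inside quotes.
    "Dec 18 02:40:01 test02 sudo: ops : TTY=pts/2 ; PWD=/home/ops ; USER=root ; "
    "COMMAND=/bin/sh -c 'echo a; echo b'",
    # Constructed: an unrelated linux_secure event with no COMMAND field at all.
    "Dec 18 02:41:12 test02 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 50000 ssh2",
]

# Reproduces the behaviour the asker complains about: the value stops at the first space.
SPACE_DELIMITED = re.compile(r"COMMAND=(?P<command>\S+)")

# The accepted answer's regex (Splunk form: sudo.*COMMAND=(?<command>[^;]+)( ;|$)).
ACCEPTED = re.compile(r"sudo.*COMMAND=(?P<command>[^;]+)( ;|$)")

# The variant the asker finally deployed: non-greedy, and ';' with no leading space.
DEPLOYED = re.compile(r"sudo:.*?COMMAND=(?P<command>[^;]+)(;|$)")

# Hypothetical alternative, assuming COMMAND is always the final field of a sudo line:
# take everything up to end of line, so a ';' inside the command does not truncate it.
TO_EOL = re.compile(r"sudo:.*?COMMAND=(?P<command>.*)$")

PATTERNS = {
    "space_delimited": SPACE_DELIMITED,
    "accepted": ACCEPTED,
    "deployed": DEPLOYED,
    "to_end_of_line": TO_EOL,
}


def extract_command(line, pattern=ACCEPTED):
    """Return the captured 'command' group, or None when the pattern does not match."""
    match = pattern.search(line)
    return match.group("command") if match else None


def compare_patterns(line):
    """Apply every pattern to one line so the extractions can be compared side by side."""
    return {name: extract_command(line, pat) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line)
        for name, value in compare_patterns(line).items():
            print(f"  {name:16s} -> {value!r}")
        print()
```

On the asker's own event all three sudo patterns agree and return the full command with its arguments. They diverge on the constructed line whose command contains a quoted `;`: `[^;]+` cannot cross the semicolon, so the deployed pattern returns a truncated command and the accepted pattern (which also demands a space before the `;`) does not match at all. Both are worth checking against real data before relying on the field for alerting, since a sudo invocation that never shows up in the extracted field is easy to miss.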


Hemnaath
Motivator

Hi Micahkemp, thanks for your effort on this. Yes, I had tested the regex by executing it on regex101.com and it worked fine, but can I push the same regex in my props.conf and deploy it to the search head cluster master and the indexer?

props.conf:

[linux_secure]

EXTRACT-command = sudo.*COMMAND=(?<command>[^;]+)( ;|$)

Kindly guide me on this please.

0 Karma

Hemnaath
Motivator

Hi micahkemp, can you please guide me on the above comment?

Thanks in advance.

0 Karma

micahkemp
Champion

It should work in your props.conf, and I don't see any glaring issue in what you have above.

As for pushing it out, it doesn't need to go to your indexers, and I'm not fluent enough in search head cluster to speak about how that might need to be done.

0 Karma

micahkemp
Champion

Were you able to get this working in props.conf?

0 Karma

Hemnaath
Motivator

Hi Micahkemp, good morning and wish you a Happy New Year. Hey, it worked, but I had taken this regex "sudo:.*?COMMAND=(?<command>[^;]+)(;|$)" and pushed the below stanza details in props.conf along with the other stanza details, and it worked fine. Thanks for guiding me on this.

Props.conf
[linux_secure]

EXTRACT-command = "sudo:.*?COMMAND=(?<command>[^;]+)(;|$)"
0 Karma

micahkemp
Champion

Glad to hear it worked. Do you mind accepting the answer so that this question doesn't still appear to be open?

0 Karma

Hemnaath
Motivator

Hi Micahkemp, thanks for guiding me on this issue.

0 Karma