Splunk Search

Cisco ASA VPN logs regex?

nick405060
Motivator

Hey guys,

I am ingesting VPN logs and would like to parse them out. Does anyone have regexes to use?

Tags (5)
0 Karma
1 Solution

nick405060
Motivator

Here you go:

index=asa "USERSEARCH"|

eval comment="extraction_common" | rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)" | 

eval comment="extraction_group" | rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)" |

eval comment="extraction_tunnelgroup" | rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)" |
eval comment="extraction_teardown" | rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?" |

eval comment="extraction_built" | rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?" |
eval comment="extraction_deny" | rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]" |
eval comment="extraction_disconnected" | rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)" |
eval comment="extraction_access-list" | rex field=unregexed "(?<category>access-list StaffVPNACL-EXT2 denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt 1 first hit \[(?<brackets>[^\]]+?)\]" |

eval comment="AAA" | rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)" |

search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH" |

lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved | lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved | lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved | lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved | lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved |

table _time unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_reoslved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group direction duration bytes bytes_xmt bytes_rcv brackets sourcetype

View solution in original post

0 Karma

nick405060
Motivator

Here you go:

index=asa "USERSEARCH"|

eval comment="extraction_common" | rex field=_raw "^(?<month>\S+?)\s+?(?<day>\S+?) (?<time>\S+?) (?<ip>\S+?) %(?<asa>[^:]+?): (?<unregexed>[\s\S]*)" | 

eval comment="extraction_group" | rex field=unregexed "(?<category>[^<=]+?)( = | <)(?<group>[^>,]+?)(>|,) Usern?a?m?e? (<|= )(?<user>[^>,]+?)(,|>) IP (<|= )(?<ip>[^>,]+?)(,|>) (?<message>[\s\S]*)" |

eval comment="extraction_tunnelgroup" | rex field=unregexed "(?<category>TunnelGroup) <(?<group>[^>]+?)> GroupPolicy <[^>]+?> User <(?<user>[^>]+?)> IP <(?<ip>[^>]+?)> (?<message>[\s\S]*)" |
eval comment="extraction_teardown" | rex field=unregexed "(?<category>Teardown (UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+)\(?L?O?C?A?L?.?(?<from_user>[^\)]*?)\)? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+)\(?L?O?C?A?L?.?(?<to_user>[^\)]*?)\)? duration (?<duration>\S+?) bytes (?<bytes>\d+) ?(?<message>[^\(]*)\(?(?<user>[^\)]*)\)?" |

eval comment="extraction_built" | rex field=unregexed "(?<category>Built (?<direction>inbound|outbound) (?<type>UDP|TCP) connection) (?<connection>\d+?) for (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?) \((?<from_ip2>[^/]+?)/(?<from_port2>\d+?)\)(\(LOCAL.(?<from_user>[^\)]+?)\))? to (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) \((?<to_ip2>[^/]+?)/(?<to_port2>\d+?)\) ?(\(L?O?C?A?L?\\\?(?<to_user>[^\)]+?)\))?" |
eval comment="extraction_deny" | rex field=unregexed "(?<category>Deny) (?<type>\S+?) src (?<from>[^:]+?):(?<from_ip>[^/]+?)/(?<from_port>\d+?)\(LOCAL.(?<user>[^\)]+?)\) dst (?<to>[^:]+?):(?<to_ip>[^/]+?)/(?<to_port>\d+?) by access-group \"(?<access_group>[^\"]+?)\" \[(?<brackets>[^\]]+?)\]" |
eval comment="extraction_disconnected" | rex field=unregexed "(?<category>Group) = (?<group>[^,]+?), Username = (?<user>[^,]+?), IP = (?<ip>[^,]+?), Session disconnected. Session Type: (?<type>[^,]+?), Duration: (?<duration>[^,]+?), Bytes xmt: (?<bytes_xmt>[^,]+?), Bytes rcv: (?<bytes_rcv>[^,]+?), Reason: (?<reason>[\s\S]+)" |
eval comment="extraction_access-list" | rex field=unregexed "(?<category>access-list StaffVPNACL-EXT2 denied) (?<type>\S+?) for user \'(?<user>[^\']+?)\' (?<from>[^/]+?)/(?<from_ip>[^\(]+?)\((?<from_port>[^\)]+?)\) -> (?<to>[^/]+?)/(?<to_ip>[^\(]+?)\((?<to_port>[^\)]+?)\) hit-cnt 1 first hit \[(?<brackets>[^\]]+?)\]" |

eval comment="AAA" | rex field=unregexed "(?<category>AAA user authentication Rejected) : reason = (?<reason>[^:]+?) : server = (?<server>[^:]+?) : user = (?<user>[^:]+?) : user IP = (?<ip>\S+)" |

search user="USERSEARCH" OR to_user="USERSEARCH" OR from_user="USERSEARCH" |

lookup dnslookup clientip as ip OUTPUT clienthost as ip_resolved | lookup dnslookup clientip as from_ip OUTPUT clienthost as from_ip_resolved | lookup dnslookup clientip as from_ip2 OUTPUT clienthost as from_ip2_resolved | lookup dnslookup clientip as to_ip OUTPUT clienthost as to_ip_resolved | lookup dnslookup clientip as to_ip2 OUTPUT clienthost as to_ip2_resolved |

table _time unregexed category connection user from from_ip from_ip_resolved from_port from_user from_ip2 from_ip2_resolved from_port2 to to_ip to_ip_reoslved to_port to_user to_ip2 to_ip2_resolved to_port2 ip ip_resolved server type reason message group access_group direction duration bytes bytes_xmt bytes_rcv brackets sourcetype
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...