All Apps and Add-ons

How to use Add-on for MAC lookup to search and extract MAC vendor in syslog data?

wiredmonkey
Explorer

I'm trying to use the Add-On for MAC lookup App and am having issues. Here is the raw syslog data I'm working with:

Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User) 

And a user here was very helpful with my request to create a table, which gave me this search:

rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

rex confuses me greatly. I would like to add to this table the vendor of the mac being displayed using the | maclookup

How can I do this?

1 Solution

MuS
Legend

Hi wiredmonkey and others,

the app is now available with debugging feature and error handling on non-existing MACs.
Thanks for providing the test events, they were really useful.

hope this helps ...

cheers, MuS

MuS
Legend

Hi wiredmonkey,

I wrote this App. Your MAC is not matching the regex used in the App. The regex uses : or - but your format is not matched.
Give me some time and I'll update it 😉

Cheers, MuS

MuS
Legend

No, the regex matches this format nicely.
I can add some debugging feature to the script tomorrow if you need.

rickylee
New Member

Hi, in my logs my MAC addresses are already extracted properly to a field called EndPointMACAddress, and I created a field alias called MAC_Address.

Excerpt of raw log:
EndPointMACAddress=F4-0B-93-8F-D8-0E, ISEPolicySetName=Default, AllowedProtocolMatchedRule=LN-WLAN-PEAP

I can't seem to get the lookup to work.

my search is:

eventtype=cisco-ise MESSAGE_CLASS=Passed-Authentication OR MESSAGE_CLASS=Failed-Attempt MESSAGE_TEXT="Authentication failed" | maclookup | Table User EndPointMACAddress Company OUI

thanks

0 Karma

wiredmonkey
Explorer

MuS,

Thank you for the quick response. I am now seeing requests from my Splunk server to api.macvendors.com, so it appears to be trying to search. Now I cannot get the vendor to show up in my table.

Does the | maclookup replace the mac address with the vendor? Does it create a new row in the table?

In the end, I want the table to show:

Time
Source (westannex1 in this example)
Mac Address
Port
Vendor

Based off this syslog data:

Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)

0 Karma

MuS
Legend

Hi wiredmonkey,

check the updated version http://apps.splunk.com/app/1249/ I added your MAC format to the regex.

cheers, MuS

wiredmonkey
Explorer

Awesome. Thanks MuS!!

somesoni2
Revered Legend

Try this:

your base search | maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

Updated: replace command before doing maclookup to format the existing MAC.
Update 1: updated replace command as MAC can contain alphanumeric characters.

your base search | eval _raw=replace(_raw,"(\[[a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2}\s*\])","\1:\2:\3:\4:\5:\6")| maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

Option 2 - adding space after and before MAC.

your base search | eval _raw=replace(_raw,"\[\s*([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\.([a-zA-Z0-9]{2})([a-zA-Z0-9]{2})\s*\]","[ \1:\2:\3:\4:\5:\6 ]")| maclookup |rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
0 Karma
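The two steps this thread turns on, extracting Source / MAC / Port with the rex from the question and normalizing the Cisco dotted MAC to the colon-separated IEEE 802 form before the vendor lookup, as an added Python example that is not code from the thread or from the MAC lookup app. It assumes a small constructed OUI table in place of the live api.macvendors.com call, and the vendor string is a constructed placeholder, not a real OUI assignment.

```python
import re

# Constructed sample event, in the format posted in the question (dotted Cisco MAC inside brackets).
SAMPLE_EVENT = ("Aug 21 14:39:04 192.168.10.18 Aug 21 14:39:03 WestAnnex1 "
                "MAC Authentication failed for [0021.7029.3381 ] on port 0/1/47 (Invalid User)")

# The same extraction as the thread's rex: skip 7 space-separated tokens, then Source,
# the bracketed MAC and the port.
FIELD_RE = re.compile(
    r"(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>\S+)")

MAC48_HEX = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff (IEEE 802 form), or None if it is not a MAC-48.

    Accepts dotted (0021.7029.3381), hyphen (F4-0B-93-8F-D8-0E), colon and bare-hex forms
    and tolerates the surrounding whitespace seen in the posted event.
    """
    digits = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not MAC48_HEX.match(digits):
        return None  # the lookup would fail on this, so surface it instead of passing junk on
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed offline stand-in for the vendor DB; keyed by the 24-bit OUI prefix.
OUI_TABLE = {"00:21:70": "ExampleVendor (constructed)"}

def lookup_vendor(mac):
    """Vendor for any supported MAC format; None for invalid input, 'unknown' for an unlisted OUI."""
    norm = normalize_mac(mac)
    if norm is None:
        return None
    return OUI_TABLE.get(norm[:8], "unknown")

def parse_event(event):
    """Build the row the question asks for: Source, MAC_Address, Port and Vendor."""
    m = FIELD_RE.search(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["MAC_Address"] = normalize_mac(fields["MAC_Address"])
    fields["Vendor"] = lookup_vendor(fields["MAC_Address"]) if fields["MAC_Address"] else None
    return fields

if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT))
```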

somesoni2
Revered Legend

You can use rex with mode=sed to convert your format to IEEE 802 format. What is your current format?

0 Karma

wiredmonkey
Explorer

Found this in the help of maclookup:

lookup the standard ieee 802 mac-48 addresses in an internet db http://api.macvendors.com/ to get Manufactor Company Name

The mac that the syslog data creates isn't this standard. How do I go about changing the mac address format?

0 Karma

wiredmonkey
Explorer

Didn't work. My only thought is that the maclookup app needs a specific format of the mac address to work. I tried to contact the creator of the Add-on but it's a bogus email address.

0 Karma