I am trying to filter out all inbound deny syslog that the firewall is sending
I have a props.conf like this
[srx_log]
TRANSFORMS-srxDrop = srxDropDeny
I have transforms.conf like this
##############################
# Drop Firewall inbound deny
###############################
[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")
DEST_KEY = queue
FORMAT = nullQueue
I can see that the logs are not being dropped.
How do I ..... Or where do I look to see why this is not working? Is there an internal log that tracks the transforms and props activity? Is there a log file that tracks whether or not a filter is working?
I think I figured it out. Regex is case sensitive and I had two source zones, one with a lower "u" and one with an upper "U", so I had to add the "|" OR symbol to add the second source-zone-name
[srxDropDeny]
REGEX = (RT\_FLOW\_SESSION\_DENY.+(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))
DEST_KEY = queue
FORMAT = nullQueue
here is a sample of the firewall log that I am trying to drop
<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" destination-address="x.x.x.x" destination-port="80" service-name="junos-http" protocol-id="6" icmp-type="0" policy-name="my policyname" source-zone-name="Untrust" destination-zone-name="my zone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="UNKNOWN" reason="none"]
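A quick way to check the transform's REGEX against that sample line before touching Splunk, as an added example (not something posted in the thread): it runs the original REGEX and the corrected REGEX from the answer above over the posted event, plus two constructed variants, one with the lower-case zone the original filter expected and one from a different zone that must not be dropped. Splunk matches transforms.conf REGEX anywhere in the raw event using PCRE; Python's re gives the same result for these patterns. The (?i) case-insensitive pattern is an alternative I am suggesting, not one used in the thread.

```python
import re

# Event posted in the thread (the poster had already masked the addresses).
SAMPLE_EVENT = (
    '<14>1 2016-08-17T10:32:06.470-05:00 Astraeos RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.28 source-address="y.y.y.y" source-port="37949" '
    'destination-address="x.x.x.x" destination-port="80" service-name="junos-http" '
    'protocol-id="6" icmp-type="0" policy-name="my policyname" '
    'source-zone-name="Untrust" destination-zone-name="my zone" application="UNKNOWN" '
    'nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="reth0.0" encrypted="UNKNOWN" reason="none"]'
)

# Constructed: the same deny but from the lower-case zone the first regex expected.
LOWER_EVENT = SAMPLE_EVENT.replace('source-zone-name="Untrust"', 'source-zone-name="untrust"')

# Constructed: a deny from another zone. The filter must leave this one alone.
TRUST_EVENT = SAMPLE_EVENT.replace('source-zone-name="Untrust"', 'source-zone-name="trust"')

ALL_EVENTS = [SAMPLE_EVENT, LOWER_EVENT, TRUST_EVENT]

# REGEX from the original transforms.conf (lower-case zone only).
ORIGINAL_REGEX = r'(RT\_FLOW\_SESSION\_DENY.+source-zone-name\=\"untrust\")'

# REGEX from the accepted fix: both spellings joined with "|".
FIXED_REGEX = (
    r'(RT\_FLOW\_SESSION\_DENY.+'
    r'(source-zone-name\=\"untrust\"|source-zone-name\=\"Untrust\"))'
)

# Suggested alternative (not from the thread): make the whole pattern case-insensitive
# with the inline (?i) modifier, which PCRE and Python both support. Backslashes before
# "_", "=" and the quotes are not needed, as noted in the thread.
CASE_INSENSITIVE_REGEX = r'(?i)RT_FLOW_SESSION_DENY.+source-zone-name="untrust"'


def would_drop(regex: str, event: str) -> bool:
    """True if a transform with this REGEX would send the event to nullQueue.

    Splunk applies REGEX unanchored against the raw event, so re.search is the
    right analogue (re.match would wrongly require a match at column 0).
    """
    return re.search(regex, event) is not None


def route(regex: str, events):
    """Split events into (dropped, kept) exactly as the nullQueue transform would."""
    dropped = [e for e in events if would_drop(regex, e)]
    kept = [e for e in events if not would_drop(regex, e)]
    return dropped, kept


if __name__ == "__main__":
    for name, rx in [("original", ORIGINAL_REGEX),
                     ("fixed", FIXED_REGEX),
                     ("case-insensitive", CASE_INSENSITIVE_REGEX)]:
        dropped, kept = route(rx, ALL_EVENTS)
        print(f"{name:17s} dropped={len(dropped)} kept={len(kept)}")
        for e in ALL_EVENTS:
            zone = re.search(r'source-zone-name="([^"]*)"', e).group(1)
            print(f"    zone={zone:8s} -> {'DROP' if would_drop(rx, e) else 'keep'}")
```

Running it shows why the first version never dropped anything: the posted event carries "Untrust" and the original pattern only matches "untrust". Both the "|" fix and the (?i) variant drop the two Untrust/untrust denies and keep the trust-zone event.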
Without a log example I can only suppose that you made some of the same old errors I have made:
Have you verified your regex in Splunk or regex101.com?
Can you share an example?
bye.
Giuseppe
Your regex seems to be correct (backslashes before underscore aren't needed).
Verify the sourcetype.
bye.
Giuseppe
Thanks much, this helped.
Hey Hartfoml!
Just a few first level queries for you:
Are you using a standalone or distributed deployment architecture?
Are you monitoring a file or catching syslog?
Have you confirmed your regex using something like regex101.com? (just to be sure)
Using any other sourcetypes/props on these events?