Solved: How to separate logs from the same source to their...

tayyujie · ‎10-14-2014

I am running pfSense in my environment. Currently, I am sending logs through UDP 50000, and my source type is pfsense-firewall. My props.conf and transforms.conf look like this:

props.conf

[source::udp:50000]
TRANSFORMS-pfsense-firewall = pfsense-firewall
SHOULD_LINEMERGE = true
TRUNCATE = 0
MUST_NOT_BREAK_AFTER = pf: .* rule ([-\d]+\/\d+)\(.*?\):
MUST_BREAK_AFTER = pf: .* (<|>) +(\d+\.\d+\.\d+\.\d+)\.?(\d*)\:
REPORT-pfsense-firewall = pfsense-firewall

transforms.conf

[pfsense-firewall]
REGEX = .* (?pass|block) .* (?TCP|UDP|IGMP|ICMP) .* (?(\d+\.\d+\.\d+\.\d+))\.?(?(\d*)) [<|>] (?(\d+\.\d+\.\d+\.\d+))\.?(?(\d*)): (.*)
CLEAN_KEYS = 1
MV_ADD = 0

I am also currently sending virus logs from havp (pfSense antivirus package) through the same port. The logs from pfSense are multi-lined, but the logs from havp are single-lined.

A log sample from havp:

Oct 15 10:22:28 192.168.89.254 Oct 15 10:22:34 havp[2937]: 192.168.2.3 GET 200 http://www.eicar.org/download/eicar.com 380+68 VIRUS Clamd: Eicar-Test-Signature

How can I separate the logs to their respective source types based on the regex? Sorry, I'm pretty new to Splunk, so this may come across as a newbie question.

martin_mueller · ‎10-15-2014

You could do something like this (untested, so double-check for typos before copypastaing):

props.conf:

[source::udp:50000]
sourcetype = havp
TRANSFORMS-set_pfsense_sourcetype = set_pfsense_sourcetype
...

transforms.conf:

[set_pfsense_sourcetype]
REGEX = [\r\n]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pfsense-firewall

...

The sourcetype will default to hvap as set in props.conf, and will be overwritten to pfsense in transforms.conf if a line break is present in the event.

Note, I'd personally prefer giving each source its own UDP port... but this should work as well.

View solution in original post

martin_mueller · ‎10-15-2014

You could do something like this (untested, so double-check for typos before copypastaing):

props.conf:

[source::udp:50000]
sourcetype = havp
TRANSFORMS-set_pfsense_sourcetype = set_pfsense_sourcetype
...

transforms.conf:

[set_pfsense_sourcetype]
REGEX = [\r\n]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pfsense-firewall

...

The sourcetype will default to hvap as set in props.conf, and will be overwritten to pfsense in transforms.conf if a line break is present in the event.

Note, I'd personally prefer giving each source its own UDP port... but this should work as well.

tayyujie · ‎10-15-2014

Unfortunately, havp do not have the settings to send logs on a different port.

I'll give it a try!

kml_uvce · ‎10-14-2014

in props.conf make 2 stanzaz for pfsense and hvap

[pfsense_sourcetype]
.....
REPORT-pfsense-firewall = pfsense-firewall
[hvap_sourcetype]
....
REPORT-hvap-firewall = hvap-firewall

In transforms.conf

[pfsense-firewall]
 REGEX = .* (?pass|block) .* (?TCP|UDP|IGMP|ICMP) .* (?(\d+\.\d+\.\d+\.\d+))\.?(?(\d*)) [<|>] (?(\d+\.\d+\.\d+\.\d+))\.?(?(\d*)): (.*)
 CLEAN_KEYS = 1
 MV_ADD = 0
[ hvap-firewall]

tayyujie · ‎10-15-2014

I can make two stanzas even though my source is udp:50000?

I defined UDP port 50000 as pfsense-firewall in my data inputs.

How to separate logs from the same source to their respective sourcetypes based on regex?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?