My multi-line regex won't work after saving it for field extractions in a HPUX audit log

guarisma
Contributor

Hello,

This is my regex, it works well using the rex command on the search bar of my app like this:

index=hpux tag=audit "bin/rm" | rex "(?m)^(?:.)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+((?P<user>[\S]+)\/(?P<group>[\S]+))\n(?:^.\n)+^Return1:\s+(?P<status>[\S]+)\n(?:^.\n)+^\s+given path = \"(?P<command>[\S]+)\"\n(?:^.\n)+^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\""

This is my sample event:

Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
Groups:                 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges:           "BASIC"
Permitted privileges:           "BASIC"
Retained privileges:            "BASIC"
Audit tag:              0:         0:(system):      (boot)
TTY:                    (none)
Return1:                0
Arg 1 (file info):                      
                    given path = "/usr/bin/rm"
                    inode = 204
                    device = 64, 0x7
                    mode = 0100555
                    owner uid/gid = 2/2
                    type = regular file
Arg 2 (argument list):                  
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):                      
                    inode = -1
--------------------------------------------------------------------

So,
pid=9368
ppid=9361
user=root
group=sys
status=0
command=/usr/bin/rm
file=/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old

But when I paste it in a Field Extraction GUI, the preview works; then I save it under my app with Global permissions, but my searches won't extract any of the fields.

Am I missing something? This usually works out of the box.

I'm running Splunk 6.4.1.
Thanks for any help.


gokadroid
Motivator

Try this please as I was able to extract it with this regex and all the fields showed up after extraction:

(?s)PID:\s+(?<pid>[^\D]+).*PPID:\s+(?<ppid>[^\D]+).*User\/Grp:\s+\S+\((?<user>[^\/]+)\/(?<group>[^\)]+)\).*Return1:\s+(?<status>[^\D]+).*given\s+?path\s+?=\s+?\"(?<command>[^\s\"]+).*arg\s+?\#\d\s+?=\s+?\"(?<file>[^\s\"]+).*

If it works, please accept the answer and up vote. Thanks!

guarisma
Contributor

Thanks for your help, but I have decided to take another option since this type of log mutates a lot.

I decided to just keep the header part in one Field Extraction:

(?m)^(?:.)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+((?P<user>[\S]+)\/(?P<group>[\S]+))\n

And then make several other Field Extractions for the rest of the commands:

^Return1:\s+(?P<status>[\S]+)\n

^\s+given path = \"(?P<command>[\S]+)\"\n

^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\"

Now the next problem I have is that I can have any number of "arg #N" lines, and it would be nice to capture all of them dynamically.

Any HP-UX audit log experts out there? 🙂

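As an added example that is not code from either post: a Python parser for the record shape quoted in the question that pulls out the header fields the accepted-style regex targets (pid, ppid, user, group, status, command) with the parentheses of the User/Grp line escaped, and also collects every "arg #N" value in order, which is the follow-up question at the end of the thread. The function name `parse_audit_event` and the trimmed sample record are assumptions made for this example.

```python
import re

# Constructed sample event, trimmed from the HP-UX audit record quoted
# in the question (one record per event, one field per line).
SAMPLE_EVENT = """\
Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
TTY:                    (none)
Return1:                0
Arg 1 (file info):
                    given path = "/usr/bin/rm"
                    inode = 204
Arg 2 (argument list):
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):
                    inode = -1
"""

# One anchored single-line regex per header field, so a missing or
# reordered line drops only that field instead of the whole match.
HEADER_PATTERNS = {
    "pid": re.compile(r"^PID:\s+(\S+)$", re.M),
    "ppid": re.compile(r"^PPID:\s+(\S+)$", re.M),
    "status": re.compile(r"^Return1:\s+(\S+)$", re.M),
    "command": re.compile(r'^\s+given path = "([^"]+)"$', re.M),
}
# User/Grp line: "\(" and "\)" match the literal parentheses around root/sys.
USER_GRP = re.compile(r"^User/Grp:\s+\S+\((?P<user>[^/]+)/(?P<group>[^)]+)\)$", re.M)
# Every 'arg #N = "..."' line, however many there are.
ARG_LINE = re.compile(r'^\s+arg #(\d+) = "([^"]*)"$', re.M)


def parse_audit_event(event: str) -> dict:
    """Return the fields of one HP-UX audit record; 'args' is a list."""
    fields = {}
    for name, pat in HEADER_PATTERNS.items():
        m = pat.search(event)
        if m:
            fields[name] = m.group(1)
    m = USER_GRP.search(event)
    if m:
        fields.update(m.groupdict())
    # Sort by the arg number so the list order does not depend on line order.
    args = sorted((int(n), v) for n, v in ARG_LINE.findall(event))
    fields["args"] = [v for _, v in args]
    return fields
```

In Splunk itself the equivalent of the `args` list is a multivalued extraction, for example `rex max_match=0` in a search or `MV_ADD = true` on a transforms.conf stanza.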