Splunk Search

How to search for successful or failed connections in firewall logs?

cyberportnoc
Explorer

I run this over the last 24 hours but get no result, not even over the last 7 days.

However, when I search inbound and outbound separately, there are results.
Is it a problem with the alias names for the destination IP and source IP?

Should both inbound and outbound exist for it to be called a successful connection?
If there is only an inbound connection but no outbound connection, can it be a successful connection?

source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4"
| rex field=_raw "Outside:(?<destinationip2>\d+.\d+.\d+.\d+){0,3}"
| rex field=_raw "Inside:(?<sourceip2>\d+.\d+.\d+.\d+){0,3}"
| join destinationip2 [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?<destinationip2>\d+.\d+.\d+.\d+){0,3}"]
| mvexpand destinationip2
| table destinationip2, sourceip2
0 Karma
1 Solution

sundareshr
Legend

Try a different approach

source=/var/log/remote/192.168.1.1.log outsideip=* ("Built inbound" OR "Built outbound") NOT ("8.8.8.8" OR "8.8.4.4")
| rex field=_raw "Outside:\s?(?<destinationip2>\d+\.\d+\.\d+\.\d+)"
| rex field=_raw "Inside:\s?(?<sourceip2>\d+\.\d+\.\d+\.\d+)"
| mvexpand destinationip2
| stats values(sourceip2) as sourceip2 by destinationip2

0 Karma

cyberportnoc
Explorer

This approach searches inbound and outbound using OR, but does not join them to find a specific session.

I am thinking of using maxspan=30s and join.

Actually, my logs look like these:

Aug 3 09:06:50 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 429365644 for Outside:126.27.180.187/64765 (180.25.12.177/64765) to Inside:202.171.212.131/80 (230.120.220.141/80)

Aug 3 09:07:11 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 429369569 for Outside:192.168.116.124/1883 (192.168.1.12/1883) to Inside:202.171.212.163/53381 (230.120.220.165/53381)

0 Karma

cyberportnoc
Explorer

Today I searched again, and it has results now:

source=/var/log/remote/192.168.1.1.log outsideip=* "Built inbound" NOT "8.8.8.8" NOT "8.8.4.4"
| rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+)"
| rex field=_raw "Inside:(?<sourceip2>\d+\.\d+\.\d+\.\d+)"
| join destinationip2 [search "Built outbound" outsideip=* | rex field=_raw "Outside:(?<destinationip2>\d+\.\d+\.\d+\.\d+)"]
| mvexpand destinationip2
| table destinationip2, sourceip2
| stats values(sourceip2) as sourceip2, count by destinationip2
| sort -count
| head 10
0 Karma
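Added illustration (editor's example, not code from the thread or from Splunk): the accepted answer's rex-plus-stats logic and the poster's proposed time-bounded join on destinationip2, written in Python so they can be run offline over the two %ASA-6-302013 lines posted above plus two constructed lines (an outbound flow to the same Outside host 15 seconds later, and a DNS flow to 8.8.8.8 that the NOT clause is meant to drop). The field names destinationip2/sourceip2 follow the thread; the 30-second window, the EXCLUDED set and the single-year assumption for the syslog timestamp are assumptions taken from the posts. One caveat on the "successful connection" question: message 302013 is the ASA's "Built" event, logged when the firewall creates the connection slot, so every line this search can match was already permitted; a flow the ASA denied is logged under a different message ID and never matches "Built", and how a permitted flow ended (duration, bytes, teardown reason) is in the 302014 "Teardown" message, not here.

```python
"""Offline model of the Splunk searches in this thread, run over sample ASA lines."""
import re
from collections import defaultdict
from datetime import datetime

# First two lines are the ones posted in the thread; the last two are constructed
# for this example (an outbound flow to the same Outside host, and a DNS flow that
# the NOT ("8.8.8.8" OR "8.8.4.4") clause is meant to drop).
SAMPLE_LINES = [
    "Aug 3 09:06:50 192.168.1.1 %ASA-6-302013: Built inbound TCP connection 429365644 for Outside:126.27.180.187/64765 (180.25.12.177/64765) to Inside:202.171.212.131/80 (230.120.220.141/80)",
    "Aug 3 09:07:11 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 429369569 for Outside:192.168.116.124/1883 (192.168.1.12/1883) to Inside:202.171.212.163/53381 (230.120.220.165/53381)",
    "Aug 3 09:07:05 192.168.1.1 %ASA-6-302013: Built outbound TCP connection 429367000 for Outside:126.27.180.187/443 (180.25.12.177/443) to Inside:202.171.212.140/51234 (230.120.220.150/51234)",  # constructed
    "Aug 3 09:07:20 192.168.1.1 %ASA-6-302013: Built outbound UDP connection 429370001 for Outside:8.8.8.8/53 (8.8.8.8/53) to Inside:202.171.212.131/40000 (230.120.220.141/40000)",  # constructed
]

# Same idea as the rex commands in the thread: pull the Outside: and Inside:
# addresses out of the raw line. Dots are escaped; the {0,3} repetition in the
# original regexes adds nothing, since two addresses never follow each other
# without a separator.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-302013: "
    r"Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection (?P<connid>\d+) "
)
OUTSIDE = re.compile(r"Outside:\s?(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")
INSIDE = re.compile(r"Inside:\s?(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")
EXCLUDED = {"8.8.8.8", "8.8.4.4"}  # assumption: the resolvers the NOT clause targets


def parse_built(line):
    """Return a dict for one %ASA-6-302013 'Built' line, or None if it is not one."""
    head = HEADER.match(line)
    out = OUTSIDE.search(line)
    ins = INSIDE.search(line)
    if not (head and out and ins):
        return None
    # The syslog timestamp carries no year; assume all events are from one year
    # (strptime fills in 1900) so that time deltas between events are meaningful.
    ts = datetime.strptime(" ".join(head["ts"].split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "direction": head["direction"],
        "proto": head["proto"],
        "connid": head["connid"],
        "destinationip2": out["ip"],  # field names as used in the thread
        "sourceip2": ins["ip"],
    }


def parse_all(lines):
    """Parse every 'Built' line and drop events touching an EXCLUDED address."""
    events = []
    for line in lines:
        ev = parse_built(line)
        if ev and not ({ev["destinationip2"], ev["sourceip2"]} & EXCLUDED):
            events.append(ev)
    return events


def built_by_destination(lines):
    """Equivalent of: ... | stats values(sourceip2) as sourceip2, count by destinationip2"""
    sources = defaultdict(set)
    counts = defaultdict(int)
    for ev in parse_all(lines):
        sources[ev["destinationip2"]].add(ev["sourceip2"])
        counts[ev["destinationip2"]] += 1
    return {dst: {"sourceip2": sorted(sources[dst]), "count": counts[dst]} for dst in sources}


def pair_directions(lines, maxspan=30):
    """The poster's follow-up idea: for each 'Built inbound' event, find 'Built outbound'
    events for the same Outside address within maxspan seconds (a time-bounded join on
    destinationip2). Returns (inbound connid, outbound connid, seconds apart) tuples."""
    events = parse_all(lines)
    inbound = [e for e in events if e["direction"] == "inbound"]
    outbound = [e for e in events if e["direction"] == "outbound"]
    pairs = []
    for i in inbound:
        for o in outbound:
            if o["destinationip2"] != i["destinationip2"]:
                continue
            delta = abs((o["ts"] - i["ts"]).total_seconds())
            if delta <= maxspan:
                pairs.append((i["connid"], o["connid"], delta))
    return pairs


if __name__ == "__main__":
    for dst, row in built_by_destination(SAMPLE_LINES).items():
        print(dst, row)
    print(pair_directions(SAMPLE_LINES))
```

Running it groups the two non-DNS flows to 126.27.180.187 under one destination with both Inside addresses, shows the lone 192.168.116.124 flow, and pairs the posted inbound connection 429365644 with the constructed outbound 429367000 (15 s apart) while finding no partner for it at a 10 s window; the plain join in the thread has no such window, which is what the poster was asking about.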