Best thing you can do is transform the sourcetype to subtypes. I have the logs coming in as sourcetype=ipam and then split up by the log type. I have also created a dashboard to show if a record has been changed, created, or deleted and by whom. This is displayed in our NOC so if there is an issue they can bring up this page to help troubleshoot.
Here is what I have recently created that will help get you started.
props.conf
[ipam]
TRANSFORMS-sourcetype = ipam_named, ipam_dhcpd, ipam_python, ipam_sshd, ipam_scheduled_ftp_backups, ipam_check_scheduled_backups, ipam_monitor, ipam_httpd, ipam_validate_dhcpd
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 20
pulldown_type = true
[ipam_httpd]
EXTRACT-DeletedRecord = (?i)Deleted\s+\S+\s+(?P<DeletedRecord>[^ ]+)
EXTRACT-DeletedType = (?i) Deleted (?P<DeletedType>[^ ]+)
EXTRACT-User = (?i)\[(?P<User>\S+)(?=\])
EXTRACT-CreatedType = (?i)Created\s+(?P<CreatedType>[^\s]+)
EXTRACT-CreatedRecord = (?i)Created\s+\S+\s+(?P<CreatedRecord>[^\s]+)
EXTRACT-ModifiedType = (?i)Modified\s+(?P<ModifiedType>[^\s]+)
EXTRACT-ModifiedRecord = (?i)Modified\s+\S+\s+(?P<ModifiedRecord>[^\s]+)
transforms.conf
[ipam_named]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+named\[)
FORMAT = sourcetype::ipam_named
[ipam_dhcpd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+dhcpd\[)
FORMAT = sourcetype::ipam_dhcpd
[ipam_python]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+python:)
FORMAT = sourcetype::ipam_python
[ipam_sshd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+sshd\[)
FORMAT = sourcetype::ipam_sshd
[ipam_scheduled_ftp_backups]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+scheduled_ftp_backups\[)
FORMAT = sourcetype::ipam_scheduled_ftp_backups
[ipam_check_scheduled_backups]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+check_scheduled_backups\[)
FORMAT = sourcetype::ipam_check_scheduled_backups
[ipam_monitor]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+monitor\[)
FORMAT = sourcetype::ipam_monitor
[ipam_httpd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+httpd:)
FORMAT = sourcetype::ipam_httpd
[ipam_validate_dhcpd]
DEST_KEY = MetaData:Sourcetype
REGEX = (\.\d+\s+validate_dhcpd\[)
FORMAT = sourcetype::ipam_validate_dhcpd
savedsearches.conf
[IPAM - Deleted Records Table]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
auto_summarize.timespan = 1m
dispatch.earliest_time = -24h
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = sourcetype=ipam_httpd DeletedType="*" DeletedRecord="*" | stats list(DeletedRecord) as DeletedRecord list(DeletedType) as DeletedType list(DnsView) as "Dns View" by User
I'm working on setting up an alert so that when a user who is not on the defined admin list tries to log in, a ticket will be generated.
Hope this helps,
Kyle
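To check that these regexes route and extract as intended before pushing them to an indexer, here is an added Python example (not part of Kyle's post) that replays the transforms.conf routing and the [ipam_httpd] props.conf extractions over a few constructed log lines and rebuilds the saved search's per-user table. The sample events and their timestamp layout are assumptions chosen to match the `\.\d+\s+<daemon>` shape the transforms expect.

```python
import re

# Constructed sample events in the shape the transforms.conf regexes expect
# (fractional-second timestamp, whitespace, daemon name); not real IPAM output.
SAMPLE_EVENTS = [
    "2024-01-09T10:00:00.123 httpd: [admin] Created record host1.example.com",
    "2024-01-09T10:01:00.456 httpd: [jdoe] Deleted A oldhost.example.com",
    "2024-01-09T10:02:00.789 httpd: [jdoe] Modified CNAME alias.example.com",
    "2024-01-09T10:03:00.001 dhcpd[1234]: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:ff",
    "2024-01-09T10:05:00.003 cron[99]: job finished",  # matches no transform, stays ipam
]
# Same order as TRANSFORMS-sourcetype; each pair rebuilds REGEX = (\.\d+\s+<name>[ or <name>:)
TRANSFORMS = [("named", r"\["), ("dhcpd", r"\["), ("python", ":"), ("sshd", r"\["),
              ("scheduled_ftp_backups", r"\["), ("check_scheduled_backups", r"\["),
              ("monitor", r"\["), ("httpd", ":"), ("validate_dhcpd", r"\[")]
# The EXTRACT-* regexes from the [ipam_httpd] props.conf stanza, verbatim
HTTPD_EXTRACTS = [
    r"(?i)Deleted\s+\S+\s+(?P<DeletedRecord>[^ ]+)",
    r"(?i) Deleted (?P<DeletedType>[^ ]+)",
    r"(?i)\[(?P<User>\S+)(?=\])",
    r"(?i)Created\s+(?P<CreatedType>[^\s]+)",
    r"(?i)Created\s+\S+\s+(?P<CreatedRecord>[^\s]+)",
    r"(?i)Modified\s+(?P<ModifiedType>[^\s]+)",
    r"(?i)Modified\s+\S+\s+(?P<ModifiedRecord>[^\s]+)",
]

def route_sourcetype(event, default="ipam"):
    """Apply the transforms in list order; a later match overwrites the sourcetype, as Splunk does."""
    sourcetype = default
    for name, terminator in TRANSFORMS:
        if re.search(r"(\.\d+\s+" + name + terminator + ")", event):
            sourcetype = "ipam_" + name  # FORMAT = sourcetype::ipam_<name>
    return sourcetype

def extract_fields(event):
    fields = {}  # run every [ipam_httpd] EXTRACT regex and keep the named groups that matched
    for pattern in HTTPD_EXTRACTS:
        match = re.search(pattern, event)
        if match:
            fields.update(match.groupdict())
    return fields

def deleted_records_by_user(events):
    """Offline equivalent of the saved search: DeletedType and DeletedRecord grouped by User."""
    table = {}
    for event in events:
        fields = extract_fields(event) if route_sourcetype(event) == "ipam_httpd" else {}
        if "DeletedRecord" in fields and "DeletedType" in fields:
            table.setdefault(fields.get("User"), []).append((fields["DeletedType"], fields["DeletedRecord"]))
    return table
```

Running `deleted_records_by_user(SAMPLE_EVENTS)` on the constructed lines yields only jdoe's deletion, which is what the "IPAM - Deleted Records Table" search would list for that input.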