Hey all,
I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.
transforms.conf:
[fields_for_scap]
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?)?Result\n\t(.\*)
FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5
Previously attempted regexes:
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)\n(?:Ident\n\t(.\*)\n)?(?:Ident\n\t(.\*)\n)?Result\n\t(.\*)
REGEX = Title\n\t(.\*)\nRule\n\t(.\*)(?:\nIdent\n\t)?(.\*|)(?:\nIdent\n\t)?(.\*|)\nResult\n\t(.\*)
props.conf:
[scap]
SHOULD_LINEMERGE=false
LINE_BREAKER = (\n\n)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORT-fields_for_scap = fields_for_scap
Example events:
Title
Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
Rule
kernel_disable_entropy_contribution_for_solid_state_drives
Result
pass
Title
Ensure /tmp Located On Separate Partition
Rule
partition_for_tmp
Ident
CCE-26435-8
Ident
DISA FSO RHEL-06-000001
Result
pass
Edit:
For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.
... View more