Hello all,
I'm having an issue with my environment while trying to index a set of logs I get from a file nightly and attempt to process them. What is happening is that Splunk is not finding the timestamp and is setting it to either the file modification time or the index time. I do not have this issue with the other logs sent from this same server (a syslog server sending many logs). At the bottom are 3 log lines as an example.
I'm trying to extract the epoch timestamp from the start of the line: AV - Alert - "**1504324797**" -->. I'm not seeing any "failed to parse timestamp" errors, so I'm confused as to why this is being bypassed and the timestamp set to the file mod time or index time.
The inputs.conf stanza:
[monitor:///apps/alienvault/ossec-alerts-*.log]
whitelist=ossec-alerts
index = test
sourcetype = alienv
disabled = 0
props.conf (I've commented out the field extractions to make sure they aren't the issue):
[alienv]
TIME_PREFIX = ^\w+\W+\w+\W+
TIME_FORMAT = %s
TZ = UTC
#REPORT-alienv = av-syslog-hdr, av-syslog-user, av-syslog-srcip, av-syslog-location1, av-syslog-location2, av-syslog-message
#REPORT-alienv-loc = av-syslog-location1, av-syslog-location2
#FIELDALIAS-signature = action as signature
#FIELDALIAS-src = src_ip as src
#TRANSFORMS-sev = av-syslog-sev
#TRANSFORMS-suppressions = av-win-suppress-detail
For TIME_PREFIX I've also tried: AV - Alert - " , \-\s\" , no time prefix, and others. TIME_FORMAT = %s is the 10-digit epoch format.
I have a distributed environment, so I've placed the props.conf/transforms.conf on the indexers and search heads for search-time field extractions. The indexers and search heads are version 6.5; the server I'm forwarding from uses a universal forwarder version 6.4.1.
Log line examples:
AV - Alert - "1504324797" --> RID: "700008"; RL: "2"; RG: "windows,authentication_success,"; RC: "A Kerberos service ticket was requested: Success."; USER: "user@server.com"; SRCIP: "None"; HOSTNAME: "(Host-xxx-xxx-xxx-xxx) xxx-xxx-xxx-xxx->WinEvtLog"; LOCATION: "(Host-xxx-xxx-xxx-xxx) xxx-xxx-xxx-xxx->WinEvtLog"; EVENT: "[INIT]2017 Sep 02 00:00:02 WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: user@server.com: server.domain: server.domain: A Kerberos service ticket was requested. Account Information: Account Name: user@server.com Account Domain: server.domain Logon GUID: {5DDE4BE2-4A37-D51B-77F1-CDFE96B24E23} Service Information: Service Name: krbtgt Service ID: S-1-5-21-2277870611-162051517-1830794436-502 Network Information: Client Address: xxx.xxx.xxx.xxx Client Port: 65168 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. [END]";
AV - Alert - "1504324797" --> RID: "700008"; RL: "2"; RG: "windows,authentication_success,"; RC: "A Kerberos service ticket was requested: Success."; USER: "user@server.com"; SRCIP: "None"; HOSTNAME: "(Host-xxx-xxx-xxx-xxx) xxx-xxx-xxx-xxx->WinEvtLog"; LOCATION: "(Host-xxx-xxx-xxx-xxx) xxx-xxx-xxx-xxx->WinEvtLog"; EVENT: "[INIT]2017 Sep 02 00:00:02 WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: user@server.com: server.domain: server.domain: A Kerberos service ticket was requested. Account Information: Account Name: user@server.com Account Domain: server.domain Logon GUID: {5DDE4BE2-4A37-D51B-77F1-CDFxxxxxxxxx} Service Information: Service Name: service$ Service ID: S-1-5-21-2277870611-162051517-1830794436-1296 Network Information: Client Address: xxx.xxx.xxx.xxx Client Port: 65170 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. [END]";
AV - Alert - "1504324797" --> RID: "700008"; RL: "2"; RG: "windows,authentication_success,"; RC: "A Kerberos service ticket was requested: Success."; USER: "user@server.com"; SRCIP: "None"; HOSTNAME: "(Host-xxx-xxx-xxx-xxx) xxx-xxx-xxx-xxx->WinEvtLog"; LOCATION: "(Host-xxx-xxx-xxx-xxx) xxx-xxx-xxx-xxx->WinEvtLog"; EVENT: "[INIT]2017 Sep 02 00:00:02 WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: user@server.com: server.domain: server.domain: A Kerberos service ticket was requested. Account Information: Account Name: user@server.com Account Domain: server.domain Logon GUID: {5DDE4BE2-4A37-D51B-77F1-CDFxxxxxxxxx} Service Information: Service Name: service$ Service ID: S-1-5-21-2277870611-162051517-183079xxxx-xxxx Network Information: Client Address: xxx.xxx.xxx.xxx Client Port: 65169 Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. [END]";
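Added check, not part of the original post: a small Python script that runs the three TIME_PREFIX candidates listed above over the posted log line and emulates what TIME_FORMAT = %s would pick up after each prefix. It does not reproduce Splunk's parser; it only applies the same regexes with Python's re (an assumption that the matching semantics agree for these simple patterns) and looks for a 10-digit epoch within the default MAX_TIMESTAMP_LOOKAHEAD of 128 characters. The sample line is the start of the first posted event, truncated; the second "with_header" line is a constructed hypothetical, prefixed with a syslog-style header, to show which candidate prefixes survive when something precedes "AV - Alert".

```python
import re
from datetime import datetime, timezone

# Constructed samples (assumption): the first is the start of the posted line,
# truncated after SRCIP; the second is a hypothetical copy with a syslog
# header in front of it, to exercise the '^'-anchored prefix.
SAMPLE_LINES = {
    "posted": 'AV - Alert - "1504324797" --> RID: "700008"; RL: "2"; '
              'RG: "windows,authentication_success,"; '
              'RC: "A Kerberos service ticket was requested: Success."; '
              'USER: "user@server.com"; SRCIP: "None";',
    "with_header": '<13>Sep  2 00:00:02 avhost AV - Alert - "1504324797" --> '
                   'RID: "700008"; RL: "2";',
}

# The TIME_PREFIX values tried in the post, as Python raw strings.
CANDIDATE_PREFIXES = {
    "posted": r'^\w+\W+\w+\W+',
    "literal": r'AV - Alert - "',
    "dash_quote": r'\-\s\"',
}

EPOCH_RE = re.compile(r'\d{10}')   # stand-in for strptime's %s (10-digit epoch)
MAX_TIMESTAMP_LOOKAHEAD = 128      # Splunk's default for this props.conf setting


def prefix_end(line, prefix):
    """Index just after the first TIME_PREFIX match, or None if it never matches.
    TIME_PREFIX is an unanchored regex; a leading '^' pins it to line start."""
    m = re.search(prefix, line)
    return m.end() if m else None


def extract_epoch(line, prefix, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Emulate TIME_PREFIX + TIME_FORMAT=%s: find a 10-digit epoch within
    `lookahead` characters after the prefix match.
    Returns (epoch_seconds, aware UTC datetime) or None."""
    end = prefix_end(line, prefix)
    if end is None:
        return None
    m = EPOCH_RE.search(line, end, end + lookahead)
    if not m:
        return None
    epoch = int(m.group())
    return epoch, datetime.fromtimestamp(epoch, tz=timezone.utc)


def check_all(line):
    """Run every candidate prefix over one line; map name -> ISO-8601 UTC time or None."""
    result = {}
    for name, prefix in CANDIDATE_PREFIXES.items():
        hit = extract_epoch(line, prefix)
        result[name] = hit[1].isoformat() if hit else None
    return result


if __name__ == "__main__":
    for label, line in SAMPLE_LINES.items():
        print(label)
        for name, ts in check_all(line).items():
            print(f"  {name:11s} -> {ts}")
```

On the posted line all three prefixes end at the same offset and yield 2017-09-02T03:59:57+00:00, so the regexes themselves are not what is skipping the epoch; on the constructed header line only the two unanchored prefixes still match. Two things worth keeping in mind when testing changes like these: TIME_PREFIX, TIME_FORMAT and TZ are index-time parsing settings, so they take effect where the data is parsed (the indexers here, since a universal forwarder does not parse), and they only apply to events indexed after the change, never to events already on disk.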