
Stats table manipulation

I created the following search to audit the changes made to our network infrastructure:

```
(index=ise Protocol=Tacacs MESSAGE_CODE=5202) OR (index=acs process="Tacacs-Accounting" MESSAGE_CODE=3300)
| rex field=CmdSet mode=sed "s/^\[(?: )?|CmdAV= ?\]?|CmdArgAV=(?:)?|(?:)?\s\]//g"
| where CmdSet!=""
| lookup dnslookup clientip AS Address OUTPUT clienthost AS Device
| eval Device=(if(isnull(Device),Address,Device)), Time=strftime(_time,"%H:%M:%S")
| eval Date=strftime(_time, "%m")."-".date_mday."-".date_year
| stats list(CmdSet) AS Command, list(Time) AS Time BY Date,User,Device
```

Here's some sample output:

```
Date        User   Device         Command                                     Time
09-14-2017  admin  access-switch  switchport access vlan 600                  13:13:32
                                  interface GigabitEthernet 1/0/26            13:13:25
                                  no shutdown                                 13:13:57
                                  shutdown                                    13:13:56
09-14-2017  admin  core-router    transfer upload start                       17:36:08
                                  transfer upload password                    17:36:08
                                  transfer upload username transfer           17:36:08
                                  transfer upload filename core-router-confg  17:36:07
                                  transfer upload serverip 10.10.10.1         17:36:07
                                  transfer upload datatype config             17:36:07
                                  transfer upload port 21                     17:36:06
                                  transfer upload mode ftp                    17:36:06
```

There are a couple of issues I'm really struggling with:

1. I would like to eliminate rows *after* the stats command where the Command starts with 'transfer upload' or any number of other command snippets. I have spent the day trying various techniques like `|where` but I can't seem to figure out how to eliminate these rows. I realize I can do this with a regex before the stats, but I'm trying to learn some more advanced techniques.
2. I can't figure out how to sort the rows by Time. When I use the `sort` command, I lose all of the grouping and it becomes table output. Is there a way to sort the Commands in the stats output based on the Time column (also preserving the value in the Time column)?
3. There are some rows where the list() limit of 100 is a factor. Is there a better way to construct this search to work around that limit (as opposed to increasing the limit)? I tried using values(), but I seem to lose the relationship between the Command and Time fields.

Really struggling here, thanks.
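One way to filter and order the multivalue results after `stats` while keeping each Command paired with its Time, added here as an illustration and not part of the original question or any answer to it. The first seven lines are the poster's search; the post-stats lines are the added part. It assumes the TACACS command strings never contain a `|` character (used below as the zip delimiter), and `write memory` is a made-up second prefix standing in for the "other command snippets" the poster mentions:

```spl
(index=ise Protocol=Tacacs MESSAGE_CODE=5202) OR (index=acs process="Tacacs-Accounting" MESSAGE_CODE=3300)
| rex field=CmdSet mode=sed "s/^\[(?: )?|CmdAV= ?\]?|CmdArgAV=(?:)?|(?:)?\s\]//g"
| where CmdSet!=""
| lookup dnslookup clientip AS Address OUTPUT clienthost AS Device
| eval Device=if(isnull(Device),Address,Device), Time=strftime(_time,"%H:%M:%S")
| eval Date=strftime(_time, "%m")."-".date_mday."-".date_year
| stats list(CmdSet) AS Command, list(Time) AS Time BY Date,User,Device
| eval pair=mvzip(Time, Command, "|")
| eval pair=mvfilter(NOT match(pair, "^[^|]*\|(transfer upload|write memory)"))
| where isnotnull(pair)
| eval pair=mvsort(pair)
| fields - Command, Time
| mvexpand pair
| rex field=pair "^(?<Time>[^|]+)\|(?<Command>.*)$"
| stats list(Command) AS Command, list(Time) AS Time BY Date,User,Device
| fields Date, User, Device, Command, Time
```

`mvzip` joins the n-th Time with the n-th Command into one value such as `17:36:08|transfer upload start`, so a single `mvfilter` can drop entries by command prefix without losing the pairing; the regex skips past the time portion before matching the prefix. `where isnotnull(pair)` removes groups whose commands were all filtered out (the core-router row in the sample output). Because the zipped values start with a zero-padded `HH:MM:SS`, `mvsort` orders them by time. `mvexpand` plus `rex` then splits the pairs back into single-value fields, and the second `stats list()` regroups them in the sorted order, since `list()` keeps the order in which values arrive. That same property means a lighter alternative for ordering alone is `| sort 0 _time` placed before the first `stats`. Note that the second `list()` is subject to the same 100-value cap as the first, so this does not address the third question; only filtering before `stats` (or raising the limit) reduces how many values a group has to hold.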
