I was working on building a dashboard showing users who failed logons to the Palo Alto. That's when I noticed the authentication events do NOT parse user information out of the log.
event-id="auth-fail"
1,2016/04/12 15:06:52,001701005661,SYSTEM,general,0,2016/04/12 15:06:52,,auth-fail,Admin_Radius_Profile,0,0,general,medium,"failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.",2194485,0x0,0,0,0,0,,pafw
event-id="auth-success"
1,2016/04/12 15:07:14,001701005661,SYSTEM,general,0,2016/04/12 15:07:14,,auth-success,LDAP_Auth_Profile,0,0,general,informational,"authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.",2194487,0x0,0,0,0,0,,pafw
For both of these events, there is a description field that is parsed out:
Description: failed authentication for user 'DOMAIN\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.
Description: authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.
But the username does not show up in a separate field. Furthermore, the source IP (the IP after From:) is not parsed out either.
So I built search extractions that work very well:
sourcetype="pan:system" event_id="auth-fail" | rex field=description "failed authentication for user \'(?<user>[^']+)" | rex field=description "Reason: (?<Reason>[^,]+)" | rex field=description "From: (?<src1>[^,]+)" | eval src=rtrim(src1, ".") | table _time, event_id, user, src, Reason
sourcetype="pan:system" event_id="auth-success" | rex field=description "authenticated for user \'(?<user>[^']+)" | rex field=description "From: (?<src1>[^,]+)" | eval src=rtrim(src1, ".") | table _time, user, src
But I want these to automatically happen. These logs are currently going straight to the indexer (legacy issue). So I created /etc/apps/Splunk_TA_paloalto/local/props.conf and put the following syntax:
[pan:system]
EXTRACT-user = authenticated for user \'(?<user>[^']+)
EXTRACT-src1 = From: (?<src1>[^,]+)
EVAL-src = rtrim(src1, ".")
EXTRACT-user = failed authentication for user \'(?<user>[^']+)
EXTRACT-Reason = Reason: (?<Reason>[^,]+)
I did this on both the indexer and the Search Head.
I restarted both instances of Splunk.
But now the parsing for failed authentication only pulls the Reason, but does not pull the user or the src. And the parsing for authenticated user does not pull the user.
Any suggestions?
Thanks.
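Before wiring these into props.conf it helps to prove the description regexes outside Splunk, especially since an EXTRACT- regex in props.conf is matched against _raw unless it is written as "<regex> in description". Below is an added example (not from the original post): a Python re-implementation of the post's rex extractions run over the two sample lines, where the CSV column positions and the function names are my assumptions.

```python
import csv
import io
import re

# Constructed sample input: the two pan:system events quoted in the post
# (placeholder IPs and names as given there; backslash escaped for Python).
SAMPLE_LOGS = """\
1,2016/04/12 15:06:52,001701005661,SYSTEM,general,0,2016/04/12 15:06:52,,auth-fail,Admin_Radius_Profile,0,0,general,medium,"failed authentication for user 'DOMAIN\\testing'. Reason: Invalid username/password auth profile 'Admin_Radius_Profile', vsys 'shared', server profile 'Admin_Radius', server address '1.1.2.4', From: 1.1.1.1.",2194485,0x0,0,0,0,0,,pafw
1,2016/04/12 15:07:14,001701005661,SYSTEM,general,0,2016/04/12 15:07:14,,auth-success,LDAP_Auth_Profile,0,0,general,informational,"authenticated for user 'validuser'. auth profile 'LDAP_Auth_Profile', vsys 'shared', server profile 'DOMAIN profile', server address 'DOMAINCONTROLLER', From: 1.1.1.1.",2194487,0x0,0,0,0,0,,pafw
"""

# Same patterns as the post's rex commands, with one user regex covering both
# the "failed authentication for user" and "authenticated for user" wording.
USER_RE = re.compile(r"(?:failed authentication|authenticated) for user '(?P<user>[^']+)'")
REASON_RE = re.compile(r"Reason: (?P<reason>[^,]+)")
SRC_RE = re.compile(r"From: (?P<src>[^,]+)")


def parse_auth_event(line):
    """Return user/src/reason for one auth-fail or auth-success record, else None."""
    row = next(csv.reader(io.StringIO(line)))
    # Column positions assumed from the sample lines: event_id is the 9th
    # field, description the 15th (quoted, so it may itself contain commas).
    event_id, description = row[8], row[14]
    if event_id not in ("auth-fail", "auth-success"):
        return None
    user = USER_RE.search(description)
    src = SRC_RE.search(description)
    reason = REASON_RE.search(description)
    return {
        "event_id": event_id,
        "user": user.group("user") if user else None,
        # "From: 1.1.1.1." ends with a full stop, hence the rtrim in the post.
        "src": src.group("src").rstrip(".") if src else None,
        "reason": reason.group("reason") if reason else None,
    }

def parse_auth_events(text):
    """Parse every non-empty line, keeping only authentication events."""
    parsed = (parse_auth_event(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e]

def failed_logons_by_user(events):
    """Count auth-fail events per user, the figure the dashboard needs."""
    counts = {}
    for e in events:
        if e["event_id"] == "auth-fail" and e["user"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts
```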