Hello All, been banging the head against the desk for awhile on this one; tried join, transaction, and a few other things.
We have fw logs that record the ip address (dhcp) of the users, but no other information about the user. We have bro dhcp logs that record the user's ip address and mac address. I need to be able to "join" these searches to show what user (by MAC address). At a high level:
log 1: fw data (_time, dest_ip, etc.)
log 2: dhcp data (epoch time earliest seen, dhcp_ip, mac)
In this example, log 1 contains variable A (dest_ip), log 2 contains variable A (ip) and B(mac). Thus, I need to "join" log 1 and log 2 by the common value (not common field name!) of A. The actual field names are:
log 1: dest_ip
log 2: bro_dhcp_ip, bro_dhcp_mac
The part that makes this tough is the time factor. In the firewall logs, the time is the _time field which I can convert easily to epoch time by eval t=_time. In the dhcp logs there is also a epoch time field (dhcp_time) which basically stamped on every event. So, I need to not only join logs 1 and 2, but I also need to find out how the time correlates so I know which MAC had the dhcp_ip at the time of the fw entry. I'm using a lookup to get the username from the mac.
This fails miserably lol and I can't quite find out where.... I left the time part out in this example because not sure how to include it. I'm using fields to cut down on search time/data.
sourcetype=firewall | fields _time, transport, src_ip, src_port, src_interface, direction, dest_interface, dest_ip, dest_translated_ip, dest_port, action | eval t=_time | join type=inner rename dest_ip AS bro_dhcp_ip [search sourceype=bro_dhcp | where (the fw time matches the LAST bro time the most closely??) | fields earliest_time, bro_dhcp_uid, bro_dhcp_mac, bro_dhcp_ip, lease_time] | lookup mac_lookup.csv mac_addr1 AS bro_dhcp_mac OUTPUT mac_addr1 AS user_mac | search user_mac="*" | table t, bro_dhcp_ip, user_mac
Any help would be greatly appreciated!
↧