{"id":75,"date":"2009-07-30T22:12:46","date_gmt":"2009-07-31T04:12:46","guid":{"rendered":"http:\/\/www.anthonyreinke.com\/?p=75"},"modified":"2009-07-30T22:12:46","modified_gmt":"2009-07-31T04:12:46","slug":"regex-with-splunk-for-ossec","status":"publish","type":"post","link":"https:\/\/anthonyreinke.com\/index.php\/2009\/07\/30\/regex-with-splunk-for-ossec\/","title":{"rendered":"RegEx with Splunk for OSSEC"},"content":{"rendered":"

Thanks to Michael Wilde<\/a><\/strong> for the information on RegEx in Splunk.\u00a0 For those like me who aren’t the best at RegEx, I will show some of the regular expressions I am using for OSSEC.<\/p>\n

Server Name
\n(?i) Location:s((?P<FIELDNAME>.*?))s<\/p>\n

Windows Event User
\n(?i) USER: (?P<FIELDNAME>[^:]*);<\/p>\n

Server IP
\n(?i)^[^)]*)s+(?P<FIELDNAME>[^-]*)-<\/p>\n

Windows Events
\n(?i)^[^-]*-s+(?P<FIELDNAME>[^.]*).<\/p>\n

LogInUser
\n(?i) Name: (?P<FIELDNAME>w+)<\/p>\n

LogInDomain
\n(?i) Domain: (?P<FIELDNAME>[^ ]*)[ ]<\/p>\n

******************************************************<\/p>\n

Now, to add them…<\/p>\n

Open your browser and login in to your Splunk server.\u00a0 In the Search application, type sourcetype=”ossec”
\n\"Type<\/p>\n

or click on “ossec” in the Sourcetypes<\/p>\n

\"Click<\/p>\n

You should see a bunch of data from the OSSEC server.\u00a0 On the left of the main frame of the webpage, there should be a grey down arrow.\u00a0 Clicking on this I get two options.\u00a0 You want to select\u00a0 Extract Fields.
\n\"Click<\/p>\n

Here is where it gets fun.\u00a0 Splunk included a graphical RegEx builder based on examples.\u00a0 I ended up playing with this for a while.\u00a0 Once you have found the expression you like, click on the Save button.
\n\"Click<\/p>\n

Name your RegEx and click Save.
\n\"Save<\/p>\n

Restart your Splunk server.
\nOnce restarted, on the main search page, on the left sidebar click on Pick fields.
\n\"AddField\"<\/p>\n

Here you can select the fields that will be displayed on the search page.
\n\"SelectFields\"<\/p>\n

When you get back to the search page, you will notice the new fields.
\n\"Showing\"<\/p>\n","protected":false},"excerpt":{"rendered":"

Thanks to Michael Wilde for the information on RegEx in Splunk.\u00a0 For those like me who aren’t the best at RegEx, I will show some of the regular expressions I am using for OSSEC. Server Name (?i) Location:s((?P<FIELDNAME>.*?))s Windows Event User (?i) USER: (?P<FIELDNAME>[^:]*); Server IP (?i)^[^)]*)s+(?P<FIELDNAME>[^-]*)- Windows Events (?i)^[^-]*-s+(?P<FIELDNAME>[^.]*). LogInUser (?i) Name: (?P<FIELDNAME>w+) LogInDomain […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-75","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/75","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/comments?post=75"}],"version-history":[{"count":0,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/75\/revisions"}],"wp:attachment":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/media?parent=75"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/categories?post=75"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/tags?post=75"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}