Splunk® Enterprise Security

Data Source Integration Manual


FAQ

I edited the transforms from Splunk Web and now I have content in the local directory. How do I merge this with the default content?

You can merge content from the local directory by copying the stanzas from the file in the local directory into the corresponding file in the default directory. Where the same stanza exists in both files, keep the keys from both; where the same key exists in both, the value from the local file is the one currently in effect.

For example, say you want to merge the following:

The local transforms file (local/transforms.conf) includes:

   [bluecoat]
   SHOULD_LINEMERGE = false

   [product_static_Proxy]
   REGEX = (.)
   FORMAT = product::"Proxy"

The default transforms file (default/transforms.conf) includes:

   [bluecoat]
   REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat

The combined transforms file (in default/transforms.conf) would look like this:

   [bluecoat]
   SHOULD_LINEMERGE = false
   REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat

   [product_static_Proxy]
   REGEX = (.)
   FORMAT = product::"Proxy"

Once you have migrated all the stanzas, make sure to delete the files in the local directory.
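The stanza merge described above, done by a script instead of by hand. This is an added example, not Splunk's or any add-on's code: it parses both .conf files into stanzas, copies every local stanza into the default set, lets local key values override default ones (the same precedence Splunk applies at run time), and renders the result. The two input strings are the page's own local and default transforms.conf contents; comment lines and backslash continuation lines are not preserved.

```python
"""Merge a Splunk local/transforms.conf into default/transforms.conf (added example)."""
import re
from collections import OrderedDict

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KEY_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")

# Sample inputs: the local and default files from the FAQ above.
LOCAL_TRANSFORMS = """
[bluecoat]
SHOULD_LINEMERGE = false

[product_static_Proxy]
REGEX = (.)
FORMAT = product::"Proxy"
"""

DEFAULT_TRANSFORMS = """
[bluecoat]
REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, keeping file order."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are dropped
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), OrderedDict())
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas


def merge_conf(default_text, local_text):
    """Return default stanzas with local stanzas merged in; local keys win."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, OrderedDict()).update(keys)
    return merged


def render_conf(stanzas):
    """Serialize stanzas back to .conf text, one blank line between stanzas."""
    blocks = []
    for stanza, keys in stanzas.items():
        lines = ["[%s]" % stanza] + ["%s = %s" % kv for kv in keys.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_conf(merge_conf(DEFAULT_TRANSFORMS, LOCAL_TRANSFORMS)))
```

Run it once, paste the output over default/transforms.conf, diff against the original to confirm nothing was lost, and only then delete the local file.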

My source data is mostly tab-delimited, but the first three fields are space-delimited... these fields contain the date and time, the log host, and the log type. What should I do?

Put these fields into one field called log_header and ignore it. The fields are not necessary for the add-on to function.

My Nessus data appears to have incorrect time stamps. How do I fix this?

By default, infrequently indexed data such as Nessus scan results is indexed using the current time, so that it is automatically available to time-sensitive vulnerability tracking searches and is treated as more than raw historical data.

To index using the individual scan ending times instead, edit TA-Nessus/default/props.conf, comment out the "Index w/ current time" section, and uncomment the "Index w/ ReportHost StopTime" option (as follows):

  ## Index w/ current time
  # DATETIME_CONFIG = CURRENT
  ## vs. Index w/ ReportHost StopTime
  DATETIME_CONFIG =
  TIME_PREFIX = end_time="
  TIME_FORMAT = %a %b  %d %H:%M:%S %Y
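What the two settings do, reproduced in Python as an added example (not Splunk's code): with "Index w/ current time" the event's time is the index-time clock; with the TIME_PREFIX/TIME_FORMAT pair it is the scan's end_time. The event string is constructed, not real Nessus output; times are treated as UTC here, which is an assumption (Splunk applies the configured or detected timezone), and the fallback to index time when no timestamp is found is a simplification of Splunk's own fallback order.

```python
"""Timestamp selection for Nessus events, mirroring the props.conf options (added example)."""
import calendar
import re
from datetime import datetime

TIME_PREFIX = re.compile(r'end_time="')        # TIME_PREFIX from the page
TIME_FORMAT = "%a %b  %d %H:%M:%S %Y"            # TIME_FORMAT from the page

# Constructed sample event containing a ctime-style, space-padded day.
SAMPLE_EVENT = 'host="10.0.0.7" end_time="Mon Jun  3 12:00:00 2013" plugin_id="12345"'


def parse_end_time(event):
    """Return end_time as epoch seconds (UTC assumed), or None if absent/unparseable."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    # The value ends at the closing quote that follows the prefix.
    value = event[m.end():].split('"', 1)[0]
    try:
        dt = datetime.strptime(value, TIME_FORMAT)  # whitespace in the format matches runs of spaces
    except ValueError:
        return None
    return calendar.timegm(dt.timetuple())


def event_time(event, index_with_current_time, now):
    """Pick _time: the index-time clock, or the parsed end_time (falling back to now)."""
    if index_with_current_time:
        return now
    parsed = parse_end_time(event)
    return parsed if parsed is not None else now


if __name__ == "__main__":
    import time
    print("current time:", event_time(SAMPLE_EVENT, True, int(time.time())))
    print("end_time:    ", event_time(SAMPLE_EVENT, False, int(time.time())))
```

The double space in the TIME_FORMAT matters only for readability: both strptime and Splunk's timestamp parser accept a single-digit day padded with a space, as ctime prints it.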

If the Nessus data appears correctly in the Search bar but does not appear in Vulnerability Center, the data is too old to fall within the time range that the scheduled notable-event searches cover. Clone these three searches:

  • Network -- Vulnerability Scanner Detection (by event) -- Rule
  • Network -- Vulnerability Scanner Detection (by targets) -- Rule
  • Network -- Vulnerability Tracker -- Lookup Gen

and then manually run the clones a single time across the time period covering the newly imported Nessus scans.

Known Issues

Splunk fails to extract values spanning multiple lines

Splunk fails to automatically extract values when those values span multiple lines. The fields are extracted with the correct name but the value is left empty if the original value includes multiple lines.

To work around this issue, create a transform that extracts the entire field. Below is a transform that extracts the multi-line field "message" for the source type "acme_firewall":

In transforms.conf:

   [message_for_acme_firewall]
   REGEX = ,\s+message=\"(.*?)(\",\s+\S+\=)
   FORMAT = message::"$1"

Then, enable the transform in default/props.conf in the add-on folder:

   [acme_firewall]
   REPORT-0message_for_acme_firewall = message_for_acme_firewall

The REPORT- key name must not contain a space; it follows the same form as the REPORT-0auto_kv_for_bluecoat key in the merge example above.
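A way to check the REGEX above before deploying it, as an added example that is not part of the Splunk documentation or any add-on. It runs the page's pattern against a constructed acme_firewall-style event whose message spans two lines. One caveat a practitioner should know: in PCRE (which Splunk uses) as in Python's re module, "." does not match a newline unless the dotall flag is set, so the same pattern is run both ways; if the field still comes back empty after the transform is enabled, prefix the REGEX with (?s).

```python
"""Test a multi-line field-extraction regex against a sample event (added example)."""
import re

# The REGEX from the transforms.conf stanza on the page, verbatim.
MESSAGE_REGEX = r',\s+message=\"(.*?)(\",\s+\S+\=)'

# Constructed sample event; not real acme_firewall output.
SAMPLE_EVENT = (
    'time=2013-05-09T10:00:00, host=fw1, message="connection reset\n'
    'by peer after retry", action=blocked, src=10.0.0.5'
)


def extract_message(event, dotall):
    """Return the captured message value, or None when the pattern does not match.

    dotall=True lets "." cross newlines, which is what the transform needs
    for a multi-line value; dotall=False shows the failure mode.
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(MESSAGE_REGEX, event, flags)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("without dotall:", repr(extract_message(SAMPLE_EVENT, dotall=False)))
    print("with dotall:   ", repr(extract_message(SAMPLE_EVENT, dotall=True)))
```

The lazy `(.*?)` stops at the first `", <key>=` boundary, so a message that itself contains a quoted key=value pair will be cut short; verify the capture against a few real events before relying on it in searches.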
Last modified on 09 May, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
