Wednesday, May 22, 2013

Splunk: Creating eventtypes from csv to name VLANS

Everyone got the VLAN name lookup working from the last post? You did.. ? Really someone is listening?

Next lets use the information in the internal_networks.csv file to create event types and really change the way we search in splunk.

While researching this topic, I learned that you CAN NOT do subsearches in eventtypes.conf
I was hoping to do something like (dont try it it doesnt work)

 eventtypes.conf
[vlan:Guest] 
search src_ip=172.30.21.0/24 |lookup vlan network AS src_ip OUTPUT name AS Src_VLAN

 So I had to find an easy way to parse our csv. I love trying to do all my heavy lifting on one line in linux. So I challenged myself.. can it be done?

As a reminder here is our internal_networks.csv  I have cleaned it up to conform with the common information model the best I could.  No spaces in the names and no capital letters.

network,name
"192.168.1.0/24","corporate"
"192.168.2.0/24","voice"
"192.168.3.0/24","nosc_tac"
"192.168.4.0/24","servers"
"192.168.5.0/24","engineering"
"192.168.6.0/24","security"
"192.168.7.0/24","unassigned"
"192.168.8.0/24","it_engineering"
"192.168.9.0/24","human_resources"
"192.168.10.0/24","call_manager"
"192.168.11.0/24","wireless"
"192.168.12.0/24","executive_office"
"192.168.13.0/24","unassigned"
"192.168.14.0/24","voip"
"192.168.15.0/24","finance"
"192.168.16.0/24","marketing"
"192.168.17.0/24","pm_users"
"192.168.18.0/24","sales"
"192.168.19.0/24","consultants"
"192.168.20.0/24","procurement"
"192.168.21.0/24","guest"
"192.168.255.0/24","255"

..and with a single beautiful line you can create a new eventtypes.conf with our internal_networks.csv.

sudo awk -F"\""  'NR!=1{ print "[vlan:"$4"]" "\n", "search = src_ip="$2"\n"}' /opt/splunk/etc/apps/search/lookups/internal_networks.csv >> /opt/splunk/etc/system/local/eventtypes.conf
You might have to change permissions to write (append to /opt/splunk/etc/apps/default/local/eventtypes.conf)

and now look what we have..  well defined event types! Now you can stop guessing what 192.168.3.45 is.. It is the nosc_tac vlan!


Additionally you now have the ability to search via vlan name
eventtype=vlan:sales or even try eventtype=vlan:* | top eventtype

Remember: If your internal_networks.csv changes you will have to regenerate your eventtypes.conf with the magical awk line from above.

Comments?

Ross Warren
Cyber Security, CISSP, GCIH, GSEC 


Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)