##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[http_one_item_field]
# Splunk transforms.conf index-time extraction for a metrics JSON record whose
# "values" and "dsnames" arrays each hold exactly one element. The key names
# (values, dsnames, type, type_instance) match collectd write_http output —
# presumably that is the producer; verify against the input.
# Captures: $1 = values[0], $2 = dsnames[0], $3 = type, $4 = type_instance
# Each captured token may be quoted or bare ("?). type_instance must be
# non-empty here; empty ones are handled by the *_no_type_instance stanza.
# Both .* spans are greedy and unanchored, so a non-matching event is rescanned
# with backtracking; fine for short metric records, worth remembering if this
# sourcetype ever carries large events.
REGEX = "values":\s*\["?([^",]+)"?\].*dsnames":\s*\["?([^",]+)"?\].*,"type":"?([^"]*)"?,"type_instance":"?([^"]+)"?[,}]
# Field name <type>_<type_instance>_<dsname>, field value values[0].
# NOTE(review): the indexed field *name* is built from event content, so an
# untrusted sender can mint arbitrary indexed field names; keep ingest limited
# to trusted collectors, since indexed-field cardinality grows the tsidx files.
FORMAT = $3_$4_$2::$1
# Write the extraction as an indexed (index-time) field, not a search-time one.
WRITE_META = true

[http_one_item_field_no_type_instance]
# Same one-element metrics record as [http_one_item_field], but for records
# whose type_instance is empty ("" or nothing before the next , or }).
# Captures: $1 = values[0], $2 = dsnames[0], $3 = type
# Tokens may be quoted or bare ("?); the two .* spans are greedy and unanchored.
REGEX = "values":\s*\["?([^",]+)"?\].*dsnames":\s*\["?([^",]+)"?\].*,"type":"?([^"]*)"?,"type_instance":(?:"")?[,}]
# Field name <type>_<dsname>, field value values[0].
# NOTE(review): field names derive from event content (type, dsnames), so
# untrusted senders can create arbitrary indexed field names.
FORMAT = $3_$2::$1
# Index-time (indexed) field, not search-time.
WRITE_META = true

[http_two_item_fields]
# Index-time extraction for a metrics JSON record whose "values" and "dsnames"
# arrays each hold exactly two elements (a one- or three-element array does
# not match this stanza; see the sibling stanzas).
# Captures: $1 = values[0], $2 = values[1], $3 = dsnames[0], $4 = dsnames[1],
#           $5 = type, $6 = type_instance (must be non-empty)
# Tokens may be quoted or bare ("?); the two .* spans are greedy and unanchored.
REGEX = "values":\s*\["?([^",]+)"?,"?([^",]+)"?\].*dsnames":\s*\["?([^",]+)"?,"?([^",]+)"?\].*,"type":"?([^"]*)"?,"type_instance":"?([^"]+)"?[,}]
# One field per array position: <type>_<type_instance>_<dsname[i]>::values[i].
# NOTE(review): field names derive from event content, so untrusted senders
# can create arbitrary indexed field names; restrict ingest to trusted sources.
FORMAT = $5_$6_$3::$1 $5_$6_$4::$2
# Index-time (indexed) fields, not search-time.
WRITE_META = true

[http_two_item_fields_no_type_instance]
# Two-element variant of the metrics extraction for records whose
# type_instance is empty ("" or nothing before the next , or }).
# Captures: $1 = values[0], $2 = values[1], $3 = dsnames[0], $4 = dsnames[1],
#           $5 = type
# Tokens may be quoted or bare ("?); the two .* spans are greedy and unanchored.
REGEX = "values":\s*\["?([^",]+)"?,"?([^",]+)"?\].*dsnames":\s*\["?([^",]+)"?,"?([^",]+)"?\].*,"type":"?([^"]*)"?,"type_instance":(?:"")?[,}]
# One field per array position: <type>_<dsname[i]>::values[i].
# NOTE(review): field names derive from event content (type, dsnames).
FORMAT = $5_$3::$1 $5_$4::$2
# Index-time (indexed) fields, not search-time.
WRITE_META = true

[http_three_item_fields]
# Index-time extraction for a metrics JSON record whose "values" and "dsnames"
# arrays each hold exactly three elements.
# Captures: $1 = values[0], $2 = values[1], $3 = values[2],
#           $4 = dsnames[0], $5 = dsnames[1], $6 = dsnames[2],
#           $7 = type, $8 = type_instance (must be non-empty)
# Tokens may be quoted or bare ("?); the two .* spans are greedy and unanchored.
REGEX = "values":\s*\["?([^",]+)"?,"?([^",]+)"?,"?([^",]+)"?\].*dsnames":\s*\["?([^",]+)"?,"?([^",]+)"?,"?([^",]+)"?\].*,"type":"?([^"]*)"?,"type_instance":"?([^"]+)"?[,}]
# One field per array position: <type>_<type_instance>_<dsname[i]>::values[i].
# NOTE(review): field names derive from event content, so untrusted senders
# can create arbitrary indexed field names; restrict ingest to trusted sources.
FORMAT = $7_$8_$4::$1 $7_$8_$5::$2 $7_$8_$6::$3
# Index-time (indexed) fields, not search-time.
WRITE_META = true

[http_three_item_fields_no_type_instance]
# Three-element variant of the metrics extraction for records whose
# type_instance is empty ("" or nothing before the next , or }).
# Captures: $1 = values[0], $2 = values[1], $3 = values[2],
#           $4 = dsnames[0], $5 = dsnames[1], $6 = dsnames[2], $7 = type
# Tokens may be quoted or bare ("?); the two .* spans are greedy and unanchored.
REGEX = "values":\s*\["?([^",]+)"?,"?([^",]+)"?,"?([^",]+)"?\].*dsnames":\s*\["?([^",]+)"?,"?([^",]+)"?,"?([^",]+)"?\].*,"type":"?([^"]*)"?,"type_instance":(?:"")?[,}]
# One field per array position: <type>_<dsname[i]>::values[i].
# NOTE(review): field names derive from event content (type, dsnames).
FORMAT = $7_$4::$1 $7_$5::$2 $7_$6::$3
# Index-time (indexed) fields, not search-time.
WRITE_META = true

# Optional sourcetype rewrite for auditd records that arrive through a syslog
# server with sourcetype "syslog". Uncomment the stanza below to enable it; it
# also has to be referenced from the matching props.conf TRANSFORMS- setting
# (not shown in this file).
# When enabled, any syslog event containing "type=<x> msg=audit" is reassigned
# to sourcetype linux:audit at index time, so the [event_id]/[op]/[subject]/
# [object]/[res] extractions below can apply to it.

#[linux_syslog_audit]
#DEST_KEY = MetaData:Sourcetype
#REGEX = type=\S+\s+msg=audit
#FORMAT = sourcetype::linux:audit

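[event_id]
# Splits the audit message id "msg=audit(<timestamp>:<serial>):" into two fields.
# $1 = timestamp (everything up to the first ':'), $2 = event serial.
# The serial capture is bounded by [^)] so it stops at the first "):"; the
# previous greedy (.+) ran to the LAST "):" anywhere later in the event, which
# would swallow the rest of the line whenever a later field contained "):".
REGEX = msg=audit\(([^:]+):([^)]+)\):
FORMAT = time_stamp::$1 event_id::$2
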
[op]
# Audit "op=<operation>" field. $1 runs up to the whitespace that precedes the
# next key=value pair, so an operation containing spaces is kept whole.
# NOTE(review): the regex requires a following key=value pair; when op= is the
# last field on the line nothing is extracted.
REGEX = op=([^=]+)\s+[^\s]+=
FORMAT = op::$1

[subject]
# SELinux security context of the audit subject, "subj=user:role:domain:level".
# $1 = user, $2 = role, $3 = domain (type of a process), $4 = sensitivity/level.
# $4 is [^\s]+ rather than [^:]+ so a level that itself contains colons
# (an MLS/MCS range, e.g. s0-s0:c0.c1023) is captured whole.
# Records with a non-context value such as "subj=unconfined" do not match.
REGEX = subj=([^:]+):([^:]+):([^:]+):([^\s]+)
FORMAT = subj_context_user::$1 subj_context_role::$2 subj_context_domain::$3 subj_context_sensitivity::$4

[object]
# SELinux security context of the audit object, "obj=user:role:type:level".
# $1 = user, $2 = role, $3 = type, $4 = sensitivity/level.
# $4 is [^\s]+ rather than [^:]+ so a level containing colons (an MLS/MCS
# range) is captured whole. Same shape as [subject]; only the field names differ.
REGEX = obj=([^:]+):([^:]+):([^:]+):([^\s]+)
FORMAT = obj_context_user::$1 obj_context_role::$2 obj_context_type::$3 obj_context_sensitivity::$4

[res]
# Audit result flag: the word form (success/failed) or the numeric form (1/0).
# The alternatives start with different characters, so their order is
# irrelevant; no boundary follows the capture, so a longer token that begins
# with one of these words still yields the listed value.
REGEX = res=(success|failed|1|0)
FORMAT = res::$1