Showing posts with label Splunk. Show all posts
Showing posts with label Splunk. Show all posts
2014-03-13
Tiny Core Linux Splunk
SPLUNK_HOME=/opt/splunk
export SPLUNK_HOME
gzip -dc splunk-6.0.1-189883-Linux-x86_64.tgz | tar xfv - -C /opt
cd /opt/splunk
mv var var.bak
mkdir var
sudo mount -t ext4 <dev> var
mv var.bak/* var
bin/splunk start
err* OR crit* OR emer* OR fau* OR fail* OR cpu OR mem* OR limit* | rex mode=sed "s/No matching connection for ICMP error message: icmp src outside:\d+\.\d+\.\d+\.\d+ dst identity:(\d+\.\d+\.\d+\.\d+) \(type \d+, code \d+\) on outside interface\.\s+Original IP payload: .*/No matching connection for ICMP error message: icmp src outside:?.?.?.? dst identity:\1 (type ?, code ?) on outside interface. Original IP payload: .../" | rex mode=sed "s/ detected \d+ output discard/ detected ? output discard/" | rex mode=sed "s/4294\d{3}%/4,???,???%/" | rex mode=sed "s/\s\(\d+-\d+-\d+ \d\d:\d\d:\d\d\)//" | rex field=_raw "^(?<TIME>\d+-\d+-\d+T\d+:\d+:\d+)\.\d+\+\d+:\d+\s+(?<LogHost>\d+\.\d+\.\d+\.\d+)\s+" | rex field=_raw "\s(?<LOG>(?:%|\[\w*\]).*)" | fillnull value="n/a" LOG | stats count, sparkline(count, 2h) as Trend, max(TIME) AS LastTime, max(_time) AS s by host, LOG | sort -s | fields LastTime, host, LOG, count, Trend
xxx NOT icmp| rex field=_raw "\s(?<Protocol>[\w]+)\ssrc\s+[^ ]+:(?<FromHost>[0-9.]+)(?:/?[0-9]*) dst\s+[^ ]+:(?<ToHost>[0-9./]+) " | fillnull value="n/a" | stats count, sparkline(count) as Trend by FromHost, ToHost, Protocol
\[(?P<Thread>[0-9][0-9])\]\s+<(?P<Time>[0-9][0-9]:[0-9][0-9])\s+(?P<Service>\w+)>\s+(?P<Action>[a-z:]+): Next (?P<RecordFrom>[0-9]+) - (?P<RecordTo>[0-9]+) \(Head (?P<RecordHead>[0-9]+)\)
\s(?P<Type>\w+)\s+(?P<SourceIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.(?P<SourcePort>[0-9]{0,5})\s+>\s+(?P<DestIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.(?P<DestPort>[0-9]{0,5}):\s+(?P<Flag>.{1,2})\s+(?P<SeqNoLast>[0-9]+):(?P<SeqNo>[0-9]+)\((?P<byte>[0-9]+)\)\s+ack\s+(?P<SeqNoAck>[0-9]+)\s+win\s+(?P<Window>[0-9]+)
\s(?P<Type>\w+)\s+(?P<SourceIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.(?P<SourcePort>[0-9]{0,5})\s+>\s+(?P<DestIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.(?P<DestPort>[0-9]{0,5}):\s+(?P<Flag>.{1,2})\s+ack\s+(?P<SeqNoAck>[0-9]+)\s+win\s+(?P<Window>[0-9]+)
\s(?P<Type>\w+)\s+(?P<SourceIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.(?P<SourcePort>[0-9]{0,5})\s+>\s+(?P<DestIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\.(?P<DestPort>[0-9]{0,5}):\s+(?P<Flag>.{1,2})\s+(?P<SeqNoLast>[0-9]+):(?P<SeqNo>[0-9]+)\((?P<byte>[0-9]+)\)\s+win\s+(?P<Window>[0-9]+)
TCP Sequence Randomization
| timechart sum(byte) by SourceIP, SourcePort, DestIP, DestPort
| rex field =_raw "(?P<proto1>\w+) blah (?P<proto2>\w+)" | eval proto=coalesce(proto1, proto2)
| top Flag
| where isnull(Flag)
| where isnotnull(Flag)
| stats sum(byte) as Sum | gauge Sum 200000 400000 600000 800000
... | strcat host "::" port address
| iplocation
status=404 | top 5 referer_domain
status=404 | top 5 referer_domain | search count>2
* | eval kbytes = bytes/1024
gender=female |sort -iq |dedup hair, eyes |eval bmi=weight/height
status=404 | timechart count
status=200 | timechart sum(bytes)
status=200 | timechart sum(bytes) by referer
status=200 | chart sum(bytes) as “Total Bytes” over date_wday
status=200 | chart sum(bytes) over date_wday by referer
status=200 | rare 100 uri | search count>1
status=200 | stats sum(bytes), max(bytes)
status=200 | stats max(bytes) by referer
... | rename _ip as IPAddress
... | replace *localhost with localhost in host
... | dedup host Remove duplicates of results with the same host value.
... | head 20
... | reverse
... | sort ip, -url
... | tail 20
--
props.conf
[my_sourcetype]
...
REPORT-fields = my_fields
transforms.conf
[my_fields]
REGEX = (?m-s)^SPARAM\|\d*\|([^|]+)\|(.*)
FORMAT = $1::$2
--
[get-username]
REGEX = by\s(\w+)\son
FORMAT = username::$1
--
Subscribe to:
Posts (Atom)