Re: Splunk TA for Password Manager Pro: I've set t...

alexlomas · ‎06-06-2016

I've set the sourcetype in the syslog input to be 'passman' - events are being ingested, but fields aren't being extracted. The tag of 'account' is being added though. Have I set the wrong type?

atellez_splunk · ‎06-06-2016

The TA uses sourcetype pipelines in order to "match" the event to three different types of logs: pmp_resource, pmp_login, pmp_notification. If the fields are failing to extract the syslog output from your appliance might not match the regular expressions found in the TA. An easy way to test this is to copy some logs into a regex editor (regex101.com) and use the EXTRACT regexes to test that the regexes are valid against your logs.

Example for pmp_resource logs:

EXTRACT-passman=(?P<date>\d+\-\d+\-\d+\s\d+\:\d+\:\d+)\s(?P<facility>\w+\.\w+)\s(?P<program>\w+)\s(?P<otherdate>\w+\s\d+\s\d+\:\d+\:\d+)\s(?P<host>\w+)\s(?P<logged_in_username>\S+)\:(?P<src>\S+)\s(?P<operation_type>\S+)\s(?P<operated_time>\d+\/\d+\/\d+\s\d+\:\d+\:\d+)\s(?P<status_of_operation>\w+)\s(?P<pmp_server_name>\S+)\s(?P<dest>\S+)\:(?P<user>\S+)\:(?P<reason>\S+)

alexlomas · ‎06-07-2016

Thanks - looks like the extracts in the TA no longer match what PMP is sending then.

knicholson0 · ‎03-02-2018

Yes. I'm on PMP Version: 9.1.0 / Build Number: 9101 and the date format being sent to Syslog is not in a valid ISO 8601 date, such as "2004-05", but rather "Mar 2" [sic]. So much for this statement from Manage Engine "A RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol"

Splunk TA for Password Manager Pro: I've set the sourcetype in the syslog input, but why are fields not being extracted?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...