How To Connect Padvish Management Console To Splunk and Similar Software

Problem

This guide is for you if you want to forward Padvish logs to a log collection and analysis product such as Splunk.

This article provides regular expression (regex) rules for parsing Padvish logs. The rules have been tested in Splunk, but they also work in any other product that accepts field-extraction rules in a similar format.

Instruction

Before following these steps, connect the console to Splunk as described in the “Syslog setup in Padvish management console” guide. It is also better to let the software receive some logs first, so that you can see the effect of the rules below as you add them.

The exact procedure may differ slightly depending on the Splunk version, but in general it follows these steps:

  • Go to the Extract Fields page
  • Choose the “I prefer to write the regular expression myself” option
  • Enter each one of the following rules and save it. (Copy and enter exactly one line at a time. Do not add any extra character, line break, or space.)
  • Repeat the above steps for every rule.

Rules

(?<logtype>\S+) \[(?<clienttime>.*)\] Malware '(?<malwarename>.*)' found in client (?<clientname>.*) \[(?<clientip>.*)\] on path '(?<filepath>.*)', action=(?<action>.*), result=(?<result>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] (?<protection>.*) turned (?<onoff>on|off) by '(?<username>.*)' on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] File '(?<filepath>.*)' restored from quarantine by '(?<username>.*)' on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] Restore of file '(?<filepath>.*)' from quarantine failed by '(?<username>.*)' on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] Successfuly updated by '(?<username>.*)' on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] Update by '(?<username>.*)' failed on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] A scan was performed on client (?<clientname>.*) \[(?<clientip>.*)\] by '(?<username>.*)'\. Result='(?<result>.*)', Scanned files='(?<filecount>\d+)', Threats found='(?<threatcount>\d+)', Start Date='(?<scanstart>.*)', End Date='(?<scanend>.*)'

(?<logtype>\S+) \[(?<clienttime>.*)\] (?<action>.*) connection on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*)\. \[Direction='(?<direction>.*)', Remote Address='(?<remoteip>.*):(?<remoteport>.*)', Local Address=':(?<localport>.*)', Protocol='(?<ipprotocol>\d+)'\]

(?<logtype>\S+) \[(?<clienttime>.*)\] Device '(?<devicetype>.*)' with ID '(?<deviceserial>.*)' connected and was '(?<action>.*)' on client (?<clientname>.*) \[(?<clientip>.*)\], user (?<consoleusername>.*)

(?<logtype>\S+) \[(?<clienttime>.*)\] IDS detected '(?<attackname>.*)' on (?<direction>.*) connection (from|to) (?<remoteip>.*) on client (?<clientname>.*) \[(?<clientip>.*)\] user (?<consoleusername>.*) and (?<action>.*) it
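
Before pasting the rules into Splunk, it is worth checking that each one matches a sample line and fills every field as intended. The following script is an added example, not part of the original article or the Padvish product: it takes two of the rules above (with straight quotes and the literal period after the user name escaped), rewrites their PCRE-style named groups into Python's (?P<name>...) form, and runs them over constructed sample lines; the sample log lines and host names are invented for the test and are not real Padvish output.

```python
import re
from typing import Optional

# Two of the article's field-extraction rules, in Splunk/PCRE named-group syntax.
RULES = {
    "malware_found": r"(?<logtype>\S+) \[(?<clienttime>.*)\] Malware '(?<malwarename>.*)' found in client (?<clientname>.*) \[(?<clientip>.*)\] on path '(?<filepath>.*)', action=(?<action>.*), result=(?<result>.*)",
    "scan_performed": r"(?<logtype>\S+) \[(?<clienttime>.*)\] A scan was performed on client (?<clientname>.*) \[(?<clientip>.*)\] by '(?<username>.*)'\. Result='(?<result>.*)', Scanned files='(?<filecount>\d+)', Threats found='(?<threatcount>\d+)', Start Date='(?<scanstart>.*)', End Date='(?<scanend>.*)'",
}


def to_python_regex(pcre: str) -> str:
    """Python's re module spells named groups (?P<name>...), so rewrite the (?<name>...) form."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pcre)


COMPILED = {name: re.compile(to_python_regex(p)) for name, p in RULES.items()}


def extract_fields(line: str) -> Optional[dict]:
    """Return the rule name plus every named field of the first rule matching the whole line, else None."""
    for name, rx in COMPILED.items():
        m = rx.fullmatch(line)
        if m:
            return {"rule": name, **m.groupdict()}
    return None


# Constructed sample lines in the shape the rules expect (invented data, not real Padvish output).
SAMPLES = [
    "ALERT [2023-01-15 10:22:03] Malware 'Trojan.Generic' found in client WS-042 [10.0.0.42] "
    "on path 'C:\\Users\\bob\\Downloads\\setup.exe', action=Quarantine, result=Success",
    "INFO [2023-01-15 11:00:00] A scan was performed on client WS-042 [10.0.0.42] by 'bob'. "
    "Result='Clean', Scanned files='12345', Threats found='0', "
    "Start Date='2023-01-15 10:30:00', End Date='2023-01-15 10:59:12'",
    # A line none of the rules cover, to show the no-match case.
    "INFO [2023-01-15 11:05:00] Console started",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(extract_fields(s))
```

A rule that returns None for a line you expected it to match, or that puts text into the wrong field, is worth fixing here before it is saved in Splunk.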
