Fixit

Image by tryhackme.com

TryHackMe provides a fantastic introduction to the Splunk SIEM. This challenge room helped me feel confident in extracting fields from log sources.

This challenge room can be found on TryHackMe

Fix Event Boundaries

Ensuring that each event is one record

Because each log entry contains a line break, Splunk interprets every entry as two separate events. A stanza in props.conf tells Splunk to start a new event only at the marker at the beginning of each entry, so that one entry becomes one event.

Create the following file:

/opt/splunk/etc/apps/fixit/default/props.conf
[network_logs]
BREAK_ONLY_BEFORE = \[Network-log\]

Extract Custom Fields

Making the ingested log searchable

Now that Splunk interprets each log as a single log entry instead of two, you can extract fields from the log.

Start by building a regex that captures each interesting piece of data in its own group, then give those groups proper names. I used regex101.com to help me build the regex.

Create a file named transforms.conf and add the following:

/opt/splunk/etc/apps/fixit/default/transforms.conf
[network_logs_custom_fields]
REGEX = \[Network-log\]: User named ([\w\s]+) from ([\w\s]+) department accessed the resource (.+) from the source IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and country \n(.+) at:
FORMAT = Username::$1 Department::$2 Resource::$3 SourceIP::$4 Country::$5
WRITE_META = true

You create groups by wrapping part of the pattern in parentheses, "()". Each group can then be referenced as $1, $2, $3 and so on, in the order the opening parentheses appear. To give each group a field name, use the following syntax in FORMAT:

<FieldName>::$<GroupNumber>

In my example, the Department is in group 2.

When the transforms are created, you can reference them from your props.conf file using a TRANSFORMS-<class> key:

/opt/splunk/etc/apps/fixit/default/props.conf
[network_logs]
BREAK_ONLY_BEFORE = \[Network-log\]
TRANSFORMS-logs = network_logs_custom_fields
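To see what the two stanzas above ask Splunk to do, here is an added Python example (my own illustration, not code from the room or from Splunk) that reproduces the same logic locally: it first merges raw lines into events, starting a new event only at a line that matches the BREAK_ONLY_BEFORE pattern, then applies the transforms.conf regex with Python named groups standing in for the FORMAT mapping. The sample log text is constructed for this example, and the pattern escapes the dots in the IP address, since an unescaped dot matches any character. The small looks_like_ip helper shows that difference on purpose.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log text (not from the TryHackMe room). Each record spans
# two lines: the country sits on the second line, which is why Splunk would
# otherwise index two events per record. Note the trailing space before "\n".
RAW_LOG = (
    "[Network-log]: User named Alice Smith from Finance department accessed the resource "
    "/reports/q3.pdf from the source IP 10.0.0.5 and country \n"
    "Sweden at: 2024-01-01 10:00:00\n"
    "[Network-log]: User named Bob Jones from IT department accessed the resource "
    "/admin/panel from the source IP 192.168.1.10 and country \n"
    "Norway at: 2024-01-01 10:05:00\n"
)

# Local equivalent of BREAK_ONLY_BEFORE = \[Network-log\]
BREAK_ONLY_BEFORE = re.compile(r"\[Network-log\]")

# Same pattern as the transforms.conf REGEX; the named groups play the role of
# FORMAT = Username::$1 Department::$2 Resource::$3 SourceIP::$4 Country::$5
FIELD_REGEX = re.compile(
    r"\[Network-log\]: User named (?P<Username>[\w\s]+) from (?P<Department>[\w\s]+) department "
    r"accessed the resource (?P<Resource>.+) from the source IP "
    r"(?P<SourceIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and country \n(?P<Country>.+) at:"
)

# The IP sub-pattern with and without escaped dots, to show why escaping matters.
UNESCAPED_IP = re.compile(r"\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}")
ESCAPED_IP = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def split_events(raw: str) -> List[str]:
    """Group raw lines into events, opening a new event only at a line that
    matches the break pattern; any other line is appended to the current event."""
    events: List[str] = []
    for line in raw.splitlines():
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_fields(event: str) -> Optional[Dict[str, str]]:
    """Apply the field regex to one event; None means the event yields no fields."""
    match = FIELD_REGEX.search(event)
    return match.groupdict() if match else None


def parse_log(raw: str) -> List[Dict[str, str]]:
    """Event breaking followed by field extraction, the order Splunk applies them."""
    return [fields for fields in (extract_fields(e) for e in split_events(raw)) if fields]


def looks_like_ip(text: str, pattern: re.Pattern) -> bool:
    """True when the whole string matches the given IP pattern."""
    return pattern.fullmatch(text) is not None


if __name__ == "__main__":
    for fields in parse_log(RAW_LOG):
        print(fields)
    print("unescaped dots accept 10x0x0x5:", looks_like_ip("10x0x0x5", UNESCAPED_IP))
    print("escaped dots accept 10x0x0x5:", looks_like_ip("10x0x0x5", ESCAPED_IP))
```

Running it prints one dictionary per record with the five fields named exactly as in FORMAT, and shows that the unescaped pattern happily accepts "10x0x0x5" while the escaped one rejects it.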

Finally, make Splunk treat the extracted fields as indexed fields, so they are searchable, by creating the file fields.conf and adding the following:

/opt/splunk/etc/apps/fixit/default/fields.conf
[Username]
INDEXED = true

[Department]
INDEXED = true

[Resource]
INDEXED = true

[SourceIP]
INDEXED = true

[Country]
INDEXED = true

Restart Splunk and you should be able to search through the log using SPL (Search Processing Language). Please note that you should probably wait about 30 minutes after the room's machine starts before all the log variations have been written.

Happy log-parsing! 🎉