Custom Log Prefix¶
If you wish to utilize custom log prefixes for use cases, additional setup will be needed for this add-on to properly identify events.
This add-on uses the following to map events to their appropriate CIM-compliant action. The action field is important for the Network Traffic data model. If the log prefix does not match your events, the action will be "unknown."
Log Prefix | Action |
---|---|
*allow* | allowed |
*block* | blocked |
*drop* | blocked |
*accept* | allowed |
*reject* | blocked |
*permit* | allowed |
*deny* | blocked |
*denied* | blocked |
the wildcard character (*) is used to find any match with the contained value in the log_prefix
field.
Use your own log prefix¶
It is recommended to use the log prefixes in the above table somewhere in your custom log prefix so no extra work is needed.
Example
"allow_ssh_connections" or "telnet_drop"
Add new log prefix definition¶
If the above table defaults do not work for your use case, another lookup can be created with the correct values to fit your situation.
Why use a new lookup file?
If the existing lookup file is used, it will be overwritten during future updates. To preserve changes, a new lookup file must be created.
It may be easiest to to utilize the linux command line to copy the lookup file, iptables_action.csv
located in the lookups
directory within this add-on.
From there you can update the file to fit your use case.
Updating lookup example
It is recommended to have the action field mapped to the Network Traffic datamodel action field (allowed, blocked, teardown). Wrapping the log_prefix
field in wildcards (*) gives the flexibility of not having to specify exact values.
Update transforms.conf¶
After the custom lookup file has been updated, the transforms.conf file will need to be updated to the correct filename.
Within the add-on, create a new file in local/transforms.conf
(you may have to create the local directory). Next add the following to the file:
[iptables_action_lookup]
# If you followed the above example you would
# set this to "iptables_custom_actions.csv" (without quotations).
filename = <your_new_file.csv>
Once the change has been made it may take a few minutes for the changes to take effect. If you don't want to wait you can append | extract reload=true
to your Splunk search to force a reload of the configurations. You should now see the correct actions being populated and no longer will show "unknown."