Friday, December 21, 2018

Parsing and Displaying Airwatch Data in Splunk

By Tony Lee

Have you ever searched for a Splunk app or TA and come up empty? We have too...  Not to worry though: with a little parsing and some dashboarding we should be able to create visibility where there may not have been much previously. This was exactly the case when we tried to parse AirWatch logs (https://www.air-watch.com/).


Figure 1:  At the time of writing this article, no app or TA existed for airwatch.

If you are in this same situation, hopefully we can help you too. This is the process we followed, along with the regex we used and the final dashboard produced. As a bonus, we give you not only the regex we used but also the dashboard code at the end of the article.


Figure 2:  Final dashboard to display airwatch data


Raw Log

Mar 15 07:43:45 airwatchhost Mar 15 13:43:45 AirWatch AirWatch Syslog Details are as follows Event Type: Device
Event: SecurityInformationConfirmed
User: sysadmin
Enrollment User: TLEE
Event Source: Device
Event Module: Devices
Event Category: Command
Event Data: 
Device Friendly Name: TLEE iPhone iOS 12.1.0 GRY9


Fields we need to parse

  • Event Type
  • Event
  • User
  • Enrollment User
  • Event Source
  • Event Module
  • Event Category
  • Event Data
  • Device Friendly Name

Regular Expression Needed

There may be more graceful ways to parse these logs, but this seemed to work for us. Go to Settings > Fields > Field Extractions > New Field Extraction and fill in the fields as follows:

  • Select the app
  • Name:  All-Airwatch-Fields
  • Select the sourcetype for airwatch data
  • Inline
  • Extraction:  Copy and paste what we have below


Event\sType:\s(?P<EventType>.*?)\sEvent:\s(?P<Event>.*?)\sUser:\s(?P<User>.*?)\sEnrollment\sUser:\s(?P<EnrollmentUser>.*?)\sEvent\sSource:\s(?P<EventSource>.*?)\sEvent\sModule:\s(?P<EventModule>.*?)\sEvent\sCategory:\s(?P<EventCategory>.*?)\sEvent\sData:\s(?P<EventData>.*?)\sDevice\sFriendly\sName:\s(?P<DeviceFriendlyName>.*)

You should not need to restart Splunk, but give it about 5 minutes, then search your index and sourcetype again in Verbose mode; the fields should now be parsed.
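To check the extraction before committing it in Splunk, here is an added Python example (not from the article) that runs the article's regex, unchanged, over a reconstruction of the raw log above and over a one-line form of the same event. The TOLERANT_RE variant, the sample strings and the parse_airwatch helper are this example's own assumptions.

```python
import re
from typing import Optional

# The field-extraction regex exactly as given in the article.
AIRWATCH_RE = re.compile(
    r"Event\sType:\s(?P<EventType>.*?)\sEvent:\s(?P<Event>.*?)\sUser:\s(?P<User>.*?)"
    r"\sEnrollment\sUser:\s(?P<EnrollmentUser>.*?)\sEvent\sSource:\s(?P<EventSource>.*?)"
    r"\sEvent\sModule:\s(?P<EventModule>.*?)\sEvent\sCategory:\s(?P<EventCategory>.*?)"
    r"\sEvent\sData:\s(?P<EventData>.*?)\sDevice\sFriendly\sName:\s(?P<DeviceFriendlyName>.*)"
)

# Same regex with the whitespace around Event Data relaxed to \s* (an assumption of
# this example, not from the article) so an empty Event Data still matches when the
# event arrives on one line with a single space between labels.
TOLERANT_RE = re.compile(
    AIRWATCH_RE.pattern.replace(
        r"Event\sData:\s(?P<EventData>.*?)\sDevice",
        r"Event\sData:\s*(?P<EventData>.*?)\s*Device",
    )
)

# Constructed sample: the article's raw event. "Event Data: " is empty, and the
# trailing space plus newline are the two whitespace characters the regex needs.
SAMPLE_MULTILINE = (
    "Mar 15 07:43:45 airwatchhost Mar 15 13:43:45 AirWatch AirWatch Syslog Details "
    "are as follows Event Type: Device\nEvent: SecurityInformationConfirmed\n"
    "User: sysadmin\nEnrollment User: TLEE\nEvent Source: Device\n"
    "Event Module: Devices\nEvent Category: Command\nEvent Data: \n"
    "Device Friendly Name: TLEE iPhone iOS 12.1.0 GRY9"
)
# Constructed variant: the same event flattened to one line, as a forwarder that
# collapses newlines to single spaces would deliver it.
SAMPLE_ONE_LINE = " ".join(line.strip() for line in SAMPLE_MULTILINE.splitlines())


def parse_airwatch(raw: str, pattern=AIRWATCH_RE) -> Optional[dict]:
    """Return the nine named fields, or None when the pattern does not match."""
    m = pattern.search(raw)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, raw in (("multiline", SAMPLE_MULTILINE), ("one-line", SAMPLE_ONE_LINE)):
        print(name, "article regex:", parse_airwatch(raw))
        print(name, "tolerant regex:", parse_airwatch(raw, TOLERANT_RE))
```

The one-line form shows the failure mode: with only one space after "Event Data:", the article's regex returns no match at all, so every field is lost for that event rather than just Event Data.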

Conclusion

Even though we did not have a Splunk TA or App to help create visibility, we did this ourselves using the flexibility provided within Splunk. We hope this article helped others save time. If it helped, or even if it did not work, feel free to leave a comment below. Happy Splunking!

Dashboard Code

The following dashboard assumes that the appropriate logs are being collected and sent to Splunk. Additionally, the dashboard code assumes an index of airwatch. Feel free to adjust as necessary. The Splunk dashboard code follows:


<form>
  <label>Airwatch</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time Range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="wild">
      <label>Wildcard Search</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <title>Event Count</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | stats count</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">all</option>
      </single>
    </panel>
    <panel>
      <table>
        <title>Top Event</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 Event</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top EventModule</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 EventModule</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Enrollment User</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 EnrollmentUser</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top Device Friendly Name</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 DeviceFriendlyName</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Top Event over Time</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | timechart count by Event</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top Enrollment User over Time</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | timechart count by EnrollmentUser</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Details</title>
        <search>
          <query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>