Have you ever searched for a Splunk app or TA and came up empty? We have too... Not to worry though, with a little parsing and some dashboarding we should be able to create visibility where there may not be much previously. This was exactly the case when we tried to parse AirWatch logs (https://www.air-watch.com/).
Figure 1: At the time of writing this article, no app or TA existed for airwatch. |
If you have this same situation, hopefully we can help you too. This is the process we followed along with the regex used and the final dashboard produced. As a bonus, not only will we give you our regex that we used, but also the dashboard code at the end of the article.
|
Raw Log
Mar 15 07:43:45 airwatchhost Mar 15 13:43:45 AirWatch AirWatch Syslog Details are as follows Event Type: DeviceEvent: SecurityInformationConfirmed
User: sysadmin
Enrollment User: TLEE
Event Source: Device
Event Module: Devices
Event Category: Command
Event Data:
Device Friendly Name: TLEE iPhone iOS 12.1.0 GRY9
Fields we need to parse
- Event Type
- Event
- User
- Enrollment User
- Event Source
- Event Module
- Event Category
- Event Data
- Device Friendly Name
Regular Expression Needed
There may be more graceful ways to parse these logs, but this seemed to work for us. Go to Settings > Fields > Field Extractions > New Field Extraction. For the fields use the following:- Select the app
- Name: All-Airwatch-Fields
- Select the sourcetype for airwatch data
- Inline
- Extraction: Copy and paste what we have below
Event\sType:\s(?P<EventType>.*?)\sEvent:\s(?P<Event>.*?)\sUser:\s(?P<User>.*?)\sEnrollment\sUser:\s(?P<EnrollmentUser>.*?)\sEvent\sSource:\s(?P<EventSource>.*?)\sEvent\sModule:\s(?P<EventModule>.*?)\sEvent\sCategory:\s(?P<EventCategory>.*?)\sEvent\sData:\s(?P<EventData>.*?)\sDevice\sFriendly\sName:\s(?P<DeviceFriendlyName>.*)
You should not need to restart Splunk, but give it 5 minutes and search with your index and sourcetype again in Verbose mode and the fields should now be parsed.
Conclusion
Even though we did not have a Splunk TA or App to help create visibility, we did this ourselves using the flexibility provided within Splunk. We hope this article helped other save time. If it helped or even if it did not work, feel free to leave a comment below. Happy Splunking!Dashboard Code
The following dashboard assumes that the appropriate logs are being collected and sent to Splunk. Additionally, the dashboard code assumes an index of airwatch. Feel free to adjust as necessary. Splunk dashboard code provided below:
<form>
<label>Airwatch</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time">
<label>Time Range</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="wild">
<label>Wildcard Search</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Event Count</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | stats count</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="drilldown">all</option>
</single>
</panel>
<panel>
<table>
<title>Top Event</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 Event</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel>
<table>
<title>Top EventModule</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 EventModule</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
<panel>
<table>
<title>Top Enrollment User</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 EnrollmentUser</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel>
<table>
<title>Top Device Friendly Name</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | top limit=0 DeviceFriendlyName</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
<row>
<panel>
<chart>
<title>Top Event over Time</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | timechart count by Event</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<chart>
<title>Top Enrollment User over Time</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName | timechart count by EnrollmentUser</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Details</title>
<search>
<query>index=airwatch $wild$ | table _time, EventType, Event, User, EnrollmentUser, EventSource, EventModule, EventCategory, EventData, DeviceFriendlyName</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
What sourcetype did you use?
ReplyDeleteIn this case, the sourcetype is your choice. Since we did not have a TA and we were parsing the fields ourselves, we could make up an arbitrary sourcetype. If a TA is eventually developed, you will want to use the sourcetype from that TA. I hope that helps.
ReplyDeleteHow did you actually ingest the AirWatch data?
ReplyDeleteIt looks like VMWare may have moved the previous syslog link we posted during their rebranding efforts.
Deletehttps://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Legacy_Analytics/GUID-AWT-SYSLOGOVERVIEW.html
Hi Tony,
ReplyDeleteThanks but could you please share how you have onboarded AirWatch data into Splunk? I mean how you integrated it with Splunk as the link you have shared contains huge chunk of pdfs but nothing seems related to splunk integration
Sure thing, syslog integration won't be specific to Splunk since nearly any SIEM can receive and process syslog traffic. Where exactly are you getting stuck? Are you stuck on opening a port in Splunk to receive the data or stuck on finding where in Airwatch to configure the syslog send settings?
DeleteHi Tony,
ReplyDeletei was wondering if you came across some interesting security use cases with regards to air-watch.
Thanks in advanced!
Hello Aner,
DeleteSure, take a look at the screenshot at the start of the article. The sample dashboard we created provides some Airwatch statistics on users and devices within MDM. This data could be useful during a rollout to confirm successful MDM enrollment. It could also be useful to know which users are associated with various devices. We provided the most common events we were seeing which may help in gaining an understanding of the possibilities. If you come up with more, please feel free to post back and share them.
Good Day Tony
ReplyDeleteI have a similar problem.
I have Achieved in my goal to pull data in from air watch but it looks like the HTML java script.
I would just like to know how you are pulling the data into splunk(HEC, REST API?)
Did you try sending syslog? https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/Legacy_Analytics/GUID-AWT-SYSLOGOVERVIEW.html
DeleteIs there anyway to use HEC Endpoint to ingest the data? I have tried and it says my syslog url is invalid.
ReplyDeleteUnfortunately we did not try HEC. Hopefully someone else on this thread did? If so, please chime in. Thanks!
DeleteWhat log format does Airwatch come in?
ReplyDeleteThis was a great help. We have an issue that the syslog data is coming in with out spacing between the headers and the previous data field. makes our extractions a bit iffy.
ReplyDeleteI wonder if it is an issue with the syslog receiver config? Might also need to tell Splunk how to identify the start of the packet using the date? For example: Mar 15 07:43:45
DeleteThat would help with spacing issues.
Tony, thanks for the information on Syslog. I am new to AirWatch and am curious if you have explored options to poll endpoint device information via an AirWatch API that would ultimately be sent to Splunk?
ReplyDeleteSure thing. Unfortunately, I have not tried out the API. Additionally, I do not have access to the Airwatch system anymore to experiment further. I try to blog on the various data feeds while I have access to systems and this one has been a while. Sort of surprised there is no Splunk app and TA by now. Sometimes my articles beat the official apps and TAs by a little bit, but this one is still beating Airwatch's efforts 2 years later. :-| Oooomph.
Delete