The log data is key/value pairs. Even though Splunk is good at handling key/value data, we had trouble creating Splunk queries. We used the logic below to remove all <k>/<v> entries. Now the Splunk search is easier to handle. Hope this helps.
if ( $key eq "description" ) {
    my $v = $ref->{$key};
    $v =~ s/<\/k><v>/=/g;   # Replace </k><v> with =
    $v =~ s/<\/v><k>/,/g;   # Replace </v><k> with ,
    $v =~ s/<k>/,/g;        # Replace the leading <k> with ,
    $v =~ s/<\/v>//g;       # Remove the trailing </v>
    $v =~ s/^,//;           # Strip the leading , left by the previous step
    $ref->{$key} = $v;      # Store the flattened key=value list back in the record
}
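The same transformation in Python, as an added example for a SIEM pipeline that does not run Perl (this is not code from the original post or from CA PAM). It assumes, as the Perl snippet above implies, that the description field is a run of <k>name</k><v>value</v> pairs; the sample description is constructed, not a real PAM event. flatten_perl_style reproduces the five substitutions in the same order, and parse_kv_tags plus to_kv_string show the check a practitioner wants: a value that itself contains "," or "=" is quoted instead of silently breaking the flattened string, which plain substitution cannot do.

```python
import re

# One <k>name</k><v>value</v> pair. Non-greedy so adjacent pairs are not
# merged into one match; DOTALL so a value containing a line break still parses.
_PAIR_RE = re.compile(r"<k>(.*?)</k><v>(.*?)</v>", re.DOTALL)

# Constructed sample description field (not a real CA PAM event).
SAMPLE_DESCRIPTION = (
    "<k>user</k><v>jdoe</v>"
    "<k>action</k><v>login</v>"
    "<k>target</k><v>db01.example.internal</v>"
    "<k>comment</k><v>ticket 42, approved</v>"
)


def parse_kv_tags(description: str) -> dict:
    """Return the <k>/<v> pairs of a description field as a dict.

    A key that appears more than once keeps every value (as a list) instead of
    overwriting the earlier one, so nothing from the event is dropped.
    """
    fields = {}
    for key, value in _PAIR_RE.findall(description):
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            fields[key] = value
    return fields


def flatten_perl_style(description: str) -> str:
    """Reproduce the Perl snippet's substitutions, in the same order."""
    v = description
    v = v.replace("</k><v>", "=")   # </k><v>  -> =
    v = v.replace("</v><k>", ",")   # </v><k>  -> ,
    v = v.replace("<k>", ",")       # leading <k> -> ,
    v = v.replace("</v>", "")       # trailing </v> removed
    if v.startswith(","):           # drop the leading , left over
        v = v[1:]
    return v


def to_kv_string(fields: dict) -> str:
    """Emit key=value pairs, quoting any value that contains a delimiter.

    Without this, a value such as 'ticket 42, approved' splits into a bogus
    extra field when the SIEM tokenises on commas.
    """
    parts = []
    for key, value in fields.items():
        values = value if isinstance(value, list) else [value]
        for item in values:
            if any(ch in item for ch in ',="'):
                item = '"' + item.replace('"', '\\"') + '"'
            parts.append(f"{key}={item}")
    return ",".join(parts)


if __name__ == "__main__":
    print("perl-style:", flatten_perl_style(SAMPLE_DESCRIPTION))
    print("parsed:    ", parse_kv_tags(SAMPLE_DESCRIPTION))
    print("quoted:    ", to_kv_string(parse_kv_tags(SAMPLE_DESCRIPTION)))
```

Run it on the sample and compare the first and third lines: the Perl-style output ends in "comment=ticket 42, approved", which a comma-splitting SIEM reads as a field "comment" followed by a stray token "approved", while the quoted form keeps the value intact.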
Original Message:
Sent: 08-17-2020 10:21 AM
From: Pedro Fernandez
Subject: CA PAM log parsing
Thank you, this is what I needed.
Regards,
Original Message:
Sent: 08-16-2020 04:01 PM
From: Nikola Milosavljevic
Subject: CA PAM log parsing
Hi Pedro,
There is this document regarding the Syslog format if it helps: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-4-1/reference/messages-and-log-formats/syslog-message-formats.html
Best regards,
------------------------------
Nikola Milosavljevic
Security Consultant
Original Message:
Sent: 08-14-2020 04:04 PM
From: Pedro Fernandez
Subject: CA PAM log parsing
Do you know if there is any documentation related to PAM logs? We are trying to parse them into a SIEM (which is not Splunk), and any documentation that can help us parse that information would be a great help.
Thank you,