Родитель
a699efac7b
Коммит
cc3cbfdc0c
@ -22,11 +22,11 @@ Syslog
|
|||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPACK"
|
||||
| extend dhcpack = extract_all(@"(\s\w+\s(\S+))\sto\s(\S+)\svia\s(\S+)(\srelay\s(\S+))?(\slease-duration\s(\d+))?(\s\(([a-zA-Z]+)\))?(\suid\s(\S+))?", dynamic([1,2,3,4,5,6,7,8,9,10,11]), SyslogMessage)[0]
|
||||
| extend IPAddress = tostring(dhcpack[1]),
|
||||
Client_MAC_Address = tostring(dhcpack[2]),
|
||||
SrcMacAddr = tostring(dhcpack[2]),
|
||||
Interface = tostring(dhcpack[4]),
|
||||
Relay = tostring(dhcpack[5]),
|
||||
LeaseDuration = tostring(dhcpack[7]),
|
||||
Client_Hostname = tostring(dhcpack[3]),
|
||||
SrcHostname = tostring(dhcpack[3]),
|
||||
State = tostring(dhcpack[10]),
|
||||
Log_Type = "DHCPACK"
|
||||
| project-away SyslogMessage, dhcpack;
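Review bot: The new `SrcHostname = tostring(dhcpack[3])` line carries over a mapping that does not line up with the pattern: with `dynamic([1,…,11])` index 3 is capture group 4, the token after `via` (the interface), and `Interface = tostring(dhcpack[4])` is group 5, the whole optional ` relay …` clause, so the two columns look shifted by one; `Interface = tostring(dhcpack[3])` would be the interface, and this pattern has no group for a hostname at all. If DHCPACK lines carry a `(hostname)` token between the MAC and `via`, as the DHCPOFFER pattern anticipates with `(\s\(\S+\))?`, `\sto\s(\S+)\svia\s` will not match them and every column from this extend comes back empty. IPAddress is also left under its legacy name here while the DHCPOFFER hunk renames the same value to SrcIpAddr, so the ACK/OFFER pair ends up with different column names for the leased address. The query head above line 22 is outside the hunk, so I cannot tell whether a datasource filter precedes the `where`.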
|
|
@ -21,8 +21,8 @@ Syslog
|
|||
| where ProcessName == "dhcpd" and SyslogMessage has "bind"
|
||||
| extend dhcpbindupdate = extract_all(@"^\s?(\w+)\s\w+\s([0-9.]+)\sfrom\s(\S+)\s(\w+)\:\s(.*)", dynamic([1,2,3,4,5]), SyslogMessage)[0]
|
||||
| extend Log_Type = strcat(Type," ",tostring(dhcpbindupdate[0])),
|
||||
Dest_IP = tostring(dhcpbindupdate[1]),
|
||||
DvcIpAddr = tostring(dhcpbindupdate[1]),
|
||||
Source = tostring(dhcpbindupdate[2]),
|
||||
Action = tostring(dhcpbindupdate[3]),
|
||||
Message = tostring(dhcpbindupdate[4])
|
||||
DvcAction = tostring(dhcpbindupdate[3]),
|
||||
EventMessage = tostring(dhcpbindupdate[4])
|
||||
| project-away SyslogMessage, dhcpbindupdate;
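Review bot: The rename in this extend is partial: Dest_IP, Action and Message move to DvcIpAddr, DvcAction and EventMessage, but `Source = tostring(dhcpbindupdate[2])` (the `from\s(\S+)` token) keeps its legacy name, which leaves this parser with one non-normalized column next to the new ones. If that token is a host, `SrcHostname = tostring(dhcpbindupdate[2]),` would complete the alignment; if it is not, a short comment on the line saying what `Source` holds would save the next reader the same question. Whether DvcIpAddr here denotes the DHCP server or the client is not stated anywhere visible.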
|
|
@ -21,9 +21,9 @@ Syslog
|
|||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPDISCOVER"
|
||||
| extend dhcpdiscover = extract_all(@"\w+\s((\S+)(\s\(\S+\))?)\s\w+\s(\S+)\sTransID\s([a-z0-9]+)\:?(\suid\s(\S+))?(\snetwork\s(\S+)\:)?\s?(.*)?", dynamic([1,2,3,4,5,6,7,8,9,10]), SyslogMessage)[0]
|
||||
| extend Log_Type = "DHCPDISCOVER",
|
||||
Client_MAC_Address = tostring(dhcpdiscover[0]),
|
||||
TransID = tostring(dhcpdiscover[4]),
|
||||
UID = tostring(dhcpdiscover[6]),
|
||||
SrcMacAddr = tostring(dhcpdiscover[0]),
|
||||
DhcpSessionId = tostring(dhcpdiscover[4]),
|
||||
SrcUserIdType = tostring(dhcpdiscover[6]),
|
||||
Network = tostring(dhcpdiscover[8]),
|
||||
Message = tostring(dhcpdiscover[9])
|
||||
EventMessage = tostring(dhcpdiscover[9])
|
||||
| project-away SyslogMessage, dhcpdiscover;
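Review bot: `SrcMacAddr = tostring(dhcpdiscover[0])` reads capture group 1, `((\S+)(\s\(\S+\))?)`, which is the MAC together with the optional parenthesised hostname, so the column reads like `aa:bb:cc:dd:ee:ff (host)` whenever a hostname is present; group 2, `dhcpdiscover[1]`, is the bare address and is what a MAC column should carry. `SrcUserIdType = tostring(dhcpdiscover[6])` stores the uid value itself, whereas under the ASIM naming these columns follow the identifier belongs in SrcUserId and SrcUserIdType names the kind of identifier; the same mapping appears in the DHCPOFFER (`dhcpoffer[13]`) and DHCPREQUEST (`dhcprequest[10]`) hunks, so the three should be corrected together. Sides of the lines are inferred from the 9/9 counts, since the page lost the +/- markers.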
|
|
@ -20,7 +20,7 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPEXPIRE"
|
||||
| extend dhcpexpire = extract_all(@"\w+\s(\S+)\s\w+\s(\S+)", dynamic([1,2]), SyslogMessage)[0]
|
||||
| extend Source_IP = tostring(dhcpexpire[0]),
|
||||
Dest_MAC_Address = tostring(dhcpexpire[1]),
|
||||
| extend SrcIpAddr = tostring(dhcpexpire[0]),
|
||||
DvcMacAddr = tostring(dhcpexpire[1]),
|
||||
Log_Type = "DHCPEXPIRE"
|
||||
| project-away SyslogMessage, dhcpexpire;
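Review bot: `DvcMacAddr = tostring(dhcpexpire[1])` puts the second captured token of the DHCPEXPIRE line under a Dvc* column, while the DHCPDISCOVER and DHCPREQUEST hunks put the client MAC in SrcMacAddr; if this line follows the usual `DHCPEXPIRE on <ip> to <mac>` form, that token is the lease holder's address and `SrcMacAddr = tostring(dhcpexpire[1]),` would be the consistent choice. If Dvc* is intentionally the client here, a one-line comment stating that convention would stop the inconsistency from being "fixed" later. The same question applies to `DvcIpAddr`/`DvcMacAddr` in the bind-update and dhcpoption hunks, which I cannot settle without sample lines.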
|
|
@ -20,8 +20,8 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPINFORM"
|
||||
| extend dhcpinform = extract_all(@"\w+\s(\S+)\svia\s(\S+)\sTransID\s([a-z0-9]+)", dynamic([1,2,3]), SyslogMessage)[0]
|
||||
| extend Source_IP = tostring(dhcpinform[0]),
|
||||
| extend SrcIpAddr = tostring(dhcpinform[0]),
|
||||
Relay = tostring(dhcpinform[1]),
|
||||
TransID = tostring(dhcpinform[2]),
|
||||
DhcpSessionId = tostring(dhcpinform[2]),
|
||||
Log_Type="DHCPINFORM"
|
||||
| project-away SyslogMessage, dhcpinform;
|
|
@ -20,13 +20,13 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPOFFER"
|
||||
| extend dhcpoffer = extract_all(@"\w+\s(\S+)(\s\w+\s((\S+)(\s\(\S+\))?))?\svia\s(\S+)(\srelay\s(\S+))?(\slease-duration\s(\d+))?(\soffered-duration\s(\d+))?(\sUID\s(\S+))?", dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13,14]), SyslogMessage)[0]
|
||||
| extend IPAddress = tostring(dhcpoffer[0]),
|
||||
Client_MAC_Address = tostring(dhcpoffer[3]),
|
||||
| extend SrcIpAddr = tostring(dhcpoffer[0]),
|
||||
SrcMacAddr = tostring(dhcpoffer[3]),
|
||||
Interface = tostring(dhcpoffer[5]),
|
||||
Relay = tostring(dhcpoffer[7]),
|
||||
LeaseDuration = tostring(dhcpoffer[9]),
|
||||
OfferedDuration = tostring(dhcpoffer[11]),
|
||||
Client_Hostname = tostring(dhcpoffer[4]),
|
||||
UID = tostring(dhcpoffer[13]),
|
||||
SrcHostname = tostring(dhcpoffer[4]),
|
||||
SrcUserIdType = tostring(dhcpoffer[13]),
|
||||
Log_Type = "DHCPOFFER"
|
||||
| project-away SyslogMessage, dhcpoffer;
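Review bot: `SrcHostname = tostring(dhcpoffer[4])` copies group 5, `(\s\(\S+\))?`, verbatim, so the column keeps the leading space and the parentheses, whereas the DHCPRELEASE and DHCPREQUEST hunks strip them with `extract(@"\((\S+)\)",1, …)`; `SrcHostname = extract(@"\((\S+)\)",1,tostring(dhcpoffer[4])),` would make the three parsers emit the same shape. The 13/13 counts only say four lines were swapped, so the assignment of sides is inferred; the hostname handling holds either way because the group index is unchanged.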
|
|
@ -25,8 +25,8 @@ Syslog
|
|||
PacketType = tostring(dhcpoption[1]),
|
||||
CircuitID = tostring(dhcpoption[3]),
|
||||
RemoteID = tostring(dhcpoption[4]),
|
||||
Dest_IP = tostring(dhcpoption[5]),
|
||||
Dest_MAC_Address = tostring(dhcpoption[6]),
|
||||
Message = tostring(dhcpoption[7]),
|
||||
DvcIpAddr = tostring(dhcpoption[5]),
|
||||
DvcMacAddr = tostring(dhcpoption[6]),
|
||||
EventMessage = tostring(dhcpoption[7]),
|
||||
State = tostring(dhcpoption[8])
|
||||
| project-away SyslogMessage, dhcpoption;
|
|
@ -20,11 +20,11 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPRELEASE"
|
||||
| extend dhcprelease = extract_all(@"of\s(\S+)\sfrom\s((\S+)(\s\(\S+\))?)\svia\s(\S+)(\s\((\w+)\))?(\sTransID\s([a-z0-9]+)\s)?", dynamic([1,2,3,4,5,6,7,8,9,10,11,12]), SyslogMessage)[0]
|
||||
| extend IPAddress = tostring(dhcprelease[0]),
|
||||
Client_MAC_Address = tostring(dhcprelease[2]),
|
||||
Client_Hostname = extract(@'\((\S+)\)',1,tostring(dhcprelease[3])),
|
||||
| extend SrcIpAddr = tostring(dhcprelease[0]),
|
||||
SrcMacAddr = tostring(dhcprelease[2]),
|
||||
SrcHostname = extract(@'\((\S+)\)',1,tostring(dhcprelease[3])),
|
||||
Relay = tostring(dhcprelease[4]),
|
||||
TransID = tostring(dhcprelease[8]),
|
||||
DhcpSessionId = tostring(dhcprelease[8]),
|
||||
State = tostring(dhcprelease[6]),
|
||||
Log_Type= "DHCPRELEASE"
|
||||
| project-away SyslogMessage, dhcprelease;
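Review bot: `DhcpSessionId = tostring(dhcprelease[8])` depends on the optional group `(\sTransID\s([a-z0-9]+)\s)?`, which requires a whitespace character after the id, so a line that ends right after the TransID produces an empty DhcpSessionId (the removed TransID column had the same gap); `(\sTransID\s([a-z0-9]+)\s?)?` captures an id at end of line as well. The DHCPREQUEST hunk has the identical clause and would need the same change. The capture-group list `dynamic([1,…,12])` also names groups 10–12 that this pattern does not define; trimming it to the nine groups the pattern has avoids relying on how extract_all treats missing groups.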
|
|
@ -20,6 +20,6 @@ Syslog
|
|||
| where ProcessName == "dhcpd" and SyslogMessage has "Removed"
|
||||
| extend dhcpremoved = extract_all(@"([\w\s]+)(from|on)\s(\S+)(\sto\s(\S+))?", dynamic([1,2,3,4,5]), SyslogMessage)[0]
|
||||
| extend Log_Type = strcat(Type," ",tostring(dhcpremoved[0])),
|
||||
Source = tostring(dhcpremoved[2]),
|
||||
Dest = tostring(dhcpremoved[4])
|
||||
SrcHostname = tostring(dhcpremoved[2]),
|
||||
DvcHostname = tostring(dhcpremoved[4])
|
||||
| project-away SyslogMessage, dhcpremoved;
|
|
@ -20,12 +20,12 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "dhcpd" and SyslogMessage has "DHCPREQUEST"
|
||||
| extend dhcprequest = extract_all(@"for\s((\S+)(\s\(\S+\))?)\sfrom\s((\S+)(\s\(\S+\))?)\svia\s(\S+)(\sTransID\s([a-z0-9]+)\s)?(uid\s([a-z0-9:]+)|uid$|uid)?(\s\(([a-zA-Z]+)\)$)?", dynamic([1,2,3,4,5,6,7,8,9,10,11,12]), SyslogMessage)[0]
|
||||
| extend IPAddress = tostring(dhcprequest[1]),
|
||||
Client_MAC_Address = tostring(dhcprequest[4]),
|
||||
Client_Hostname = extract(@"\((\S+)\)",1,tostring(dhcprequest[5])),
|
||||
| extend SrcIpAddr = tostring(dhcprequest[1]),
|
||||
SrcMacAddr = tostring(dhcprequest[4]),
|
||||
SrcHostname = extract(@"\((\S+)\)",1,tostring(dhcprequest[5])),
|
||||
Relay = tostring(dhcprequest[6]),
|
||||
TransID = tostring(dhcprequest[8]),
|
||||
UID = tostring(dhcprequest[10]),
|
||||
DhcpSessionId = tostring(dhcprequest[8]),
|
||||
SrcUserIdType = tostring(dhcprequest[10]),
|
||||
State = tostring(dhcprequest[11]),
|
||||
Log_Type = "DHCPREQUEST"
|
||||
| project-away SyslogMessage, dhcprequest;
|
|
@ -22,8 +22,8 @@ Syslog
|
|||
| extend dhcpsession = extract_all(@"\:?([0-9.]+)\,([a-zA-Z]+)\,([a-zA-Z0-9-]+)\,([a-z0-9:]+)\,([0-9]+)\,([0-9]+)\,([0-9]+)?\,([\w$\s]+)\,([0-9.]+)\,([0-9]+)\,([0-9-.]+)", dynamic([1,2,3,4,5,6,7,8,9,10,11]), SyslogMessage)[0]
|
||||
| extend Dest_IP = tostring(dhcpsession[0]),
|
||||
Signature = tostring(dhcpsession[1]),
|
||||
DNS_Hostname = tostring(dhcpsession[2]),
|
||||
Dest_MAC_Address = tostring(dhcpsession[3]),
|
||||
SrcHostname = tostring(dhcpsession[2]),
|
||||
DvcMacAddr = tostring(dhcpsession[3]),
|
||||
StartTime = tostring(dhcpsession[4]),
|
||||
EndTime = tostring(dhcpsession[5]),
|
||||
Network = tostring(dhcpsession[8]),
|
||||
|
|
|
@ -20,13 +20,13 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "named" and SyslogMessage has "client"
|
||||
| extend dnsclient = extract_all(@"(\@[a-z0-9]+\s)?([0-9\.]+)\#(\d+)(\s\((\S+)\))?\:\s(?:view\s)?(\S+)?(?:\:\s)?((UDP|TCP)\:\s?)??query\:\s(\S+)\s(\S+)\s(\S+)(\sresponse:\s([A-Z]+))?\s(\S+)(.*)",dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]), SyslogMessage)[0]
|
||||
| extend Client_IP = tostring(dnsclient[1]),
|
||||
Port = tostring(dnsclient[2]),
|
||||
Protocol = tostring(dnsclient[7]),
|
||||
QueryDomainName = tostring(dnsclient[8]),
|
||||
ClassName = tostring(dnsclient[9]),
|
||||
RecordType = tostring(dnsclient[10]),
|
||||
ResponseCode = tostring(dnsclient[12]),
|
||||
Flag = tostring(dnsclient[13]),
|
||||
Message = tostring(dnsclient[14])
|
||||
| extend SrcIpAddr = tostring(dnsclient[1]),
|
||||
SrcPortNumber = tostring(dnsclient[2]),
|
||||
NetworkProtocol = tostring(dnsclient[7]),
|
||||
DnsQuery = tostring(dnsclient[8]),
|
||||
DnsQueryClassName = tostring(dnsclient[9]),
|
||||
DnsQueryType = tostring(dnsclient[10]),
|
||||
DnsResponseCode = tostring(dnsclient[12]),
|
||||
DnsFlags = tostring(dnsclient[13]),
|
||||
EventMessage = tostring(dnsclient[14])
|
||||
| project-away SyslogMessage, dnsclient;
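Review bot: `SrcPortNumber = tostring(dnsclient[2])` emits the port as a string; if these names target the ASIM schema, SrcPortNumber is an integer column, so `SrcPortNumber = toint(dnsclient[2]),` avoids a type clash when this parser is unioned with other sources (the replaced Port column was a string, so this is the moment to fix it). `DnsResponseCode = tostring(dnsclient[12])` holds the textual `([A-Z]+)` code, which, as far as I recall the schema, is the DnsResponseName column while DnsResponseCode is numeric; if keeping the text here is deliberate, a comment on the line saying so would prevent a later "fix". Group indices otherwise line up with the pattern (index 1 = group 2 = client IP, index 8 = group 9 = query name).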
|
|
@ -20,5 +20,5 @@ Syslog
|
|||
| where Computer in (datasource)
|
||||
| where ProcessName == "named" and SyslogMessage has "gss_accept_sec_context"
|
||||
| extend dnsgss = extract_all(@":\s(.*)", dynamic([1,2]), SyslogMessage)[0]
|
||||
| extend Message = tostring(dnsgss[0])
|
||||
| extend EventMessage = tostring(dnsgss[0])
|
||||
| project-away dnsgss, SyslogMessage;
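Review bot: The extract_all call asks for `dynamic([1,2])` while the pattern `:\s(.*)` defines a single capture group, and the new `EventMessage = tostring(dnsgss[0])` reads only index 0, so `dynamic([1])` is what the code actually uses. Because the group is `(.*)` after the first `: `, EventMessage is the verbatim remainder of the syslog line; a short comment noting that would help anyone deciding what to project from this parser.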
|
|
@ -21,13 +21,13 @@ Syslog
|
|||
| where ProcessName == "named" and SyslogMessage has "zone"
|
||||
| extend dnszone = extract_all(@"([a-z0-9\.\-]+)\/([A-Z]+)\:(\s[A-Z]+)?\s(\w+\s\w+)\s(for\s\'(\S+)?\':)?((\d+)\.?)?(\s(\with\s|(\d+)\sIN\s)([A-Z]+)\s)?(\(?serial\s(\d+)\)?)?(.*)", dynamic([1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]), SyslogMessage)[0]
|
||||
| extend Zone = tostring(dnszone[0]),
|
||||
Action = tostring(dnszone[3]),
|
||||
Client_Hostname = tostring(dnszone[5]),
|
||||
TransID = tostring(dnszone[7]),
|
||||
DvcAction = tostring(dnszone[3]),
|
||||
SrcHostname = tostring(dnszone[5]),
|
||||
TransactionIdHex = tostring(dnszone[7]),
|
||||
Serial = tostring(dnszone[13]),
|
||||
TTL = tostring(dnszone[10]),
|
||||
RecordType = tostring(dnszone[11])
|
||||
DnsQueryType = tostring(dnszone[11])
|
||||
| extend dnszone_substring = extract_all(@"\s?([a-zA-Z0-9\.\-\_]+)\.\s(.*)", dynamic([1,2]),tostring(dnszone[14]))[0]
|
||||
| extend Host = tostring(dnszone_substring[0]),
|
||||
Message = tostring(dnszone_substring[1])
|
||||
| extend Src = tostring(dnszone_substring[0]),
|
||||
EventMessage = tostring(dnszone_substring[1])
|
||||
| project-away SyslogMessage, dnszone_substring, dnszone;
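Review bot: `TransactionIdHex = tostring(dnszone[7])` is fed from group 8, `(\d+)`, which matches decimal digits only, so the `Hex` suffix does not describe what the column can hold; either the group should accept hex digits, `([0-9a-fA-F]+)`, or the column should be named for a decimal id. `Src = tostring(dnszone_substring[0])` takes the token before the first `. ` of the free-text tail, as I read `([a-zA-Z0-9\.\-\_]+)\.\s(.*)`; since the name alone does not say whether that is a host or a zone, a comment such as `// Src: first dotted token of the message tail` on that line would help. The six swapped lines are inferred from the 13/13 counts, not from markers.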
|