26 строки
1.6 KiB
Plaintext
26 строки
1.6 KiB
Plaintext
// KQL Squid Access Logs Parser
|
|
// Last Updated Date: July 11, 2019
|
|
// Squid version 4.7
|
|
//
|
|
// Parser Notes:
|
|
// 1. This parser works against the above mentioned squid version, it may need updates if squid is updated with new events or schema changes.
|
|
// 2. This parser presumes that squid access logs are being logged to system syslog rather than being collected as a custom log source.
|
|
// 3. This parser does not parse every field in the squid access logs but instead parsers those fields most applicable to security analysis
|
|
// 4. This query parser the default squid log format is being used.
|
|
//
|
|
// Usage Instruction :
|
|
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. squid_parser).
|
|
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
|
|
//
|
|
//
|
|
Syslog
|
|
| where ProcessName contains "squid"
|
|
| extend URL = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)",3,SyslogMessage),
|
|
SourceIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))",2,SyslogMessage),
|
|
Status = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))",1,SyslogMessage),
|
|
HTTP_Status_Code = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})",8,SyslogMessage),
|
|
User = extract("(CONNECT |GET )([^ ]* )([^ ]+)",3,SyslogMessage),
|
|
RemotePort = extract("(CONNECT |GET )([^ ]*)(:)([0-9]*)",4,SyslogMessage),
|
|
Domain = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)",3,SyslogMessage)
|
|
| extend TLD = extract("\\.[a-z]*$",0,Domain)
|