Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Combining Data from Separate Event Logs

I recently encountered logs from a Buffalo Wireless Access Point. DHCP leases and MAC address associations generate logs like this:

AP00160114430C : WIRELESS: wl0: 11g : Associated User - 00:04:23:76:34:20
AP00160114430C udhcpd: sending ACK to 192.168.11.2

The log identifying the remote MAC address is in one line and the log identifying the remote IP address is in a second line. Most of the TASL correlation scripts for the Log Correlation Engine expect to derive MAC/IP pairs from single logs lines like those of the DHCP daemon shown below:

Mar 24 11:07:46 util04 dhcpd: DHCPREQUEST for 10.9.102.183 from 00:c0:4f:0c:27:14 via eth0

Scripts like the user_to_mac.tasl expect to parse DHCP logs that contain both the MAC address and the IP address on the same line. So how can we take the logs from the Buffalo WAP and generate something that looks like a log from a typical DHCP daemon?

The buffalo_dhcp_one_line.tasl script is a very simple TASL that subscribes to events from the accesspoint_buffalo.prm library. It "keeps state" on the last MAC address in the "Associated User" logs encountered. Those are normalized to event ID 400. When an ACK (event ID 402) or OFFER DHCP (event ID 403) log is encountered, a new log is generated that looks like this:

DHCPREQUEST for 192.168.11.2 from 00:04:23:76:34:20 via buffalo_one_line.tasl script

The MAC address is added from the MAC address seen in the last "Associated user" event. The format of this log is very similar to that of the logs generated by the regular DHCP daemon. This is readily processed by the dhcp.prm plugin library.

Below is a Security Center screen shot of the events from Buffalo WAP being processed by the accesspoint_buffalo.prm library and the buffalo_dhcp_one_line.tasl script.

Double_log_example

The two DHCP-Request events were generated by the TASL script while processing the BuffaloWAP-Associated_MAC and BuffaloWAP-DHCP_Address_ACK events.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security