This post is about combining field extractions.
I am working with **Dell Defender Syslogs** and want to extract different types of messages.
But those Syslogs differ in length and content so **I have trouble building one regex to cover all**.
Also if you are using the OR statement you can't bind multiple parts to one field unless you rename it.
(REGEX ERROR MESSAGE: two named sub-patterns have the same name)
**This REGEX would cover all raws.**
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?.*)
```
**Message examples:**
Prefix: Oct 12 15:54:14 IP Oct 12 15:54:14 SERVERNAME SERVER_NAME:
1. Radius Request from IP:PORT Request ID: REQUEST_ID
2. Radius request: Access-Request for USER_NAME from IP:PORT through NAS:AccessNode Request ID: REQUEST_ID Session ID: SESSION_ID
3. Radius response: Authentication Acknowledged User-Name: USER_NAME, Request ID: REQUEST_ID Session ID: SESSION_ID
4. User USER_NAME authenticated with token TOKENNUMBER Session ID: SESSION_ID
5. Radius response: Access-Challenge User-Name: USER_NAME Request ID: 5 Session ID: SESSION_ID
6. Requesting response USER_NAME
7. Info: User USER_NAME found as user CN=USER NAME,OU=Windows 7,OU=Users,OU=ORGANIZATION_UNIT,OU=WHERE,DC=COUNTRY,DC=DOMAIN,DC=local Session ID: SESSION_ID
**What I need are Fields like this to enable proper filtering and search possibilities:**
Timestamp (Oct 2 15:54:11 OR Oct 12 15:54:11)
IP (x.x.x.x)
EventTime (Oct 2 15:54:11 OR Oct 12 15:54:11)
ServerName (SERVER_NAME)
Type (Radius Request, Radius request, Radius response, authenticated, Requesting response, Info)
Message (covering additional information)
UserName (USER_NAME)
RequestID (REQUEST_ID)
SessionID (SESSION_ID)
**Here are the regex that work for individual lines:**
1. Radius Request from IP:
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+) (?.*) (?\d+.\d+.\d+.\d+):(?\d+) Request ID: (?\w+)
```
2. Radius request: Access-Request
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+): (?\w+-\w+) \w+ (?\w+) \w+ (?\d+.\d+.\d+.\d+):(?\d+) through (?\w+:\w+) Request ID: (?\w+) Session ID: (?\w+)
```
3. Radius Response:
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+): (?\w+ \w+) User-Name: (?\w+), Request ID: (?\w+) Session ID: (?\w+)
```
4. User Authenticated:
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):User (?\w+) (?\w+) (?\w+ \w+ \w+) Session ID: (?\w+)
```
5. Radius response: Access-Challenge
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+): (?\w+-\w+) User-Name: (?\w+) Request ID: (?\w+) Session ID: (?\w+)
```
6. Requesting response
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+ \w+) (?\w+)
```
7. Info: User ...
```
(?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\d+\.\d+\.\d+\.\d+) (?[A-Z][a-z][a-z]( \w+| \w) \d+:\d+:\d+) (?\w+) (?\w+):(?\w+): User (?\w+) (?.*) Session ID: (?\w+)
```
**Questions:**
Is there a way to combine all 7(+ one that covers all) REGEX statements in one extraction? If so, what would it look like?
What would be your way to configure this kind of input?
Do I need to follow an order so one REGEX doesn't cover others by accident?
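One way to structure the extraction the post asks about, as an added example that is not part of the original post or any Graylog extractor: a single regex for the shared prefix, then one anchored pattern per message type tried in a fixed order. Python's `(?P<name>...)` groups stand in for the `(?<name>...)` syntax the post's regexes use; the field names follow the post's list, while `Source`, `Subtype`, `ClientIP`, `ClientPort`, `NAS`, `Token`, `DN` and all sample values are assumptions.

```python
import re
# Stage 1: the prefix every line shares (syslog timestamp, relay IP, event time,
# hostname, source). Python needs (?P<name>...); Graylog/Java regex uses (?<name>...).
PREFIX = re.compile(
    r"^(?P<Timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<IP>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<EventTime>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ServerName>\S+) (?P<Source>\S+):(?P<Message>.*)$")
# Stage 2: one anchored pattern per message type, paired with the Type value to emit.
# They are tried top to bottom, so a loose pattern (no ^...$, like the post's #6) must
# come last or it claims messages a more specific pattern should have handled.
MESSAGE_PATTERNS = [
    ("Info", re.compile(r"^Info: User (?P<UserName>\S+) found as user (?P<DN>.+) Session ID: (?P<SessionID>\S+)$")),
    ("Radius request", re.compile(
        r"^Radius request: (?P<Subtype>\S+) for (?P<UserName>\S+) from (?P<ClientIP>[\d.]+):(?P<ClientPort>\d+)"
        r" through (?P<NAS>\S+) Request ID: (?P<RequestID>\S+) Session ID: (?P<SessionID>\S+)$")),
    ("Radius response", re.compile(
        r"^Radius response: (?P<Subtype>.+?) User-Name: (?P<UserName>[^,\s]+),?"
        r" Request ID: (?P<RequestID>\S+) Session ID: (?P<SessionID>\S+)$")),
    ("Radius Request", re.compile(r"^Radius Request from (?P<ClientIP>[\d.]+):(?P<ClientPort>\d+) Request ID: (?P<RequestID>\S+)$")),
    ("authenticated", re.compile(r"^User (?P<UserName>\S+) authenticated with token (?P<Token>\S+) Session ID: (?P<SessionID>\S+)$")),
    ("Requesting response", re.compile(r"^Requesting response (?P<UserName>\S+)$")),
]

def parse(line):
    """Extract fields from one line; returns {} when the common prefix does not match."""
    m = PREFIX.match(line)
    if not m:
        return {}
    fields = m.groupdict()
    fields["Message"] = body = fields["Message"].strip()
    for type_name, pattern in MESSAGE_PATTERNS:
        mm = pattern.match(body)
        if mm:
            fields["Type"] = type_name
            fields.update(mm.groupdict())
            return fields
    fields["Type"] = "unknown"  # unrecognised body: keep the raw Message so it stays searchable
    return fields

# Constructed sample lines in the post's format (hostnames, IPs and IDs are made up).
PREFIX_TEXT = "Oct 12 15:54:14 10.0.0.5 Oct 12 15:54:14 defender01 DefenderSvc: "
SAMPLE_LINES = [
    PREFIX_TEXT + "Radius Request from 10.0.0.9:1812 Request ID: 42",
    PREFIX_TEXT + "Radius request: Access-Request for jdoe from 10.0.0.9:1812 through NAS:AccessNode Request ID: 42 Session ID: abc123",
    PREFIX_TEXT + "Radius response: Authentication Acknowledged User-Name: jdoe, Request ID: 42 Session ID: abc123",
    PREFIX_TEXT + "User jdoe authenticated with token 123456 Session ID: abc123",
    PREFIX_TEXT + "Radius response: Access-Challenge User-Name: jdoe Request ID: 5 Session ID: abc123",
    PREFIX_TEXT + "Requesting response jdoe",
    PREFIX_TEXT + "Info: User jdoe found as user CN=John Doe,OU=Windows 7,OU=Users,DC=example,DC=local Session ID: abc123",
]
```

Lines whose body matches none of the patterns still get the prefix fields and Type `unknown`, so a new message format shows up in searches instead of being silently dropped.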