Hi All,
I wish to create a regex that should work with multiple log formats,
using 2 types of log format.
1)
log format:
5 auth_mechanism: SSO_ISE auth group
[syslog_pass1]
regex =(?P\s+[(\S+)])(?P(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1 cust_field::$2
2)
In the second log format, one new field (proxy_id) is added in between user_agent and cust_field.
Log Format:
5 3 auth_mechanism: SSO_ISE auth group
[syslog_pass2]
regex =(?P\s+[(\S+)])(?P\s+[(\S+)])(?P(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1 proxy_id::$2 cust_field::$3
We wrote 2 regexes for the different log formats, but field extraction is not happening properly.
If the log comes in this log format: 5 auth_mechanism: SSO_ISE, I am getting the field value for user_agent as 5, proxy_id as a, and cust_field as auth_mechanism: SSO_ISE.
How do I correct the regex to get the correct field values?
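
An added example, not part of the original post: taking the second pattern as it appears above (group names from its FORMAT line), it shows that `[(\S+)]` is a character class matching a single character, which is how proxy_id can come out as `a`, and then one pattern with an optional proxy_id that handles both layouts. The sample lines, the leading `host` token, and the assumption that user_agent and proxy_id are numeric are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the two formats in the post. The leading
# "host" token is an assumption so that the first \s+ has whitespace to match.
LINE_FMT1 = 'host 5 auth_mechanism: SSO_ISE auth group'
LINE_FMT2 = 'host 5 3 auth_mechanism: SSO_ISE auth group'

# Second stanza's pattern as posted, with group names taken from its FORMAT line.
# [(\S+)] is a character class: it matches exactly ONE character, not a token.
POSTED = re.compile(
    r'(?P<user_agent>\s+[(\S+)])(?P<proxy_id>\s+[(\S+)])'
    r'(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)')

# One pattern for both layouts (assumes numeric user_agent and proxy_id):
# proxy_id is optional and only matches when a second number is present.
COMBINED = re.compile(
    r'\s+(?P<user_agent>\d+)'
    r'(?:\s+(?P<proxy_id>\d+))?'
    r'\s+"?(?P<cust_field>[^"]+)')


def extract(pattern, line):
    """Return the named fields as a dict, or None when the pattern does not match."""
    m = pattern.search(line)
    if m is None:
        return None
    # Strip captured whitespace; empty or unmatched groups become None.
    return {k: (v.strip() if v else None) for k, v in m.groupdict().items()}


if __name__ == '__main__':
    for name, pattern in (('posted', POSTED), ('combined', COMBINED)):
        for line in (LINE_FMT1, LINE_FMT2):
            print(f'{name:8} {line!r} -> {extract(pattern, line)}')
```
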