topic Re: Regex evaluating new line carriage ? in Automation/API Discussions

Regex evaluating new line carriage ?

smalayappan — Sat, 14 Mar 2015 01:08:17 GMT

I have a Splunk server that logs all Acitve Directory authentication events on my network. I have set up a syslog feed from the Splunk server to the Palo Alto. On the Palo Alto, I have created a syslog filter and added the Splunk as a User-ID syslog server.

The problem I have is that Splunk sends each logon event as a single syslog entry which contains carriage returns and new lines (\r and \n). From what I can tell, the Palo Alto to expects to receive each user/IP pair in a single line. This means that I cannot parse the syslog to extract the info as user ID and IP are on different lines within a single syslog entry. Any thoughts on this will be of much assistance to me

Thank you. Ram.

Re: Regex evaluating new line carriage ?

pulukas — Tue, 17 Mar 2015 20:23:03 GMT

Can you show a sample log entry that will be parsed?

I assume you have seen these general instructions on how to create the parser for syslog here. Are the new line CR used as delimiters for a particular field?

How to Configure a Custom Syslog Sender and Test User Mappings

Re: Regex evaluating new line carriage ?

smalayappan — Tue, 17 Mar 2015 21:37:55 GMT

Hi Steven, Thank you for helping me on this query, I have followed the document and still no success. I also tried \n or \s for a new line carriage. The case no# 301775 is for your reference, the attached pcap file is the actual output from the customer.

Re: Regex evaluating new line carriage ?

pulukas — Wed, 18 Mar 2015 10:20:37 GMT

Glad to hear you have a support engineer working the case. I'm just a PA customer, so I don't have access that system. But I'm sure if support has a pcap of the logs a good parser will be coming shortly.

And support for Splunk in user-id will be a big win.