Need a little help with a syslog regex

L0 Member

I am trying to get the regex for a syslog feed from my mail server right but am having problems. Here is a sample of the log feed:

[01/Mar/2016 10:51:13] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:14] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:14] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:15] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:15] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:16] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:17] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:17] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:18] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:19] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:19] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:20] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:22] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:23] HTTP/CalDav: User rwhite@fphorak.com authenticated from IP address 192.168.2.175; Mac+OS+X/10.10.5 (14F1505) CalendarAgent/316.1
[01/Mar/2016 10:51:23] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0

I can see the log feeds are arriving correctly, but the regexes that I have tried so far are not identifying that the entry is a successful authentication. I am simply searching for "authenticated", so it would seem to be very simple. The patterns for the user and the IP address are mostly taken from the "User ID integration with Syslog" tech doc. Searching with the patterns in a text editor is successful. Any insight as to where I am going wrong would be very welcome! This is driving me nuts!

L5 Sessionator

Re: Need a little help with a syslog regex

Hello,

Per the KB article, and if I remember correctly, you could try Field Identifiers something like:

Event String: HTTP/WebDav:

Username Prefix: User\s

Username Delimiter: \s

Address Prefix: address\s

Address Delimiter: ;

Try replacing \s with #011 or a blank space if the above delimiter doesn't work. The \s delimiter should work in the case of such a configuration on the firewall; for the User-ID Agent you should use a blank space instead (as explained in the above-linked article). I also used WebDav for the Event String; I am not sure which one works better for you, and maybe you still need to use a regex to match something like "HTTP/WebDav ...... dataaccessd/1.0" or whatever to single out just a proper logon string. In the worst case, try replacing your characters with hex values.

If my example doesn't work out and you still have lots of struggle, can you explain/copy the example you were trying with? I've set a watch on the topic; I'll test it.

Best regards,

Luciano
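As an added worked example (not code from either post, nor from Palo Alto Networks), the Python below runs the Field Identifier values suggested in the reply against the sample lines from the question, emulating the prefix/delimiter approach as one regex, and beside it shows a single explicit regex that covers both the WebDav and CalDav lines. The first three log lines are copied from the thread; the fourth is a constructed "authentication failed" line with hypothetical wording (the real server's failure message is not on the page) that illustrates the caveat Luciano raises: if the Event String only names the service (`HTTP/WebDav:`), a failed attempt with the same prefixes also produces a user-to-IP mapping, so the success phrase itself ("authenticated from IP address") is the safer anchor. The function and variable names are my own.

```python
import re

# Log lines taken from the thread's sample (first three) plus one constructed
# "authentication failed" line that is NOT in the original post, added to show
# why the match must be anchored on the success event, not only on the service.
SAMPLE_LOG = [
    "[01/Mar/2016 10:51:13] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)",
    "[01/Mar/2016 10:51:14] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0",
    "[01/Mar/2016 10:51:23] HTTP/CalDav: User rwhite@fphorak.com authenticated from IP address 192.168.2.175; Mac+OS+X/10.10.5 (14F1505) CalendarAgent/316.1",
    # constructed negative case (hypothetical wording, not from the mail server's real logs)
    "[01/Mar/2016 10:51:30] HTTP/WebDav: User aweidner@fphorak.com authentication failed from IP address 192.168.2.155; Mail/2104",
]


def field_identifier_regex(event_string, user_prefix, user_delim, addr_prefix, addr_delim):
    """Build one regex that mimics the prefix/delimiter Field Identifier approach
    from the reply: the event string must occur somewhere in the line, the
    username is the text between its prefix and delimiter, the address likewise.
    The event string is treated as a literal; prefix/delimiter values are regex
    fragments, so a '\\s' keeps its meaning exactly as in the reply."""
    return re.compile(
        r"^(?=.*" + re.escape(event_string) + r")"
        r".*?" + user_prefix + r"(?P<user>.*?)" + user_delim
        + r".*?" + addr_prefix + r"(?P<ip>.*?)" + addr_delim
    )


def parse_with_field_identifiers(lines, event_string="HTTP/WebDav:",
                                 user_prefix=r"User\s", user_delim=r"\s",
                                 addr_prefix=r"address\s", addr_delim=";"):
    """Return (user, ip) tuples for every line the field identifiers match.
    The defaults are the values suggested in the reply."""
    rx = field_identifier_regex(event_string, user_prefix, user_delim,
                                addr_prefix, addr_delim)
    matches = []
    for line in lines:
        m = rx.search(line)
        if m:
            matches.append((m.group("user"), m.group("ip")))
    return matches


# One explicit regex covering both WebDav and CalDav successes. Requiring the
# literal "authenticated from IP address" is what rules out non-success lines;
# the trailing ";" is the same address delimiter the reply proposes.
AUTH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+HTTP/(?P<service>WebDav|CalDav):\s+"
    r"User\s+(?P<user>\S+)\s+authenticated from IP address\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3});"
)


def parse_successful_logins(lines):
    """Return one dict (ts, service, user, ip) per successful authentication line."""
    return [m.groupdict() for m in map(AUTH_RE.match, lines) if m]


def ip_to_user(lines):
    """Collapse successes into the IP -> user mapping that User-ID ultimately
    needs; the latest line seen for an address wins."""
    return {e["ip"]: e["user"] for e in parse_successful_logins(lines)}


if __name__ == "__main__":
    # Service-only event string: the constructed failure line is mapped too.
    print(parse_with_field_identifiers(SAMPLE_LOG))
    # Success phrase as event string: only real logons, across both services.
    print(parse_with_field_identifiers(SAMPLE_LOG, event_string="authenticated from IP address"))
    for ip, user in ip_to_user(SAMPLE_LOG).items():
        print(f"{ip:>15} -> {user}")
```

Running it shows the two behaviours side by side: with `HTTP/WebDav:` as the event string the constructed failure line yields a mapping for 192.168.2.155 just like the genuine logon does, while either the success phrase as event string or the explicit `AUTH_RE` maps only the three authenticated users. Whichever form is pasted into the firewall or agent filter, checking it against a failure line as well as success lines is the test that a plain search for "authenticated" in a text editor does not give you.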
