This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Need a little help with a syslog regex

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Need a little help with a syslog regex

FPHorakIT
L0 Member

‎03-02-2016 05:58 AM

I am trying to get the regex for a syslog feed from my mail server right but am having problems. Here is a sample of the log feed:

[01/Mar/2016 10:51:13] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:14] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:14] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:15] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:15] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:16] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:17] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:17] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:18] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:19] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:19] HTTP/WebDav: User aweidner@fphorak.com authenticated from IP address 192.168.2.155; Mail/2104 CFNetwork/720.5.7 Darwin/14.5.0 (x86_64)
[01/Mar/2016 10:51:20] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:22] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0
[01/Mar/2016 10:51:23] HTTP/CalDav: User rwhite@fphorak.com authenticated from IP address 192.168.2.175; Mac+OS+X/10.10.5 (14F1505) CalendarAgent/316.1
[01/Mar/2016 10:51:23] HTTP/CalDav: User mjeffrey@fphorak.com authenticated from IP address 70.194.5.126; target mailbox: mjeffrey@fphorak.com; iOS/9.2.1 (13D15) dataaccessd/1.0

 

I can see the log feed are arriving correctly but the regex that I am trying so far are not identifying that the entry is a successful authentication. I am simply searching for "authenticated" so it would seem to be very simple. The patterns for the user and the ip address are mostly taken from the "User ID integration with Syslog" tech doc. Searching using the patterens in a text editor are successful. Any insight as to where I am going wrong would be very welcome! This is driving me nuts!

0 Likes Likes
1 REPLY 1

Lucky
L5 Sessionator

‎03-02-2016 01:52 PM

Hello,

 

per article in KB and if I remember well, you could try with Field Identifiers of something like:

Event String: HTTP/WebDav:

Username Prefix: User\s

Username Delimiter: \s

Address Prefix: address\s

Address Delimiter: ;

 

Try to replace \s with #011 or blank space if above delimiter doesn't work. Delimiter \s should work in the case of such configuration on firewall, for UserID Agent you should use blank space instead (as explained in above linked article). I also used WebDav for Event string, I am not sure which one works better for you, maybe you still need to use regex to match something like "HTTP/WebDav ...... dataaccessd/1.0" or whatever to single out just a proper logon string. In the worst case, try to replace your characters with hex values.

 

If my example doesn't work out and you still have lots of struggle, can you explain/copy the example you were trying with? I've set a watch on the topic, I'll test it.

 

Best regards,

Luciano

0 Likes Likes
  • 1902 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks