Regex for syslog User-ID not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Regex for syslog User-ID not working

L4 Transporter

Hi team,

 

We have the (Cisco & Ruckus) Wireless controllers forwarding SYSLOGS to the User-ID agent running on Windows 2012 server.

 

We want to use these syslog messages to create user-ip mappings. We tried with several different regex patterns but not having any luck. The UIA keeps showing the log as “- is not a valid IP”. I checked the regex matching at regex101.com as well and it seems to match there.

 

Sample logs:

 

*Dot1x_NW_MsgTask_6: Apr 20 14:08:01.947: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:28:5a:eb:44:d3:7e Base Radio MAC:58:97:bd:07:ca:30 Slot:0 User Name:jsimonson Ip Address:10.12.26.42 SSID:PSL-Main

*Dot1x_NW_MsgTask_2: Apr 20 14:08:01.855: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:bc:54:36:e8:76:c2 Base Radio MAC:18:8b:9d:c6:2e:d0 Slot:0 User Name:cmercer Ip Address:10.8.26.57 SSID:PSL-Main

*Dot1x_NW_MsgTask_2: Apr 20 14:08:01.855: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:bc:54:36:e8:76:c2 Base Radio MAC:18:8b:9d:c6:2e:d0 Slot:0 User Name:cmercer Ip Address:10.8.26.57 SSID:PSL-Main

*Dot1x_NW_MsgTask_7: Apr 18 09:29:15.861: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:c8:1e:e7:8b:d5:8f Base Radio MAC:18:8b:9d:f5:08:40 Slot:1 User Name:deanl Ip Address:10.8.26.55 SSID:PSL-Main

 

Regex filters we tried:

 

Event Regex: (Client\ Authenticated):{1} 
Username Regex: User\ Name:([a-zA-Z0-9.:]+|.+?(@)) 
Address Regex: Ip\ Address:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) 

 

Any advice/suggestion would be highly appreciated.

 

 

Thanks and Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
2 REPLIES 2

L7 Applicator

Hi Anurag

 

Are these log messages spitted into two lines or is this carriage return/new line added because of copy&past from your logs into live community?

If these are two lines in your logs: did you try "(Slot:{d}){1}" for event regex?

 

It all is on one line: try to simplify the regex string for the IP address to test. 

As you said your existing ip regex string looks absolutely correct - may be a bug?

 

Regards,

Remo

@Remo

 

I should have updated this. I resolved the issue. The regex we used were fine, the UIA wasn't. We tested and the same regex worked on Agentless, then upgraded the UIA and it worked there too. Turned out 7.x UIA wasn't working correctly in regard to Syslog parsing.

 

Thanks for your suggestion anyway 🙂

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
  • 3411 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!