topic Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses? in All Apps and Add-ons

TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy — Mon, 13 Jul 2015 13:02:41 GMT

For me I found that the TA_pfsense searches for openVPN connections was not returning all the VPN user log entries..

I discovered that it works just fine with a username, however some of my usernames are their e-mail addresses so contain @-. which were not part of the REGEX..

here's my updated REGEX entry "transforms.conf" file:

[openvpn_auth_ok]
CLEAN_KEYS = 0
FORMAT = user::$1 src::$2 vendor_action::$3
REGEX = :\s+([\w\@\-\.]+)/([^:]+):\d+\s+(MULTI_sva)

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

jeffland — Mon, 13 Jul 2015 13:28:21 GMT

Pretty sure that as it is, the markup messed up your regex. Please format it as code.

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy — Mon, 13 Jul 2015 13:36:38 GMT

Sorry about that.. just pasting quickly... \w only matches on A-Za-z0-9, so misses the '@', '-', '.' which can be seen in e-mails..

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

jeffland — Mon, 13 Jul 2015 13:59:47 GMT

Thats better. Thanks for sharing 🙂

Now, from what I've seen usernames can usually contain any non-whitespace characters, so maybe \S is easier than giving a long, explicit list of allowed characters.

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy — Mon, 13 Jul 2015 14:17:13 GMT

Yup that's much better! 🙂

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy — Mon, 13 Jul 2015 14:18:27 GMT

BTW.. https://regex101.com is a great site to test out your REGEX

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

jeffland — Mon, 13 Jul 2015 14:22:18 GMT

That's what I always recommend as well.

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

ppablo — Tue, 14 Jul 2015 00:07:18 GMT

Hi @FireESplunkGuy

Did you create this post to share the solution that worked for you, or did you actually have a question you needed help with? If you were just posting this out of the kindness of your heart, don't forget to actually post the official answer in the "Enter your answer here..." box at the bottom of this page and click "Accept" on the answer after it has been posted. That will show the post as actually resolved and can prove useful to other users when searching this site. Once you do that, I'll be sure to upvote it 😉 Thanks!

Patrick

Re: TA-pfsense: How to update the transforms.conf regex to parse openVPN logs where the usernames are email addresses?

FireESplunkGuy — Tue, 14 Jul 2015 07:25:15 GMT

So just to follow up...

changing the \ w to a \ S allows for much cleaner username capture and covers usernames which might be e-mail addresses.

 [openvpn_auth_ok]
 CLEAN_KEYS = 0
 FORMAT = user::$1 src::$2 vendor_action::$3
 REGEX = :\s+(\S+):\d+\s+(MULTI_sva)