topic Re: How can I change hostname in log files? in Getting Data In

How can I change hostname in log files?

riqbal — Sun, 12 Aug 2018 11:26:37 GMT

I am trying to change the host name. the name is from the log files.

Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:

the host name is always before ASM:

I tried to change it through transforms.conf but host name is not changing.below is my transforms.conf file
transforms.conf

[host_name]
SOURCE_KEY = _raw
REGEX = \s(\w+.\w+.\w+.\w+) ASM:$
FORMAT = host::$1
DEST_KEY =  MetaData:Host

props.conf

[f5xxx]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
TIME_PREFIX = x0x.xx.x.xx
category = Custom
pulldown_type = true
TRANSFORMS-register = host_name

How can I change the hostname?
Secondly, if there is a problem in my regex, how can I identify that there is a problem? Any clue from log file?

Re: How can I change hostname in log files?

martin_mueller — Sun, 12 Aug 2018 11:49:09 GMT

Does your log event end with ASM:? If not, remove the dollar sign from the regex as that would stop the regex from matching.

Side note 1, to match literal dots use \. instead of . that matches any character.
Side note 2, you're constricting your host names to four levels / three dots - you probably want to match any non-space hostname by using \S+.
Side note 3, anchoring your regex on ASM: after your variable part is really bad for performance. After getting the hostname change to work, consider anchoring the regex at the beginning of the string, skipping over date-ip-date and then matching the next non-space part as the hostname.

Re: How can I change hostname in log files?

riqbal — Tue, 29 Sep 2020 20:50:59 GMT

Hi Martin,

I am stuck at side note 3:
my complete event is below:

Sep 20 11:13:18 1x.xx.xx.1xx0 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","xxxx4520",,"GET /Content/Images/ixx_logo01_module02.gif HTTP/1.1\r\nHost: www.xxxxk.com\r\nUser-Agent: sxx/1.0x6264944] UP.

Please advise.

Re: How can I change hostname in log files?

martin_mueller — Sun, 12 Aug 2018 12:51:29 GMT

So... your hostname replacement is working now? All side notes don't contribute to correctness, tackle them after getting the hostname change to work as I've said in the side notes.

Your complete event says my initial guess was accurate, your event doesn't end with ASM:. Remove the dollar sign.

Re: How can I change hostname in log files?

riqbal — Sun, 12 Aug 2018 13:04:24 GMT

yet not successfull.

My regex is folowing:

\s(\S+) ASM:

ASM: is not a part of hostname.
hostname is "ac.dc1.buttercomom.com "
can you please write down the complete transforms.conf file includeing regex. I am missing something

Re: How can I change hostname in log files?

493669 — Sun, 12 Aug 2018 13:28:17 GMT

As per @martin_mueller comment can you try below:
transforms.conf

[host_name]
REGEX = ^.{44}(\S+)\sASM
FORMAT = host::$1
DEST_KEY = MetaData:Host

here I am escaping first 44 character(timestamp) and then matching for host name

Re: How can I change hostname in log files?

serjandrosov — Sun, 12 Aug 2018 20:01:50 GMT

\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)

It looks not elegant but it takes only 26 steps and backward matching safe.
https://regex101.com/r/1xLXd0/2