
regex for kaspersky logs

rashid47010
Communicator

Kaspersky logs contain "\r\n" in the log text. How can I write a regex that treats it as a new line? Below is the sample log.

Mar xx 1xx:xx:xx 1xx.xxx.x0.xx0 CEF:0|KasperskyLab|SecurityCenter|10.5.1781|GNRL_EV_xxxx_ARCHxxE_xxxx|Password-protected archive detected|1|msg=Result: Password-protected\r\nUser: SxxxA\xxr_sales (Active user)\r\nObject: F:\xxup 1342xx\Dxxs\BACK UP\install_flx.exe/_js/language-tr.js\r\n rt=xxx0 dhost=Rxxxx dst=1x2.1x8.xx5.xx cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion filePath=F:\xxup 1342xx\Dxxs\BACK UP\install_flx.exe/_js/language-tr duser=Sss\ss_sales

Firstly, can I utilize "\r \n an ", and secondly, how can I write a regex to assign field names?


FrankVl
Ultra Champion

Replacing the \r\n in the msg field can be done like this:

 | rex mode=sed field=msg "s/\\\r\\\n/\\r\\n/g"

Including your sample:

| makeresults 
| eval msg="Result: Password-protected\r\nUser: SxxxA\\xxr_sales (Active user)\r\nObject: F:\\xxup 1342xx\\Dxxs\\BACK UP\\install_flx.exe/_js/language-tr.js\r\n"
| rex mode=sed field=msg "s/\\\r\\\n/\\r\\n/g"

chrisyounger
SplunkTrust

You can match carriage return/new line like so: [\r\n]+ . Also note that \s+ will match new lines as well.

Since this looks like a CEF format event, I would use a regex like these ones: https://github.com/automine/TA-cef_template/blob/master/default/transforms.conf

There is also a CEF app on Splunkbase that might work for you

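Added example, not code from this thread, the CEF app, or Kaspersky: a small Python parser for a line shaped like the sample in the question, covering both answers' points at once. It treats the literal \r\n as what CEF defines it to be, the escape for a line break inside an extension value, and assigns names to the header and key=value fields. The sample line, and every host, user and path in it, is a constructed placeholder.

```python
import re
# Constructed sample modeled on the Kaspersky SecurityCenter line in the question;
# hosts, users and paths are placeholders, not values from the thread.
SAMPLE = (
    r"Mar 12 10:11:12 10.0.0.10 CEF:0|KasperskyLab|SecurityCenter|10.5.1781|"
    r"GNRL_EV_ARCH|Password-protected archive detected|1|"
    r"msg=Result: Password-protected\r\nUser: DOMAIN\user_sales (Active user)\r\n"
    r"Object: F:\backup 1342\Docs\BACK UP\install_flx.exe/_js/language-tr.js\r\n "
    r"rt=1700000000000 dhost=HOST1 dst=192.0.2.5 cs2=KES cs2Label=ProductName "
    r"cs3=11.0.0.0 cs3Label=ProductVersion "
    r"filePath=F:\backup 1342\Docs\BACK UP\install_flx.exe/_js/language-tr duser=DOMAIN\user_sales"
)
HEADER = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
# An extension key is a bare token followed by '=' at the start or after whitespace;
# a value runs up to the next such key, so the spaces inside the paths survive.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def unescape_ext(value):
    # CEF encodes line breaks inside extension values as the two characters \r and \n
    # (hence the literal "\r\n" in the Kaspersky msg); \= and \\ are escapes as well.
    # Kaspersky leaves Windows path backslashes unescaped, so a path segment that
    # starts with r or n is ambiguous and would also become a line break here.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "rn=\\":
            out.append({"r": "\r", "n": "\n"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_cef(line):
    # Drop the syslog prefix, split the seven pipe-delimited header fields (\| is a
    # literal pipe), then walk the extension key=value pairs.
    _, _, body = line.partition("CEF:")
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER, (p.replace(r"\|", "|") for p in parts[:7])))
    keys = list(EXT_KEY.finditer(parts[7]))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(parts[7])
        event[m.group(1)] = unescape_ext(parts[7][m.end():end].strip())
    return event

def split_msg(msg):
    # Kaspersky packs several "Label: value" lines into msg; expose each as its own field.
    return {ln.partition(":")[0].strip().lower(): ln.partition(":")[2].strip()
            for ln in msg.splitlines() if ":" in ln}
```

The same two steps map onto Splunk as a header/extension transform for the field names and an EVAL- or rex-based split of msg, which is what the linked CEF transforms do for the first part.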

rashid47010
Communicator

Hi,

I downloaded the CEF app. There are two transform parameters in props.conf.
The first one starts with "CEF and ends at Mar xx 1xx:xx:xx 1xx.xxx.x0.xx0 CEF:0|KasperskyLab|SecurityCenter|10.5.1781|GNRL_EV_xxxx_ARCHxxE_xxxx|Password-protected archive detected|1 ",
so I tried to continue onward, but I got stuck after that because the values are variable.

So please confirm that the second transform is dealing with the remaining message?
If NOT, then
how can I add the remaining fields under the same regex?


rashid47010
Communicator

I remember that someone advised me that we can skip a specific field or the words, and the regex was with {}.

But I am unable to find that.
