Kaspersky logs contain "\r\n" in the log text. Can I write a regex to treat it as a new line? Below is the sample log.
Mar xx 1xx:xx:xx 1xx.xxx.x0.xx0 CEF:0|KasperskyLab|SecurityCenter|10.5.1781|GNRL_EV_xxxx_ARCHxxE_xxxx|Password-protected archive detected|1|msg=Result: Password-protected\r\nUser: SxxxA\xxr_sales (Active user)\r\nObject: F:\xxup 1342xx\Dxxs\BACK UP\install_flx.exe/_js/language-tr.js\r\n rt=xxx0 dhost=Rxxxx dst=1x2.1x8.xx5.xx cs2=KES cs2Label=ProductName cs3=11.0.0.0 cs3Label=ProductVersion filePath=F:\xxup 1342xx\Dxxs\BACK UP\install_flx.exe/_js/language-tr duser=Sss\ss_sales
Firstly, can I utilize "\r \n an ", and secondly, how can I write a regex to assign field names?
Replacing the \r\n in the msg field can be done like this:
| rex mode=sed field=msg "s/\\\r\\\n/\\r\\n/g"
Including your sample:
| makeresults
| eval msg="Result: Password-protected\r\nUser: SxxxA\\xxr_sales (Active user)\r\nObject: F:\\xxup 1342xx\\Dxxs\\BACK UP\\install_flx.exe/_js/language-tr.js\r\n"
| rex mode=sed field=msg "s/\\\r\\\n/\\r\\n/g"
You can match carriage return/new line like so: [\r\n]+
Also note that \s+ will also match new lines.
Since this looks like a CEF format event, I would use regexes like the ones here: https://github.com/automine/TA-cef_template/blob/master/default/transforms.conf
There is also a CEF app on Splunkbase that might work for you.
Hi,
I downloaded the CEF app. There are two transform parameters in props.conf.
The first one starts with "CEF" and ends at "Mar xx 1xx:xx:xx 1xx.xxx.x0.xx0 CEF:0|KasperskyLab|SecurityCenter|10.5.1781|GNRL_EV_xxxx_ARCHxxE_xxxx|Password-protected archive detected|1".
So I tried to continue onward, but I got stuck after that because the values are variable.
So please confirm whether the second transform deals with the remaining message.
If not, then how can I add the remaining fields under the same regex?
I remember that someone advised me that we can skip specific fields or words, and that the regex used {}, but I am unable to find that.
The post https://answers.splunk.com/answers/607697/cef-logs-parsing-for-enterprise-security.html is relevant to my question.
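As an added, runnable example (not from the original thread, the TA-cef_template transforms, or the Splunkbase CEF app), here is a Python parser that does what the CEF answer and the follow-up comment are asking for: one regex for the pipe-delimited CEF header, one for the key=value extension, and a split of the msg value on the literal \r\n markers into msg_result, msg_user and msg_object sub-fields. It also turns the literal markers into real CR LF, which is what the rex mode=sed answer does. The field names (device_vendor, signature_id, msg_* and so on) are my choice, not Kaspersky's or Splunk's; the sample line is the redacted one from the question, embedded as constructed input.

```python
import re

# Sample event copied from the question above (the poster redacted values with "x").
# The "\r\n" sequences are the literal two characters backslash-r / backslash-n that
# Kaspersky writes into the msg value, not real line breaks (raw strings keep them).
SAMPLE = (
    r"Mar xx 1xx:xx:xx 1xx.xxx.x0.xx0 CEF:0|KasperskyLab|SecurityCenter|10.5.1781|"
    r"GNRL_EV_xxxx_ARCHxxE_xxxx|Password-protected archive detected|1|"
    r"msg=Result: Password-protected\r\nUser: SxxxA\xxr_sales (Active user)\r\n"
    r"Object: F:\xxup 1342xx\Dxxs\BACK UP\install_flx.exe/_js/language-tr.js\r\n "
    r"rt=xxx0 dhost=Rxxxx dst=1x2.1x8.xx5.xx cs2=KES cs2Label=ProductName "
    r"cs3=11.0.0.0 cs3Label=ProductVersion "
    r"filePath=F:\xxup 1342xx\Dxxs\BACK UP\install_flx.exe/_js/language-tr duser=Sss\ss_sales"
)

# A CEF header field runs up to the next unescaped "|" (the spec escapes a pipe as "\|").
_HDR_FIELD = r"(?:\\.|[^|\\])*"
_HEADER_NAMES = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
CEF_HEADER_RE = re.compile(
    r"^(?P<syslog_prefix>.*?)CEF:(?P<cef_version>\d+)\|"
    + r"\|".join(r"(?P<%s>%s)" % (n, _HDR_FIELD) for n in _HEADER_NAMES)
    + r"\|(?P<extension>.*)$"
)

# Extension key=value pairs. A value runs until the next "<space>key=" or end of
# line, so spaces, backslashes and the literal \r\n markers stay inside the value
# they belong to. A spec-escaped "\=" inside a value does not start a new key.
CEF_EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|$)")

LITERAL_CRLF = "\\r\\n"  # backslash, r, backslash, n: four characters, as in the raw log


def unescape_crlf(value):
    """Turn the literal \\r\\n markers into real CR LF (what the sed answer does)."""
    return value.replace(LITERAL_CRLF, "\r\n")


def split_msg(msg):
    """Split the msg value on the literal \\r\\n markers and turn each
    "Name: value" line into a msg_<name> field (field names are my convention)."""
    fields = {}
    for part in msg.split(LITERAL_CRLF):
        part = part.strip()
        if not part:
            continue  # the trailing marker leaves an empty piece
        name, sep, value = part.partition(": ")
        if sep:
            fields["msg_" + name.strip().lower().replace(" ", "_")] = value.strip()
    return fields


def parse_cef(line):
    """Return a flat dict: CEF header fields, extension fields and msg_* sub-fields."""
    m = CEF_HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF event: %r" % line[:60])
    event = m.groupdict()
    extension = event.pop("extension")
    for kv in CEF_EXT_RE.finditer(extension):
        event[kv.group("key")] = kv.group("value")
    if "msg" in event:
        event.update(split_msg(event["msg"]))
    return event


if __name__ == "__main__":
    for key, value in sorted(parse_cef(SAMPLE).items()):
        print("%-16s %s" % (key, value))
```

The same two patterns carry over to Splunk rex with named groups, and the extension regex is the part the follow-up is missing: it does not need one group per field, because every key=value pair is extracted by the one repeated match. The caveat is the value boundary: a value is assumed to end at whitespace followed by an identifier and "=", so a free-text value containing "word=" after a space would be split there; CEF's own "\=" escape is the way a sender is supposed to avoid that.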