The syslog messages we receive from the firewall have multiple formats. A limited sample is listed below:
Apr 30 15:26:20 188.8.131.52 %ASA-4-313004: Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 184.108.40.206: no matching session
Apr 29 13:39:31 220.127.116.11 %ASA-6-605004: Login denied from 18.104.22.168/63508 to inside:22.214.171.124/ssh for user "dstrollo"
Apr 28 13:58:47 126.96.36.199 %ASA-3-710003: TCP access denied by ACL from 188.8.131.52/48986 to Internet:184.108.40.206/23
Our requirement is to be able to extract all the fields in these messages for our analysts.
My question is whether the configuration below will work. If it doesn't, it may mess up the existing index. Any advice will be much appreciated.
In props.conf, I set up a basic search to extract the syslog message in each record. The results are listed below:
Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 220.127.116.11: no matching session
Login denied from 18.104.22.168/63508 to inside:22.214.171.124/ssh for user "dstrollo"
TCP access denied by ACL from 126.96.36.199/48986 to Internet:188.8.131.52/23
It will work, and even if it doesn't, because you are using the "REPORT-" directive (Search-time) instead of the "TRANSFORMS-" (or "EXTRACT-") directive (Index-time), it will not do any permanent modifications, so there is no risk. Are there really missing backslashes for this transform, or did you just mess up the markdown for it:
I would make sure each of your 3 REGEX strings contains the string literal text for each individual message variation to avoid false extractions (e.g. "ASA-4-313004", "ASA-6-605004", and "ASA-3-710003").
P.S. You do not need the "EXTRACT-syslog" more than once.
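The advice above, keying each extraction on the literal message ID so a regex can only fire on the message variant it was written for, can be checked outside Splunk before touching props.conf or transforms.conf. The script below is an added example, not the asker's configuration or Splunk's own code: it parses the common ASA syslog header once, then dispatches to one body regex per message ID (313004, 605004, 710003) and runs over the three sample events from the question. The field names (`src_ip`, `dest_interface`, `user`, and so on) and the `[\d.]+` address pattern are assumptions chosen for illustration; Python named groups use `(?P<name>...)`, whereas a Splunk REGEX would spell the same groups as `(?<name>...)`.

```python
import re

# Constructed sample input: the three message shapes quoted in the question.
SAMPLE_EVENTS = [
    'Apr 30 15:26:20 188.8.131.52 %ASA-4-313004: Denied ICMP type=0, from laddr 10.11.20.59 '
    'on interface outside to 184.108.40.206: no matching session',
    'Apr 29 13:39:31 220.127.116.11 %ASA-6-605004: Login denied from 18.104.22.168/63508 '
    'to inside:22.214.171.124/ssh for user "dstrollo"',
    'Apr 28 13:58:47 126.96.36.199 %ASA-3-710003: TCP access denied by ACL from 188.8.131.52/48986 '
    'to Internet:184.108.40.206/23',
]

# Header shared by every event: syslog timestamp, reporting host, then the
# ASA message ID in the form %ASA-<severity>-<six-digit number>. Everything
# after the colon is the body that the per-message regexes operate on.
HEADER_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): '
    r'(?P<syslog_message>.*)$'
)

# One body regex per message ID (field names are assumed, not an ASA standard).
# Keying the table on the literal ID is what prevents, for example, the
# "Login denied from <ip>/<port>" pattern from matching a 710003 ACL denial.
BODY_RES = {
    '313004': re.compile(
        r'^Denied ICMP type=(?P<icmp_type>\d+), from laddr (?P<src_ip>[\d.]+) '
        r'on interface (?P<src_interface>\S+) to (?P<dest_ip>[\d.]+): (?P<reason>.*)$'
    ),
    '605004': re.compile(
        r'^Login denied from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
        r'to (?P<dest_interface>[^:]+):(?P<dest_ip>[\d.]+)/(?P<service>\S+) '
        r'for user "(?P<user>[^"]*)"$'
    ),
    '710003': re.compile(
        r'^(?P<protocol>\S+) access denied by ACL from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
        r'to (?P<dest_interface>[^:]+):(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+)$'
    ),
}


def extract_fields(event):
    """Return a dict of extracted fields, or None if the header does not parse.

    Body fields are added only when the regex registered for that message ID
    matches, so an unknown ID yields header fields alone and a body that does
    not fit its own regex is flagged rather than silently mis-extracted.
    """
    m = HEADER_RE.match(event)
    if not m:
        return None
    fields = m.groupdict()
    body_re = BODY_RES.get(fields['msg_id'])
    if body_re is not None:
        bm = body_re.match(fields['syslog_message'])
        if bm:
            fields.update(bm.groupdict())
        else:
            fields['parse_warning'] = 'body did not match regex for msg_id'
    return fields


def extract_all(events):
    """Apply extract_fields to each event, preserving order."""
    return [extract_fields(e) for e in events]


if __name__ == '__main__':
    for extracted in extract_all(SAMPLE_EVENTS):
        print(extracted)
```

Each entry in `BODY_RES` corresponds to what would be a separate REPORT- stanza in transforms.conf, with the message ID written as literal text in the REGEX; the dispatch table here makes the same guarantee explicit and lets you assert on the output for every message variant before deploying the extraction.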