The syslog messages we receive from the firewall have multiple formats. A limited sample is listed below
Apr 30 15:26:20 220.127.116.11 %ASA-4-313004: Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 18.104.22.168: no matching session
Apr 29 13:39:31 22.214.171.124 %ASA-6-605004: Login denied from 126.96.36.199/63508 to inside:188.8.131.52/ssh for user "dstrollo"
Apr 28 13:58:47 184.108.40.206 %ASA-3-710003: TCP access denied by ACL from 220.127.116.11/48986 to Internet:18.104.22.168/23
Our requirement is to be able to extract all the fields in these messages for our analysts.
My question is whether the configuration below will work. If it doesn't it may mess up the existing index. Any advice will be much appreciated.
In props.conf, I set up a basic search to extract the syslog message in each record. The results are listed below
Denied ICMP type=0, from laddr 10.11.20.59 on interface outside to 22.214.171.124: no matching session
Login denied from 126.96.36.199/63508 to inside:188.8.131.52/ssh for user "dstrollo"
TCP access denied by ACL from 184.108.40.206/48986 to Internet:220.127.116.11/23
The props.conf is listed below
NO_BINARY_CHECK = 1
pulldown_type = 1
BREAK_ONLY_BEFORE_DATE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
EXTRACT-syslog = \s(?[^\s]+)\s(?[^:]+:)\s(?.+)
Then I use different transforms to process each message type separately at search time
EXTRACT-syslog = "as above"
REPORT-SyslogMsg = SyslogMsg1, SyslogMsg2, SyslogMsg3
REGEX = "extract fields in Msg1"
REGEX = "extract fields in Msg2"
REGEX = "extract fields in Msg3"
It will work and even if it doesn't, because you are using the "REPORT-" directive (Search-time) instead of the "TRANSFORMS-" (or "EXTRACT-") directive (Index-time), it will not do any permanent modifications so there is no risk. Is there really missing backslashes for this transform or did you just mess up the markdown for it:
I would make sure each of your 3 REGEX strings contains the string literal text for each individual message variation to avoid false extractions (e.g. "ASA-4-313004", "ASA-6-605004", and "ASA-3-710003").
P.S. You do not need the "EXTRACT-syslog" more than once.