I am trying to change the host name. The name is from the log files.
Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:
the host name is always before ASM:
I tried to change it through transforms.conf but the host name is not changing. Below is my transforms.conf file:
transforms.conf
[host_name]
SOURCE_KEY = _raw
REGEX = \s(\w+.\w+.\w+.\w+) ASM:$
FORMAT = host::$1
DEST_KEY = MetaData:Host
props.conf
[f5xxx]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
TIME_PREFIX = x0x.xx.x.xx
category = Custom
pulldown_type = true
TRANSFORMS-register = host_name
How can I change the hostname?
Secondly, if there is a problem in my regex, how can I identify that there is a problem? Any clue from log file?
Does your log event end with "ASM:"? If not, remove the dollar sign from the regex as that would stop the regex from matching.
Side note 1, to match literal dots use \. instead of ., which matches any character.
Side note 2, you're constricting your host names to four levels / three dots - you probably want to match any non-space hostname by using \S+.
Side note 3, anchoring your regex on "ASM:" after your variable part is really bad for performance. After getting the hostname change to work, consider anchoring the regex at the beginning of the string, skipping over date-ip-date and then matching the next non-space part as the hostname.
So... your hostname replacement is working now? All side notes don't contribute to correctness, tackle them after getting the hostname change to work as I've said in the side notes.
Your complete event says my initial guess was accurate: your event doesn't end with "ASM:". Remove the dollar sign.
Yet not successful.
My regex is the following:
\s(\S+) ASM:
ASM: is not a part of hostname.
hostname is "ac.dc1.buttercomom.com "
Can you please write down the complete transforms.conf file including the regex? I am missing something.
As per @martin_mueller's comment, can you try the below:
transforms.conf
[host_name]
REGEX = ^.{44}(\S+)\sASM
FORMAT = host::$1
DEST_KEY = MetaData:Host
Here I am escaping the first 44 characters (timestamp) and then matching for the host name.
\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)
It does not look elegant, but it takes only 26 steps and is backward-matching safe.
https://regex101.com/r/1xLXd0/2
Hi Martin,
I am stuck at side note 3.
My complete event is below:
Sep 20 11:13:18 1x.xx.xx.1xx0 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected","xxxx4520",,"GET /Content/Images/ixx_logo01_module02.gif HTTP/1.1\r\nHost: www.xxxxk.com\r\nUser-Agent: sxx/1.0x6264944] UP.
Please advise.
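The four candidate regexes posted in this thread, run against both events the asker posted (the short one from the question and the complete one just above), as an added Python example that is not from the thread or from Splunk itself; Python's re module is assumed to behave like Splunk's PCRE engine for these patterns, and group 1 is what FORMAT = host::$1 would receive.

```python
import re

# Host-extraction regexes quoted in the thread, in the order they were posted.
PATTERNS = {
    "original": r"\s(\w+.\w+.\w+.\w+) ASM:$",   # '$' demands that the event END with ASM:
    "no_dollar_nonspace": r"\s(\S+) ASM:",      # asker's retry: no '$', any non-space host
    "fixed_offset": r"^.{44}(\S+)\sASM",        # skip 44 chars: only valid for an 11-char IP
    "tokenised": r"\w+\s+\d+\s+\d+:\d+:\d+\s+[^\s]+\s\w+\s+\d+\s+\d+:\d+:\d+\s+([^\s]+)",
}

# Sample events copied from the thread (the full one carries the poster's masked IP).
SHORT_EVENT = "Sep 20 11:13:18 10.50.3.100 Sep 20 11:13:15 ac.dc1.buttercomom.com ASM:"
FULL_EVENT = (
    r'Sep 20 11:13:18 1x.xx.xx.1xx0 Sep 20 11:13:15 ac.dc1.buttercomom.com '
    r'ASM:"MONEYPAK_WEBAPP","MONEYPAK_CLASS","Blocked","Attack signature detected",'
    r'"xxxx4520",,"GET /Content/Images/ixx_logo01_module02.gif HTTP/1.1\r\nHost: '
    r'www.xxxxk.com\r\nUser-Agent: sxx/1.0x6264944] UP.'
)


def extract_host(pattern, event):
    """Return capture group 1 (the value host::$1 would get) or None when the regex fails."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


def compare(event):
    """Run every candidate against one event; None means the host would be left unchanged."""
    return {name: extract_host(p, event) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, ev in (("short event", SHORT_EVENT), ("full event", FULL_EVENT)):
        print(label)
        for name, host in compare(ev).items():
            print(f"  {name:20s} -> {host}")
```

The fixed-offset pattern matches the short event but not the full one because the masked IP there is two characters wider, so anything with a variable-width field before the host needs the tokenised form or \S+ rather than a hard-coded character count.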