Multiline FTP log

ngvella · ‎02-03-2015

I've got windows FTP logs that are multiline that look like:

00:00:10 127.0.0.1  [57708]USER 123456 331 0 0 0 0 FTP
00:00:11 127.0.0.1  [57708]PASS - 230 0 0 0 1078 FTP
00:00:11 127.0.0.1  [57708]created /test.txt 226 0 0 11051 94 FTP
00:00:11 127.0.0.1  [57708]QUIT - 226 0 0 0 0 FTP
00:00:57 127.0.0.1  [57728]USER 123456 331 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]PASS - 230 0 0 0 1532 FTP
00:00:58 127.0.0.1  [57728]CWD inbox 250 0 0 0 0 FTP
00:00:58 127.0.0.1  [57728]CWD ~ 250 0 0 0 0 FTP
00:00:59 127.0.0.1  [57728]CWD / 250 0 0 0 16 FTP
00:00:59 127.0.0.1  [57728]QUIT - 250 0 0 0 0 FTP

the bracketed number is like the session ID so i want to group all of those as 1 event. I tried linebreaking my props.conf with the following but it doesn't seem to be working. It's indexing around 200 lines (multiple session IDs) as one event.

[sourcetype]
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE = (\d\d:\d\d:\d\d .* \w\[\d+\]USER)

richgalloway · ‎02-03-2015

The \w in the BREAK_ONLY_BEFORE line appears to be causing matches to fail.

---
If this reply helps you, Karma would be appreciated.

ngvella · ‎02-03-2015

Yeah i tested the regex out and it was definitely wrong, but i changed it to remove the \w and it's still indexing 257 lines per event.

Multiline FTP log

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7