Help on REGEX match ignoring non-mandatory string at its end

Flo-Paris
Explorer

Hello,

I searched for a few hours for how to extract the RULE_NAME field from my Firewall logs, without success.

RULE_NAME is at the end of the log line, between (). It can contain any characters, space, "-" or "_".

My problem comes from the fact that the RULE_NAME sometimes ends with a 3-character string I need to remove: "-00"

Here is my current REGEX, but it doesn't work for the simple "Internal Policy" RULE_NAME:

.*\s+\((?P<RULE_NAME>.*)?(-00)\)$

 

Here are the original log lines I need to match:

May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)
May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52481 53 msg="DNS Forwarding" src_user="yal@mycorp.lan" record_type="A" question="sync.srv.stackadapt.com" (Internal Policy)
May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (My super rule name with space DNS.out)

Any idea on how to ignore the "-00" suffix when present?

Thanks

Florent

 

0 Karma

maciep
Champion

something like this maybe?

\((?<rule_name>.*?)(?:-00)?\)$

maciep
Champion

Speaking of which... in case there are some rogue parens in the message, maybe this is even a bit safer - instead of matching everything...

\((?<rule_name>[^\(]+?)(?:-00)?\)$

 

0 Karma

Flo-Paris
Explorer

Thanks, it's perfect, seems so simple...when you master Regex ;-))

0 Karma
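
Added example, not written by anyone in the thread: the three patterns above run side by side in Python, to show why the mandatory "-00" group drops unsuffixed rule names and why the `[^\(]` variant matters when a message field itself contains parentheses. Python's `re` needs the `(?P<name>...)` spelling for named groups; the sample lines are shortened tails of the question's logs, and the last one is constructed.

```python
import re

# The question's pattern: the "-00" group is mandatory, so a rule name
# without that suffix can never match.
ORIGINAL = re.compile(r'.*\s+\((?P<RULE_NAME>.*)?(-00)\)$')
# Accepted answer: lazy capture, then an optional non-capturing "-00".
LAZY = re.compile(r'\((?P<rule_name>.*?)(?:-00)?\)$')
# Follow-up answer: the capture cannot contain "(", so the match can only
# begin at the last "(" on the line.
NO_PAREN = re.compile(r'\((?P<rule_name>[^\(]+?)(?:-00)?\)$')

# Shortened tails of the three log lines in the question, plus one
# constructed line (last) with parentheses inside a quoted field.
SAMPLES = [
    'src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)',
    'question="sync.srv.stackadapt.com" (Internal Policy)',
    'src_user="fgi@mycorp.com" (My super rule name with space DNS.out)',
    'msg="lookup (cached) reply" (Web-Filter.out-00)',
]


def extract(pattern, line):
    """Return the captured rule name, or None when the line does not match."""
    match = pattern.search(line)
    # The named group is group 1 in all three patterns.
    return match.group(1) if match else None


def compare(lines=SAMPLES):
    """Map each line to the (original, lazy, no_paren) extraction results."""
    return {
        line: tuple(extract(p, line) for p in (ORIGINAL, LAZY, NO_PAREN))
        for line in lines
    }


if __name__ == "__main__":
    for line, (orig, lazy, no_paren) in compare().items():
        print(line)
        print(f"  original : {orig!r}")
        print(f"  lazy     : {lazy!r}")
        print(f"  no_paren : {no_paren!r}")
```

On the constructed line the lazy pattern starts at the first "(" it finds and captures part of the message along with the rule name, which would silently corrupt any report or alert grouped by rule.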