Hello,
I searched for a few hours for how to extract the RULE_NAME field from my firewall logs, without success.
RULE_NAME is at the end of the log line, between parentheses (). It can contain any characters, including spaces, "-" or "_".
My problem comes from the fact that the RULE_NAME sometimes ends with a 3-character string I need to remove: "-00".
Here is my current regex, but it doesn't work for the simple "Internal Policy" RULE_NAME:
.*\s+\((?P<RULE_NAME>.*)?(-00)\)$
Here are the original log lines I need to match:
May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)
May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52481 53 msg="DNS Forwarding" src_user="yal@mycorp.lan" record_type="A" question="sync.srv.stackadapt.com" (Internal Policy)
May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 src_user="fgi@mycorp.com" (My super rule name with space DNS.out)
Any idea how to ignore the "-00" suffix when present?
Thanks,
Florent
Speaking of which... in case there are some rogue parens in the message, maybe this is even a bit safer, instead of matching everything...
\((?<rule_name>[^\(]+?)(?:-00)?\)$
Something like this, maybe?
\((?<rule_name>.*?)(?:-00)?\)$
Thanks, it's perfect, seems so simple... when you master regex ;-))
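To show concretely why the original pattern misses "Internal Policy" and why the `[^(]` variant is the safer of the two answers, here is an added Python example (not code from the thread) that runs all three regexes over the sample log lines posted above plus one constructed line whose msg field contains its own parentheses. Python spells named groups `(?P<name>...)`, so the `(?<rule_name>...)` syntax from the answers is adapted accordingly; the helper name `extract_rule_name` and the extra sample line are mine, not from the post.

```python
import re

# The three log lines from the question (IP addresses partly masked as in the post).
SAMPLE_LINES = [
    'May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" '
    'Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 '
    'src_user="fgi@mycorp.com" (DNS-01-proxy_user.out-00)',
    'May 3 17:39:56 10.40.1.254 May 3 17:39:56 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" '
    'Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52481 53 '
    'msg="DNS Forwarding" src_user="yal@mycorp.lan" record_type="A" '
    'question="sync.srv.stackadapt.com" (Internal Policy)',
    'May 3 16:35:02 10.40.1.254 May 3 16:35:02 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" '
    'Allow 0-SSL-VPN Firebox 73 udp 20 128 172.XXX.XXX.14 172.XXX.XXX.1 54127 53 '
    'src_user="fgi@mycorp.com" (My super rule name with space DNS.out)',
]

# Constructed line (not from the thread): the msg field carries its own "(cached)" and the
# rule name ends with the "-00" suffix, so both edge cases are present at once.
ROGUE_PARENS_LINE = (
    'May 3 17:40:01 10.40.1.254 May 3 17:40:01 MYFIREWALL.mycorp.lan firewall: msg_id="3000-0148" '
    'Allow VLAN1-Lan-Trusted Firebox 69 udp 20 128 172.21.20.26 172.21.20.254 52482 53 '
    'msg="DNS Forwarding (cached)" src_user="yal@mycorp.lan" record_type="A" '
    'question="sync.srv.stackadapt.com" (Internal Policy-00)'
)

# Original pattern from the question: "(-00)" is a mandatory group, so any rule name
# that does not end in "-00" never matches at all.
ORIGINAL = re.compile(r'.*\s+\((?P<RULE_NAME>.*)?(-00)\)$')

# First answer: "-00" made optional and non-capturing, lazy ".*?" stops before it.
LAZY_ANY = re.compile(r'\((?P<rule_name>.*?)(?:-00)?\)$')

# Follow-up answer: "[^(]" forbids a "(" inside the capture, so the match cannot start at
# an earlier parenthesis in the message and run across the rest of the line.
NO_INNER_PAREN = re.compile(r'\((?P<rule_name>[^(]+?)(?:-00)?\)$')


def extract_rule_name(line, pattern=NO_INNER_PAREN):
    """Return the rule name at the end of a log line, or None if the pattern does not match.

    re.search is required: none of the patterns is anchored at the start of the line.
    Trailing CR/LF is stripped so that "\\)$" sees the closing parenthesis as the last char.
    Group 1 is the named group in all three patterns (ORIGINAL's "(-00)" is group 2).
    """
    m = pattern.search(line.rstrip("\r\n"))
    return m.group(1) if m else None


def extract_all(lines, pattern=NO_INNER_PAREN):
    """Apply extract_rule_name to every line and return the list of results."""
    return [extract_rule_name(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("lazy .*?", LAZY_ANY), ("[^(]+?", NO_INNER_PAREN)):
        print(name, extract_all(SAMPLE_LINES + [ROGUE_PARENS_LINE], pat))
```

Running it shows the original pattern returning None for the two names without "-00", and the lazy `.*?` pattern swallowing everything from "(cached)" onwards on the constructed line, where the `[^(]+?` pattern still yields "Internal Policy". One caveat none of the patterns can resolve: a rule whose real name ends in "-00" is indistinguishable from one carrying the suffix, so the stripping is a convention, not something the log line itself tells you.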