
How to configure proper line-breaking for logs from McAfee Database Monitoring?

Communicator

Have this problem with line breaks in the logs from the McAfee database monitoring tool. Tried a couple of configs in props.conf, but they didn't help. Basically I am trying this on a test machine and no new logs are coming in, so I am looking for a regex/sed for this, something like ignore every occurrence of the \r\n pattern.
For example, this is one of the events:

\r\n\r\nDatabase is probably vulnerable to a GDI+ EMF Integer Overflow (CVE-blah ). Please check if Microsoft patch MS08-052 was applied properly. \r\nCVE: CVE-2008-3012

Any suggestions?


Re: How to configure proper line-breaking for logs from McAfee Database Monitoring?

Esteemed Legend

If you can be much more detailed on a specific example of events in the log, we can probably help you.


Re: How to configure proper line-breaking for logs from McAfee Database Monitoring?

Communicator

I tried sed for ignoring the \r, \n characters but to no avail. I am trying to extract a field which describes the vulnerability. Here's one of the events:

2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "

This new field to be extracted, let's say "description", I was able to extract using the regex. But the breaks I am trying to remove using sed don't seem to go away.


Re: How to configure proper line-breaking for logs from McAfee Database Monitoring?

SplunkTrust

To match \r or \n you need to escape the backslash. So, something like

SEDCMD-rem-backslashrn = s/\\r\\n//g

Should substitute nothing (i.e. the empty string between the last two / characters) for any time it sees \r\n. The final g says to do it globally, or in other words replace all the times in that field it sees that string.

You can test by creating a search and doing a

... | rex field=myfield mode=sed "s/\\r\\n//g"

And fiddle with that until you get it right. Then put that in your SEDCMD.

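To make the escaping point concrete, here is an added Python illustration (not code from the thread or from Splunk) of why the SEDCMD needs the doubled backslashes: the event text contains the literal four characters backslash-r-backslash-n, not real CR/LF bytes, so a pattern that the regex engine reads as control characters never matches. The sample event is constructed after the one posted above.

```python
import re

# Constructed sample event modelled on the one posted in the thread. In the
# raw log the description field holds the literal text "\r\n", i.e. a
# backslash followed by the letter r, not a carriage return.
SAMPLE_EVENT = (
    '2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW",'
    '"DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\\MSSQ",'
    '"testserer24.example.com","MS2008TEST", '
    '"\\r\\n\\r\\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow '
    '(CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied '
    'properly. \\r\\nCVE: CVE-2009-2501 "'
)

# What SEDCMD-rem-backslashrn = s/\\r\\n//g means to the regex engine:
# each "\\" is one escaped backslash, so the pattern is the literal text \r\n.
LITERAL_CRLF = re.compile(r"\\r\\n")

# The naive form s/\r\n//g: \r and \n become the CR and LF control
# characters, which never occur inside this event.
CONTROL_CRLF = re.compile(r"\r\n")


def description_field(event: str) -> str:
    """Return the last double-quoted field of the event (the description).

    Backslash-escaped pairs such as \\M or \\r are kept inside the field.
    """
    fields = re.findall(r'"((?:[^"\\]|\\.)*)"', event)
    return fields[-1]


def strip_literal_crlf(text: str) -> str:
    """Equivalent of the working SEDCMD: remove every literal \\r\\n."""
    return LITERAL_CRLF.sub("", text)


def strip_control_crlf(text: str) -> str:
    """The naive pattern for comparison; leaves this field unchanged."""
    return CONTROL_CRLF.sub("", text)


def cve_ids(text: str) -> set[str]:
    """CVE identifiers mentioned in a (cleaned) description field."""
    return set(re.findall(r"CVE-\d{4}-\d{4,}", text))
```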


Re: How to configure proper line-breaking for logs from McAfee Database Monitoring?

Communicator

Thank you. Adding one more backslash did the trick.

rex field=myfield mode=sed "s/\\\r\\\n//g"