
How to configure proper line-breaking for logs from McAfee Database Monitoring?

Communicator

Have this problem with line breaks in the logs from the McAfee database monitoring tool. Tried a couple of configs in props.conf, but they didn't help. Basically I'm trying on a test machine and no new logs are coming in, so I am looking for a regex/sed for this, something like ignore every occurrence of the \r\n pattern.
For example this is one the events:

\r\n\r\nDatabase is probably vulnerable to a GDI+ EMF Integer Overflow (CVE-blah ). Please check if Microsoft patch MS08-052 was applied properly. \r\nCVE: CVE-2008-3012

Any suggestions?


SplunkTrust

To match \r or \n you need to escape the backslash. So, something like

SEDCMD-rem-backslashrn = s/\\r\\n//g

Should substitute nothing (i.e. the empty string between the last two // characters) for any time it sees \r\n. The final g says to do it globally, or in other words replace all the times in that field it sees that string.

You can test by creating a search and doing a

... | rex field=myfield mode=sed "s/\\r\\n//g"

And fiddle with that until you get it right. Then put that in your SEDCMD.


Communicator

Thank you. Adding one more backslash did the trick.

rex field=myfield mode=sed "s/\\\r\\\n//g"

Esteemed Legend

If you can be much more detailed on a specific example of events in the log, we can probably help you.


Communicator

I tried sed for ignoring the \r and \n characters but to no avail. I am trying to extract a field which describes the vulnerability. Here's one of the events:

2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "

This new field to be extracted, let's say "description", I was able to extract using the regex. But removing the breaks using sed doesn't seem to work.

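The substitution from the accepted answer and the field extraction described in the last post, reproduced with plain POSIX sed and awk so the backslash escaping can be checked offline before it goes into props.conf. This is an added example, not code from the thread or from Splunk; it assumes a POSIX sed/awk (GNU or BSD) and uses a constructed copy of the McAfee event quoted above, in which the text contains the literal characters backslash-r-backslash-n rather than real CR/LF bytes. The function names and the extraction regex are the example's own, not Splunk's.

```shell
#!/bin/sh
# Constructed sample event, copied from the thread. Single quotes keep every
# backslash literal, so the final field holds the four characters \ r \ n,
# not carriage-return/line-feed bytes.
SAMPLE='2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "'

# extract_description: pull out the last double-quoted field (the free-text
# description) and trim trailing whitespace. Hypothetical helper standing in
# for whatever field extraction the poster uses in Splunk.
extract_description() {
    printf '%s\n' "$1" | sed -e 's/.*, *"\([^"]*\)" *$/\1/' -e 's/[[:space:]]*$//'
}

# strip_literal_crlf: the accepted answer's SEDCMD, s/\\r\\n//g, run with sed.
# In the regex each \\ matches one literal backslash, so \\r\\n matches the
# text "\r\n" and not a real line break.
strip_literal_crlf() {
    printf '%s' "$1" | sed 's/\\r\\n//g'
}

# strip_real_crlf: the caveat. If the data holds actual CR/LF bytes instead of
# the literal characters, the pattern above matches nothing; the control
# characters themselves have to be deleted.
strip_real_crlf() {
    printf '%s' "$1" | tr -d '\r\n'
}

# count_literal_crlf: how many literal "\r\n" sequences remain (0 means the
# substitution did its job). awk's gsub returns the number of replacements.
count_literal_crlf() {
    printf '%s\n' "$1" | awk 'BEGIN { n = 0 } { n += gsub(/\\r\\n/, "") } END { print n }'
}

# clean_description: extract, then strip, which is the order the last post
# describes (regex extraction first, sed afterwards).
clean_description() {
    strip_literal_crlf "$(extract_description "$1")"
}

# Stand-alone run: show the field before and after.
if [ "${1:-}" = "--demo" ]; then
    echo "raw:     $(extract_description "$SAMPLE")"
    echo "cleaned: $(clean_description "$SAMPLE")"
fi
```

Run it with `sh script.sh --demo`. If the cleaned line still shows `\r\n`, the event really contains backslash characters and the sed regex is being de-escaped once too often on the way in (which is what the extra backslash in the poster's final `rex` fixed); if `count_literal_crlf` already reports 0 on the raw field but the event still wraps, the breaks are real CR/LF bytes and `strip_real_crlf` is the relevant case.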