Have this problem with linebreaks in the logs from McAFee database mon tool. Tried a couple of configs on props.conf, but didn't help. Basically trying on a test machine and no new logs are coming in, so I am looking for a regex/sed for this, something like ignore every occurrence of
For example this is one the events:
\r\n\r\nDatabase is probably vulnerable to a GDI+ EMF Integer Overflow (CVE-blah ). Please check if Microsoft patch MS08-052 was applied properly. \r\nCVE: CVE-2008-3012
Any suggestions ?
If you can be much more detailed on a specific example of events in the log, we can probably help you.
I tried sed for ignoring the
\r,\n characters but to no avail. I am trying to extract a field which describes the vulnerability. Here's one of the events.:
2015-10-05T08:49:10+00:00 testserver "MSVULN021","1444049349690","0","LOW","DB vulnerable against CVE-2009-2511","Vulnerabilities","testserer24\MSSQ","testserer24.example.com","MS2008TEST", "\r\n\r\nDatabase is probably vulnerable to a GDI+ PNG Heap Overflow (CVE-2009-2501). Please check if Microsoft patch MS08-062 was applied properly. \r\nCVE: CVE-2009-2501 "
This new field to be extracted, lets say "description", which I was able to extract using the regex. But, breaks I am trying to remove using sed doesnt seems to work.
\n you need to escape the backslash. So, something like
SEDCMD-rem-backslashrn = s/\\r\\n//g
Should substitute nothing (e.g. the empty between the last two // characters) for any time it sees
\r\n. The final
g says to do it globally, or in other words replace all the times in that field it sees that string.
You can test by creating a search and doing a
... | rex field=myfield mode=sed "s/\\r\\n//g"
And fiddle with that until you get it right. The put that in your sedcmd.
Thank you. Adding one more backslash did the trick.
rex field=myfield mode=sed "s/\\\r\\\n//g"