I am trying to extract the IP address from the field below, I can extract the first but am not sure how to extract the second. Field is as follows:
May 28 08:22:24 10.10.1.254 17361045: May 28 12:22:23.832: %FW-6-DROP_PKT: Dropping udp session 39.118.56.69:47069 10.10.1.179:43611 on zone-pair CSM_Outside-Inside_1 class class-default due to DROP action found in policy-map with ip ident 0
I use:
host=10.10.1.254 facility=FW mnemonic=DROP_PKT | rex field=_raw "session (?
to extract the first IP (39.118.56.69) but am not sure how to extract the second (10.10.1.179), I would also like to extract the port numbers if possible.
Any help would be appreciated.
Assuming the first and second IP addresses are always separated by white space, this should work for you.
rex field=_raw "session (?<source_ip>[^:]*):((?<source_port>\d+)\s(?<second_ip>[^:]*):(?<second_port>\d+)"
This should work for you:
rex field=_raw "session (?<source_ip>[^:]*?):([^\s]*?)\s(?<second_ip>[^:]*?):"
If you want to capture the ports as well. You can try this:
rex field=_raw "session (?<source_ip>[^:]*?):(?<source_port>[^\s]*?)\s(?<second_ip>[^:]*?):(?<second_port>[^\s]*?)\s"
Hope this helps.
Try this
rex field=_raw "(?<IP_Address>\d+\.\d+\.\d+\.\d+)\:"
Assuming the first and second IP addresses are always separated by white space, this should work for you.
rex field=_raw "session (?<source_ip>[^:]*):((?<source_port>\d+)\s(?<second_ip>[^:]*):(?<second_port>\d+)"