This is the raw event:
2015-04-21T12:55:25+01:00 <hostname> ASM: unit_hostname="<hostname>",management_ip_address="<IP>",http_class_name="/Common/pl_sports_com_L1_prod",web_application_name="/Common/pl_sports_com_L1_prod",policy_name="/Common/pl_sports_com_L1_prod",policy_apply_date="2015-04-20 22:59:53",violations="Web scraping detected",support_id="16995741371944062892",request_status="blocked",response_code="0",ip_client="185.17.184.228",route_domain="0",method="GET",protocol="HTTPS",query_string="action=event&ev_id=7447953&version=1",x_forwarded_for_header_value="N/A",sig_ids="",sig_names="",date_time="2015-04-21 12:55:25",severity="Error",attack_type="Web Scraping",geo_location="NL",ip_address_intelligence="N/A",username="N/A",session_id="a27f9feb0b622a04",src_port="40567",dest_port="443",dest_ip="<IP>",sub_violations="",virus_name="N/A",uri="/bir_xml",request="GET /bir_xml?action=event&ev_id=7447953&version=1 HTTP/1.1\r\nHost: <URL>\r\nCookie: TS0158e29b=0148840b44c2771c7edfa9b3305f349c56fc28fecb0c11fc5c4b963f7e860ace7b26c42578; TS0197b840=0148840b4416795c008c4e4b7adc1e097f180a2c1e661ae566acbeafbd41be90e94db247b64d197bb6324d0ffd8ba54611a9e1ce03; sitePreference=DESKTOP\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n"#015
This is how I thought the LINE_BREAKER would have changed it:
2015-04-21T12:55:25+01:00 <hostname> ASM: unit_hostname="<hostname>",management_ip_address="<IP>",http_class_name="/Common/pl_sports_com_L1_prod",web_application_name="/Common/pl_sports_com_L1_prod",policy_name="/Common/pl_sports_com_L1_prod",policy_apply_date="2015-04-20 22:59:53",violations="Web scraping detected",support_id="16995741371944062892",request_status="blocked",response_code="0",ip_client="185.17.184.228",route_domain="0",method="GET",protocol="HTTPS",query_string="action=event&ev_id=7447953&version=1",x_forwarded_for_header_value="N/A",sig_ids="",sig_names="",date_time="2015-04-21 12:55:25",severity="Error",attack_type="Web Scraping",geo_location="NL",ip_address_intelligence="N/A",username="N/A",session_id="a27f9feb0b622a04",src_port="40567",dest_port="443",dest_ip="<IP>",sub_violations="",virus_name="N/A",uri="/bir_xml",request="GET /bir_xml?action=event&ev_id=7447953&version=1 HTTP/1.1\r\n
Host: <URL>\r\n
Cookie: TS0158e29b=0148840b44c2771c7edfa9b3305f349c56fc28fecb0c11fc5c4b963f7e860ace7b26c42578; TS0197b840=0148840b4416795c008c4e4b7adc1e097f180a2c1e661ae566acbeafbd41be90e94db247b64d197bb6324d0ffd8ba54611a9e1ce03; sitePreference=DESKTOP\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-us,en;q=0.5\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0\r\n
Accept-Encoding: gzip, deflate\r\n\r\n"#015
But I'm starting to lean towards using transforms to replace the \r\n so that the whole event is standardised?
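An added example, not part of the original post: a Python sketch showing that the `\r\n` in the `request` field is four literal characters rather than a real CR LF, and how the field can be split into headers or rewritten with one separator while the event stays on a single line. The sample event is constructed and shortened from the one above; `waf01`, `192.0.2.10` and `www.example.com` are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample, shortened from the event in the post. "waf01",
# 192.0.2.10 and www.example.com are placeholders, not values from the post.
SAMPLE_EVENT = (
    r'2015-04-21T12:55:25+01:00 waf01 ASM: unit_hostname="waf01",'
    r'violations="Web scraping detected",request_status="blocked",'
    r'ip_client="192.0.2.10",uri="/bir_xml",'
    r'request="GET /bir_xml?action=event&ev_id=7447953&version=1 HTTP/1.1\r\n'
    r'Host: www.example.com\r\nCookie: sitePreference=DESKTOP\r\n'
    r'Accept-Encoding: gzip, deflate\r\n\r\n"#015'
)

KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key="value", escapes allowed
ESCAPED_CRLF = "\\r\\n"  # four literal characters, not CR LF

def parse_asm_event(raw):
    """Return the key="value" pairs of one single-line ASM event as a dict."""
    raw = raw.rstrip()
    # Assumption: "#015" is the syslog daemon's octal escape for a trailing CR.
    if raw.endswith("#015"):
        raw = raw[:-4]
    return dict(KV_RE.findall(raw))

def request_parts(value):
    """Split the logged request on the escaped CRLF text, dropping empty parts."""
    return [part for part in value.split(ESCAPED_CRLF) if part]

def split_request(value):
    """Return (request_line, headers) with lower-cased header names."""
    parts = request_parts(value)
    if not parts:
        return "", {}
    headers = {}
    for line in parts[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return parts[0], headers

def normalise_request(value, sep=" | "):
    """Rewrite the request with one visible separator instead of \\r\\n."""
    return sep.join(request_parts(value))

if __name__ == "__main__":
    fields = parse_asm_event(SAMPLE_EVENT)
    line, headers = split_request(fields["request"])
    print(fields["ip_client"], fields["request_status"], line)
    print(headers)
    print(normalise_request(fields["request"]))
```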