Syslog data from my Fortinet firewall is not being parsed out correctly.   I have noticed that there are multiple formats of messages.    This first format parses out correctly.  ...   policyid=474 sessionid=3929476361 user= "FRED " group= " RegularSupport.Grp " srcip=10.120.2 .26 ...   These do not (specifically the user field is not populated) ....    policyid =441 sessionid=3929476369 user= "BARNEY " srcip=10.120.36.105   .... (missing group after user field) .....   policyid=471 sessionid=3929476336 user= "BETTY " group= " TL-AVP-SVP.Grp " srcip=10.120.2.128 .... (has "-" in the text for group) ....   policyid=103 sessionid=3929476142 user= "WILMA " group= " Wkstns_SSLVPN_PD.Grp " srcip=172.24.1.18    ...... (has "_" in the text for group). I tried to do a extract fields on one of the different events, that solved the issue for the new event but the original event no longer works.    I assume that there is a regex somewhere that parses this out but I cannot find it.  My question is where do I go find out where it is so I can hopefully generate one that works?   Scott     ... View more

I am receiving Syslog data from the firewall and I would like to send a subset of it to the nullQueue. The issue I am having is that I have two set values (action and srcip) but 6 values for the destination. The formats of the fields of the raw data are - action="deny" scrip=10.12.55.55 dstip=192.168.10.0 The regex I have come up with is: (?:srcip\=10\\.12\\.55\\.55)|(?:dstip\=192\\.168\\.10\\.*)|(?:dstip\=172\\.16\\.10\\.*)|(?:dstip\=172\\.18\\.10\\.*)|(?:action\=\"deny\") What happens is that the "|" acts as an "or" so I will be dumping too much information. My question is what is the format to place in transforms.conf to filter out the events to be dropped? Regards, Scott ... View more