It is unclear if the regular expression works, or if the markup formatting ate parts of what is visible. Regardless, your transforms.conf stanza may not be complete.
Let us assume that you want to create a report for three basic fields: action, protocol and source ip. In this case we are making an assumption that the desired matches are as follows:
Nov 10 20:12:12 FWPFS001.localdomain Nov 11 15:12:12 filterlog: 84, 16777216, , 1000003811, igb0, match, pass,out,4,0x0,,127,2445,0,none,17,udp,1378,192.168.0.100,216.58.199.46,28180,443,1358
In this case, the corresponding props.conf entry will be:
[syslog]
...
REPORT-pf2 = pf2
And, the transforms.conf entry is as follows:
[pf2]
REGEX = .+?(pass|block).+?(tcp|udp|igmp|icmp).+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = action::$1 protocol::$2 src::$3
That should do it. At this point, the data should be represented cleanly in the user interface.
I hope this helps you,
-gc
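To check the REGEX/FORMAT pair above before deploying it, here is an added Python script (not part of the answer or of Splunk itself) that emulates how a transforms.conf REPORT stanza turns capture groups into fields; the sample events are constructed from the line in the answer, and the `apply_transform` function name is my own.

```python
import re

# Constructed sample events: the first is the pfSense filterlog line from the
# answer (spacing normalized), the second is a hypothetical blocked TCP event.
PASS_EVENT = (
    "Nov 10 20:12:12 FWPFS001.localdomain Nov 11 15:12:12 filterlog: "
    "84,16777216,,1000003811,igb0,match,pass,out,4,0x0,,127,2445,0,none,17,"
    "udp,1378,192.168.0.100,216.58.199.46,28180,443,1358"
)
BLOCK_EVENT = (
    "Nov 10 20:13:01 FWPFS001.localdomain filterlog: "
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,"
    "tcp,60,10.0.0.5,192.168.0.100,51234,22,S"
)

# REGEX and FORMAT exactly as given in the [pf2] transforms.conf stanza.
REGEX = r".+?(pass|block).+?(tcp|udp|igmp|icmp).+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
FORMAT = "action::$1 protocol::$2 src::$3"


def apply_transform(event: str, regex: str = REGEX, fmt: str = FORMAT) -> dict:
    """Emulate a REPORT-style transform: run REGEX over the raw event and
    expand each field::$n pair in FORMAT into a field name/value mapping.
    Returns an empty dict when the regex does not match, which is what
    Splunk does too: the event is indexed, but gains no extracted fields."""
    match = re.search(regex, event)
    if match is None:
        return {}
    fields = {}
    for pair in fmt.split():
        name, ref = pair.split("::", 1)
        fields[name] = match.group(int(ref.lstrip("$")))
    return fields


if __name__ == "__main__":
    for event in (PASS_EVENT, BLOCK_EVENT):
        print(apply_transform(event))
```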