Hi secfrit,
I looked at the second part of your request and did indeed find an issue in the way src_ip was being extracted for some log lines. I reworked your suggestion into something I believe covers all logging scenarios.
[src_dest_fields_for_cisco_esa]
# Matches both ICID (interface name with the IP in parentheses) and DCID (bare interface IP) lines;
# the dots inside the IP octets are escaped so they match a literal "." rather than any character.
REGEX = (?:DCID|ICID)\s+\d+\s+interface(?:[\S\s]* [\(]?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\d+))?
FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3
Happy to hear some feedback if this doesn't rectify your field extraction scenario.
Thank You Kindly
Don
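To check what the transform above actually yields, here is an added example (not Don's code or part of the original thread) that runs the same regex, with the IP dots escaped, over constructed Cisco ESA-style mail log lines and maps the capture groups the way the FORMAT line does; the sample lines are constructed, not real ESA output.

```python
import re

# The transform's regex, with the dots inside the IP octets escaped so they
# only match a literal "."; compiled here with Python's re module.
ESA_REGEX = re.compile(
    r"(?:DCID|ICID)\s+\d+\s+interface(?:[\S\s]* [\(]?)"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s+"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s+port\s+(\d+))?"
)

# Mirrors FORMAT = src_ip::$1 dest_ip::$2 dest_port::$3
FIELD_NAMES = ("src_ip", "dest_ip", "dest_port")

# Constructed sample lines shaped like Cisco ESA text mail_logs entries:
# an inbound ICID line (interface name plus parenthesised IP, no port),
# an outbound DCID line (bare interface IP plus destination port), and
# an unrelated event the transform should ignore.
SAMPLE_LINES = [
    "Mon Jun  1 12:00:01 2020 Info: New SMTP ICID 123 interface Management "
    "(192.168.1.10) address 10.0.0.5 reverse dns host unknown verified no",
    "Mon Jun  1 12:00:02 2020 Info: New SMTP DCID 456 interface 192.168.1.10 "
    "address 203.0.113.5 port 25",
    "Mon Jun  1 12:00:03 2020 Info: Message finished MID 789 done",
]


def extract_fields(line):
    """Return {field: value} for a matching line, or None when the regex does
    not apply (e.g. a non-ICID/DCID event). An unmatched optional group
    (dest_port on ICID lines) is left out, as Splunk leaves the field unset."""
    m = ESA_REGEX.search(line)
    if not m:
        return None
    return {name: val for name, val in zip(FIELD_NAMES, m.groups())
            if val is not None}


def extract_all(lines):
    """Apply extract_fields to every line, keeping line order."""
    return [extract_fields(line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(fields, "<-", line)
```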