I have some suricata stats logs which are in the following format:
------------------------------------------------------------------
Date: 9/26/2012 -- 16:57:53 (uptime: 0d, 00h 00m 24s)
------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------
tcp.sessions | Detect | 2932
tcp.blah | Whatever | 42
...
string.string | string | 0
------------------------------------------------------------------
I'm trying to:
- extract four values: Counter, Module (for TM Name), Value, and Date
- have the Counter, TM Name, and Value for each line within the event associate only with what's on its own line
- except to take on the Date value of the entire event
...but I'm not getting it done
My props.conf looks like:
[suricata_stats]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \-*\r\nDate
EXTRACT-counter = ^(?<counter>[a-z]+\.[a-z]+)\s+|
EXTRACT-module = ^[a-z]+\.[a-z]+\s+|\s+(?<module>[^ ])\s+|
EXTRACT-value = ^[a-z]+\.[a-z]+\s+|\s+[^ ])\s+|\s+(?P<value>.+)
I know the regex is ... messy, but the results I'm getting are not as intended.
With sample data containing what I intend to be 5 results, I get 6.
One event is:
--------------------------------------------------------------------------
The next five events begin with "Date" and display all of the subsequent lines.
My extractions are also wrong:
- the only value for "Counter" is "tcp.sessions" - no "tcp.blah", or others.
- the only value for "Module" is "9" (from after "Date:")
- I have five values for "Value", but each value is a multi-line value containing everything from "9/26/2012" down to "string.string"
Where do we start?
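As an added example (not part of the question above, and not Splunk or Suricata code), here is a Python parser for the stats layout shown in the post. It starts a new event at each "Date:" line, pulls the date from the event header, and matches each counter row with a single regex that captures Counter, TM Name (as module) and Value, so every row carries its own three fields plus the date of the enclosing event. The sample log is constructed to mirror the format in the question; the two events, the field names and the regexes are my assumptions, not anything from the original post or from Suricata's real counter list.

```python
import re
from datetime import datetime

# Constructed sample input in the layout shown in the question (two events, not real Suricata output).
SAMPLE_LOG = """\
------------------------------------------------------------------
Date: 9/26/2012 -- 16:57:53 (uptime: 0d, 00h 00m 24s)
------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------
tcp.sessions | Detect | 2932
tcp.blah | Whatever | 42
string.string | string | 0
------------------------------------------------------------------
Date: 9/26/2012 -- 16:58:01 (uptime: 0d, 00h 00m 32s)
------------------------------------------------------------------
Counter | TM Name | Value
------------------------------------------------------------------
tcp.sessions | Detect | 3001
------------------------------------------------------------------
"""

# Event header: only the date/time is captured; the uptime part is ignored.
DATE_RE = re.compile(r"^Date:\s+(?P<date>\d{1,2}/\d{1,2}/\d{4}\s+--\s+\d{2}:\d{2}:\d{2})")

# One counter row: "name.with.dots | TM Name | integer".  The pipe is escaped as \| because a
# bare | is regex alternation.  The header row ("Counter | TM Name | Value") has no dot in its
# first column, so it does not match, and the dashed separator lines match nothing.
ROW_RE = re.compile(
    r"^(?P<counter>[a-z0-9_]+(?:\.[a-z0-9_]+)+)\s*\|\s*(?P<module>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$"
)


def split_events(text):
    """Split the log into events, starting a new event at every 'Date:' line.

    Breaking on the 'Date:' line rather than on the dashed separator avoids the
    extra, empty event that a separator-only prefix would otherwise produce.
    """
    events = []
    current = []
    for line in text.splitlines():
        if DATE_RE.match(line):
            if current:
                events.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        events.append(current)
    return events


def parse_event(lines):
    """Return one record per counter row, each carrying the date of its event."""
    event_date = None
    records = []
    for line in lines:
        m = DATE_RE.match(line)
        if m:
            event_date = datetime.strptime(m.group("date"), "%m/%d/%Y -- %H:%M:%S")
            continue
        m = ROW_RE.match(line.strip())
        if m and event_date is not None:
            records.append({
                "date": event_date,
                "counter": m.group("counter"),
                "module": m.group("module"),
                "value": int(m.group("value")),
            })
    return records


def parse_stats(text):
    """Parse a whole stats log into a flat list of (date, counter, module, value) records."""
    records = []
    for event in split_events(text):
        records.extend(parse_event(event))
    return records


if __name__ == "__main__":
    for rec in parse_stats(SAMPLE_LOG):
        print(rec["date"].isoformat(), rec["counter"], rec["module"], rec["value"])
```

Run on the sample it yields four records, three carrying the first event's timestamp and one carrying the second, which is the per-row association the question asks for. The two regexes are the same shape a single-line extraction needs: one anchored on the "Date:" header for the event time, and one per-row pattern with the pipes escaped, since an unescaped `|` splits the pattern into alternatives rather than matching the column separator.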