mrejay
Level 8
Message 1 of 7

[ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Hi, community. Hoping someone could help shed some light on an issue I'm running into with Advanced Syslog Parser, which I'm fairly new to.

I created a custom rule for ADAudit Plus logs, which includes events that fall under several categories (e.g. LogonReports, UserMgtReports, etc.). Because of the fragmented nature of the information received, I opted to write individual regular expressions to capture the fields that are most important to us. Here's a redacted screenshot to help illustrate:

[Screenshot: ASP Sample.png]

I have a total of 17 individual Regular Expressions in the above rule that are meant to capture 18 separate fields. When I check the Sample Log Data section, all the fields I want are highlighted in blue as expected.

The problem I have is a few of the named captures are NOT showing up in the Key-Value table on the right, specifically those AFTER the 14th Regular Expression on the above list.

Does this mean that there is a limit to the number of Named Captures you can retrieve in a single rule? Would it be better to define individual ASP rules for each of the possible categories in the syslog (have not tried going this route admittedly as I was hoping to get everything done with a single rule)?

Cheers and looking forward to your replies.

6 Replies

Re: [ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Hi,

1- Why did you write the REGEX syntax in multiple lines?

   Is the raw log in the packet on separate lines?

2- Please share the syntax of the regex lines that are not triggering; maybe they are not correct.


Best regards

David.

mrejay
Level 8
Message 3 of 7

Re: [ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Hi, David.

1. There's only a single line per packet, but since it falls under a different category (i.e. with a different field composition each time), I assumed I'd need to write multiple RegEx lines to capture all the possible combinations. Is this approach wrong? Is it better to write individual Custom Parsers for EACH category instead (consequently limiting the RegEx functions to a single line only)?

2. Here are the ones not triggering (the last 3 in the order of the multiple RegEx lines in my Custom Parser):

\[\sACCOUNT_NAME\s\=\s(?P<account_name>.*?)\s\]

\[\sACCOUNT_DOMAIN\s\=\s(?P<account_domain>.*?)\s\]

\[\sALERT_PROFILE\s\=\s(?P<alert_profile>.*?)\s\]

Thank you!

Re: [ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Hi 

Could you share a packet / raw log for example and testing?

(just change the details of addresses and hosts.)


Thank you

mrejay
Level 8
Message 5 of 7

Re: [ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Here are several sample lines from the log:

<110>1 2018-10-08T16:03:51.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = LogonReports ]  [ REPORT_PROFILE = All Users Logon ]  [ USERNAME = JONDOE ]  [ CLIENT_IP_ADDRESS = 10.20.30.40 ]  [ CLIENT_HOST_NAME = 10.20.30.40 ]  [ TIME_GENERATED = 1538967831 ]  [ RECORD_NUMBER = 1234567890 ]  [ EVENT_TYPE = 8 ]  [ EVENT_TYPE_TEXT = Success ]  [ DOMAIN = DOMAIN.COM ]  [ SOURCE = SRC-SVR-NAME01 ]  [ LOGON_SERVICE = krbtgt ]  [ USER_SID = %{S-1-x-xx-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx} ]  [ ERROR_CODE = 0x0 ]  [ ERROR_CODE_TEXT = - ]  [ EVENT_NUMBER = 4768 ]  [ REMARKS = A Kerberos authentication ticket (TGT) was requested. ]  [ PRE_AUTHENTICATION_TYPE = 2 ]  [ TRANSITED_SERVICES = null ]  [ TICKET_OPTIONS = 0x00000000 ]  [ TICKET_ENCRYPTION_TYPE = 0x12 ]  [ CLIENT_PORT = 00000 ]  [ CERTIFICATE_THUMBPRINT = null ]  [ CERTIFICATE_SERIAL_NUMBER = null ]  [ CERTIFICATE_ISSUER_NAME = null ]  [ USER_SAM_ACCOUNT_NAME = null ]  [ USER_DISPLAY_NAME = null ]  [ USER_PRINCIPAL_NAME = null ]  [ USER_GUID = null ]  [ USER_DISTINGUISH_NAME = null ]  [ USER_OU_GUID = null ]  [ USER_DEPARTMENT = null ]  [ USER_MANAGER_NAME = null ]  [ CLIENT_HOST_DOMAIN_NAME = null ]  [ SOURCE_NAME = null ]  [ LOG_FILE_NAME = null ]  [ KEYWORDS_NAME = null ]  [ TASK_CATEGORY_NAME = null ]  [ TASK_CATEGORY_ID = null ]  [ EXTRA_COLUMN1 = null ]  [ EXTRA_COLUMN2 = null ]  [ EXTRA_COLUMN3 = null ]  [ EXTRA_COLUMN4 = null ]  [ EXTRA_COLUMN5 = null ]  [ EXTRA_COLUMN6 = null ]  [ EXTRA_COLUMN7 = null ]  [ EXTRA_COLUMN8 = null ]  [ EXTRA_COLUMN9 = null ]  [ EXTRA_COLUMN10 = null ]  [ CONFIGURED_DOMAIN_NAME = null ]
<110>1 2018-10-10T16:18:30.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = ComputerMgmtReports ]  [ REPORT_PROFILE = Computer Attributes Changed ]  [ COMP_MGMT_TYPE = servicePrincipalName ]  [ TIME_GENERATED = 1539141510 ]  [ FORMAT_MESSAGE = Computer 'COMPUTERNAME' was modified by  'DOMAIN\COMPUTERNAME$'Modified Properties : servicePrincipalName, Values : TERMSRV/COMPUTERNAME.clients.domain.com ]  [ ACCOUNT_NAME = COMPUTERNAME ]  [ ACCOUNT_DOMAIN = domain.com ]  [ ACCOUNT_SID = %{S-1-x-xx-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx} ]  [ CALLER_USER_NAME = COMPUTERNAME$ ]  [ CALLER_USER_DOMAIN = DOMAIN ]  [ CALLER_LOGON_ID = 0x00000000 ]  [ SOURCE = SRC-SVR-NAME01 ]  [ EVENT_NUMBER = 5136 ]  [ REMARKS = Computer Attribute Added ]  [ RECORD_NUMBER = 1234567890 ]  [ CALLER_USER_SID = S-1-x-xx-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx ]  [ ATTRIBUTES_TEXT = Service-Principal-Name ]  [ ATTRIBUTES_NEW_VALUE = TERMSRV/COMPUTERNAME.clients.domain.com ]  [ ATTRIBUTES_OLD_VALUE = null ]  [ CORRELATION_ID = {ABCD12E3-F456-78A9-BC01-D2E34F5A6789} ]  [ ATTRIBUTE_CATEGORY_ID = 0 ]  [ ACCOUNT_SAM_ACCOUNT_NAME = null ]  [ ACCOUNT_DISPLAY_NAME = null ]  [ ACCOUNT_USER_PRINCIPAL_NAME = null ]  [ ACCOUNT_USER_GUID = null ]  [ ACCOUNT_DISTINGUISH_NAME = null ]  [ ACCOUNT_NAME_OU_GUID = null ]  [ ACCOUNT_USER_DEPARTMENT = null ]  [ ACCOUNT_USER_MANAGER_NAME = null ]  [ CALLER_SAM_ACCOUNT_NAME = null ]  [ CALLER_DISPLAY_NAME = null ]  [ CALLER_USER_PRINCIPAL_NAME = null ]  [ CALLER_USER_GUID = null ]  [ CALLER_DISTINGUISH_NAME = null ]  [ CALLER_USER_OU_GUID = null ]  [ CALLER_USER_DEPARTMENT = null ]  [ CALLER_USER_MANAGER_NAME = null ]  [ ATTRIBUTE_SYNTAX = null ]  [ OP_APPLN_CORRELATION_ID = null ]  [ OP_CORRELATION_ID = null ]  [ OP_TREE_DELETE = null ]  [ SOURCE_NAME = null ]  [ LOG_FILE_NAME = null ]  [ KEYWORDS_NAME = null ]  [ TASK_CATEGORY_NAME = null ]  [ TASK_CATEGORY_ID = null ]  [ EXTRA_COLUMN1 = null ]  [ EXTRA_COLUMN2 = null ]  [ EXTRA_COLUMN3 = null ]  [ EXTRA_COLUMN4 = null ]  [ EXTRA_COLUMN5 = null ]  [ EXTRA_COLUMN6 = null ]  [ EXTRA_COLUMN7 = null ]  [ EXTRA_COLUMN8 = null ]  [ EXTRA_COLUMN9 = null ]  [ EXTRA_COLUMN10 = null ]  [ UAC_VALUE = null ]  [ CONFIGURED_DOMAIN_NAME = null ]  [ ACTUAL_ATTR_NEW_VALUE = null ]  [ ACTUAL_ATTR_OLD_VALUE = null ]
<110>1 2018-10-10T09:34:45.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = ADAPAlerts ]  [ UNIQUE_ID = 123456 ]  [ ALERT_PROFILE = First Time -Host accessed by User ]  [ REPORT_PROFILE = AD Analytics ]  [ SEVERITY = 2 ]  [ TIME_GENERATED = 1539117285 ]  [ FORMAT_MESSAGE = host:computername.domain.com was accessed by user:JONDOE for the first time. Anomaly category:First Time -Host accessed by User  ]  [ SOURCE = User Behaviour Analytics ]  [ DOMAIN = domain.com ]
<110>1 2018-10-10T09:35:43.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = UserMgmtReports ]  [ REPORT_PROFILE = User Attributes Changed ]  [ USER_MGMT_TYPE = ms-Exch-Mailbox-Audit-Last-Delegate-Access ]  [ TIME_GENERATED = 1539117343 ]  [ FORMAT_MESSAGE = User 'travelgroup' was modified by  'HNZ\SVR-NAME01$'Modified Properties : msExchMailboxAuditLastDelegateAccess, Values : 20181009203537.0Z ]  [ ACCOUNT_NAME = travelgroup ]  [ ACCOUNT_DOMAIN = domain.com ]  [ ACCOUNT_SID = %{S-1-x-xx-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx} ]  [ CALLER_USER_NAME = SVR-NAME01$ ]  [ CALLER_USER_DOMAIN = DOMAIN ]  [ CALLER_LOGON_ID = 0x00000000 ]  [ SOURCE = SRC-SVR-NAME02.domain.com ]  [ EVENT_NUMBER = 5136 ]  [ REMARKS = User Modified ]  [ EVENT_TYPE = 8 ]  [ EVENT_TYPE_TEXT = Success ]  [ CALLER_MACHINE_NAME = null ]  [ RECORD_NUMBER = 1234567890 ]  [ CALLER_USER_SID = S-1-x-xx-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx ]  [ ATTRIBUTES_TEXT = ms-Exch-Mailbox-Audit-Last-Delegate-Access ]  [ ATTRIBUTES_NEW_VALUE = 20181009203537.0Z ]  [ ATTRIBUTES_OLD_VALUE = 20181008040007.0Z ]  [ OPERATION_TYPE = Value Added ]  [ CORRELATION_ID = {ABCD12E3-F456-78A9-BC01-D2E34F5A6789} ]  [ ATTRIBUTE_CATEGORY_ID = 1 ]  [ ACCOUNT_SAM_ACCOUNT_NAME = null ]  [ ACCOUNT_DISPLAY_NAME = null ]  [ ACCOUNT_USER_PRINCIPAL_NAME = null ]  [ ACCOUNT_USER_GUID = null ]  [ ACCOUNT_DISTINGUISH_NAME = null ]  [ ACCOUNT_NAME_OU_GUID = null ]  [ ACCOUNT_USER_DEPARTMENT = null ]  [ ACCOUNT_USER_MANAGER_NAME = null ]  [ CALLER_SAM_ACCOUNT_NAME = null ]  [ CALLER_DISPLAY_NAME = null ]  [ CALLER_USER_PRINCIPAL_NAME = null ]  [ CALLER_USER_GUID = null ]  [ CALLER_DISTINGUISH_NAME = null ]  [ CALLER_USER_OU_GUID = null ]  [ CALLER_USER_DEPARTMENT = null ]  [ CALLER_USER_MANAGER_NAME = null ]  [ PROCESS_ID = null ]  [ PROCESS_NAME = null ]  [ ATTRIBUTE_SYNTAX = null ]  [ OP_APPLN_CORRELATION_ID = null ]  [ OP_CORRELATION_ID = null ]  [ OP_TREE_DELETE = null ]  [ SOURCE_NAME = null ]  [ LOG_FILE_NAME = null ]  [ KEYWORDS_NAME = null ]  [ TASK_CATEGORY_NAME = null ]  [ TASK_CATEGORY_ID = null ]  [ EXTRA_COLUMN1 = null ]  [ EXTRA_COLUMN2 = null ]  [ EXTRA_COLUMN3 = null ]  [ EXTRA_COLUMN4 = null ]  [ EXTRA_COLUMN5 = null ]  [ EXTRA_COLUMN6 = null ]  [ EXTRA_COLUMN7 = null ]  [ EXTRA_COLUMN8 = null ]  [ EXTRA_COLUMN9 = null ]  [ EXTRA_COLUMN10 = null ]  [ UAC_VALUE = null ]  [ CONFIGURED_DOMAIN_NAME = null ]  [ ACTUAL_ATTR_NEW_VALUE = null ]  [ ACTUAL_ATTR_OLD_VALUE = null ]
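An added check, not from the thread or from McAfee ASP, that runs the three patterns posted in message 3 and one generic `[ KEY = VALUE ]` pattern over constructed lines laid out like the samples above (cut down to a few pairs, values redacted). It uses Python's `re`, so named groups take the `(?P<name>)` form; it shows that the three posted patterns do match their fields on these lines, and that a single repeated pattern recovers every pair regardless of category.

```python
import re

# Constructed sample lines in the ADAuditPlus "[ KEY = VALUE ]" layout from the thread
# (values redacted, most pairs dropped); they are not real captures.
SAMPLE_LINES = [
    "<110>1 2018-10-08T16:03:51.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = LogonReports ]"
    "  [ REPORT_PROFILE = All Users Logon ]  [ USERNAME = JONDOE ]  [ CLIENT_IP_ADDRESS = 10.20.30.40 ]"
    "  [ EVENT_NUMBER = 4768 ]  [ REMARKS = A Kerberos authentication ticket (TGT) was requested. ]"
    "  [ TRANSITED_SERVICES = null ]",
    "<110>1 2018-10-10T16:18:30.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = ComputerMgmtReports ]"
    "  [ ACCOUNT_NAME = COMPUTERNAME ]  [ ACCOUNT_DOMAIN = domain.com ]  [ CALLER_USER_NAME = COMPUTERNAME$ ]",
    "<110>1 2018-10-10T09:34:45.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = ADAPAlerts ]"
    "  [ ALERT_PROFILE = First Time -Host accessed by User ]  [ SEVERITY = 2 ]"
    "  [ FORMAT_MESSAGE = host:computername.domain.com was accessed by user:JONDOE  ]",
]

# The three per-field patterns from message 3, as posted (Python (?P<name>) group syntax).
FIELD_PATTERNS = {
    "account_name": re.compile(r"\[\sACCOUNT_NAME\s\=\s(?P<account_name>.*?)\s\]"),
    "account_domain": re.compile(r"\[\sACCOUNT_DOMAIN\s\=\s(?P<account_domain>.*?)\s\]"),
    "alert_profile": re.compile(r"\[\sALERT_PROFILE\s\=\s(?P<alert_profile>.*?)\s\]"),
}

# One generic pattern for every pair: KEY is an identifier, VALUE runs lazily up to the
# closing " ]". It does not depend on the category or on the order of the pairs.
PAIR_RE = re.compile(r"\[\s(?P<key>\w+)\s=\s(?P<value>.*?)\s\]")


def apply_field_patterns(line: str) -> dict:
    """Report which of the posted named captures fire on this line, and with what value."""
    hits = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(line)
        if m is not None:
            hits[name] = m.group(name)
    return hits


def parse_pairs(line: str) -> dict:
    """Extract every KEY/VALUE pair; 'null' becomes None and padding is trimmed
    (the ADAPAlerts sample carries a double space before its closing bracket)."""
    fields = {}
    for m in PAIR_RE.finditer(line):
        value = m.group("value").strip()
        fields[m.group("key")] = None if value == "null" else value
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pairs = parse_pairs(line)
        print(f"{pairs['Category']}: {len(pairs)} pairs; per-field hits: {apply_field_patterns(line)}")
```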

Re: [ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Hi,

I'm attaching the REGEX for the first log in the list you sent;
now it's going to work.

Enjoy

REGEX (it's in a one-line format):

\x3c\d+\x3e\d+\s+(?<Log_date>[^T]+)T(?<Log_time>[^\s]+)\s+.*Category\s\x3d\s(?<Category>[^\x5d]+)\x5d\s+\x5b\s+REPORT_PROFILE\s+\x3d\s+(?<REPORT_PROFILE>[^\x5d]+)\x5d\s+\x5b\s+USERNAME\s+\x3d\s+(?<USERNAME>[^\x5d]+)\x5d\s+\x5b\s+CLIENT_IP_ADDRESS\s+\x3d\s+(?<CLIENT_IP_ADDRESS>[^\x5d]+)\x5d\s+\x5b\s+CLIENT_HOST_NAME\s+\x3d\s+(?<CLIENT_HOST_NAME>[^\x5d]+)\x5d\s+\x5b\s+TIME_GENERATED\s+\x3d\s+(?<TIME_GENERATED>[^\x5d]+)\x5d\s+\x5b\s+RECORD_NUMBER\s+\x3d\s+(?<RECORD_NUMBER>[^\x5d]+)\x5d\s+\x5b\s+EVENT_TYPE\s+\x3d\s+(?<EVENT_TYPE>[^\x5d]+)\x5d\s+\x5b\s+EVENT_TYPE_TEXT\s+\x3d\s+(?<EVENT_TYPE_TEXT>[^\x5d]+)\x5d\s+\x5b\s+DOMAIN\s+\x3d\s+(?<DOMAIN>[^\x5d]+)\x5d\s+\x5b\s+SOURCE\s+\x3d\s+(?<SOURCE>[^\x5d]+)\x5d\s+\x5b\s+LOGON_SERVICE\s+\x3d\s+(?<LOGON_SERVICE>[^\x5d]+)\x5d\s+\x5b\s+USER_SID\s+\x3d\s+(?<USER_SID>[^\x5d]+)\x5d\s+\x5b\s+ERROR_CODE\s+\x3d\s+(?<ERROR_CODE>[^\x5d]+)\x5d\s+\x5b\s+ERROR_CODE_TEXT\s+\x3d\s+(?<ERROR_CODE_TEXT>[^\x5d]+)\x5d\s+\x5b\s+EVENT_NUMBER\s+\x3d\s+(?<EVENT_NUMBER>[^\x5d]+)\x5d\s+\x5b\s+REMARKS\s+\x3d\s+(?<REMARKS>[^\x5d]+)\x5d\s+\x5b\s+PRE_AUTHENTICATION_TYPE\s+\x3d\s+(?<AUTHENTICATION_TYPE>[^\x5d]+)\x5d\s+\x5b\s+TRANSITED_SERVICES\s+\x3d\s+(?<TRANSITED_SERVICES>[^\x5d]+)\x5d\s+\x5b\s+TICKET_OPTIONS\s+\x3d\s+(?<TICKET_OPTIONS>[^\x5d]+)\x5d\s+\x5b\s+TICKET_ENCRYPTION_TYPE\s+\x3d\s+(?<TICKET_ENCRYPTION_TYPE>[^\x5d]+)\x5d\s+\x5b\s+CLIENT_PORT\s+\x3d\s+(?<CLIENT_PORT>[^\x5d]+)\x5d\s+\x5b\s+CERTIFICATE_THUMBPRINT\s+\x3d\s+(?<CERTIFICATE_THUMBPRINT>[^\x5d]+)\x5d\s+\x5b\s+CERTIFICATE_SERIAL_NUMBER\s+\x3d\s+(?<CERTIFICATE_SERIAL_NUMBER>[^\x5d]+)\x5d\s+\x5b\s+CERTIFICATE_ISSUER_NAME\s+\x3d\s+(?<CERTIFICATE_ISSUER_NAME>[^\x5d]+)\x5d\s+\x5b\s+USER_SAM_ACCOUNT_NAME\s+\x3d\s+(?<USER_SAM_ACCOUNT_NAME>[^\x5d]+)\x5d\s+\x5b\s+USER_DISPLAY_NAME\s+\x3d\s+(?<USER_DISPLAY_NAME>[^\x5d]+)\x5d\s+\x5b\s+USER_PRINCIPAL_NAME\s+\x3d\s+(?<USER_PRINCIPAL_NAME>[^\x5d]+)\x5d\s+\x5b\s+USER_GUID\s+\x3d\s+(?<USER_GUID>[^\x5d]+)\x5d\s+\x5b\s+USER_DISTINGUISH_NAME\s+\x3d\s+(?<USER_DISTINGUISH_NAME>[^\x5d]+)\x5d\s+\x5b\s+USER_OU_GUID\s+\x3d\s+(?<USER_OU_GUID>[^\x5d]+)\x5d\s+\x5b\s+USER_DEPARTMENT\s+\x3d\s+(?<USER_DEPARTMENT>[^\x5d]+)\x5d\s+\x5b\s+USER_MANAGER_NAME\s+\x3d\s+(?<USER_MANAGER_NAME>[^\x5d]+)\x5d\s+\x5b\s+CLIENT_HOST_DOMAIN_NAME\s+\x3d\s+(?<CLIENT_HOST_DOMAIN_NAME>[^\x5d]+)\x5d\s+\x5b\s+SOURCE_NAME\s+\x3d\s+(?<SOURCE_NAME>[^\x5d]+)\x5d\s+\x5b\s+LOG_FILE_NAME\s+\x3d\s+(?<LOG_FILE_NAME>[^\x5d]+)\x5d\s+\x5b\s+KEYWORDS_NAME\s+\x3d\s+(?<KEYWORDS_NAME>[^\x5d]+)\x5d\s+\x5b\s+TASK_CATEGORY_NAME\s+\x3d\s+(?<TASK_CATEGORY_NAME>[^\x5d]+)\x5d\s+\x5b\s+TASK_CATEGORY_ID\s+\x3d\s+(?<TASK_CATEGORY_ID>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN1\s+\x3d\s+(?<EXTRA_COLUMN1>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN2\s+\x3d\s+(?<EXTRA_COLUMN2>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN3\s+\x3d\s+(?<EXTRA_COLUMN3>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN4\s+\x3d\s+(?<EXTRA_COLUMN4>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN5\s+\x3d\s+(?<EXTRA_COLUMN5>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN6\s+\x3d\s+(?<EXTRA_COLUMN6>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN7\s+\x3d\s+(?<EXTRA_COLUMN7>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN8\s+\x3d\s+(?<EXTRA_COLUMN8>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN9\s+\x3d\s+(?<EXTRA_COLUMN9>[^\x5d]+)\x5d\s+\x5b\s+EXTRA_COLUMN10\s+\x3d\s+(?<EXTRA_COLUMN10>[^\x5d]+)\x5d\s+\x5b\s+CONFIGURED_DOMAIN_NAME\s+\x3d\s+(?<CONFIGURED_DOMAIN_NAME>[^\x5d]+)\x5d


The log text that was used:

<110>1 2018-10-08T16:03:51.000+13:00 SVR-NAME ADAuditPlus - - -  [ Category = LogonReports ]  [ REPORT_PROFILE = All Users Logon ]  [ USERNAME = JONDOE ]  [ CLIENT_IP_ADDRESS = 10.20.30.40 ]  [ CLIENT_HOST_NAME = 10.20.30.40 ]  [ TIME_GENERATED = 1538967831 ]  [ RECORD_NUMBER = 1234567890 ]  [ EVENT_TYPE = 8 ]  [ EVENT_TYPE_TEXT = Success ]  [ DOMAIN = DOMAIN.COM ]  [ SOURCE = SRC-SVR-NAME01 ]  [ LOGON_SERVICE = krbtgt ]  [ USER_SID = %{S-1-x-xx-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxx} ]  [ ERROR_CODE = 0x0 ]  [ ERROR_CODE_TEXT = - ]  [ EVENT_NUMBER = 4768 ]  [ REMARKS = A Kerberos authentication ticket (TGT) was requested. ]  [ PRE_AUTHENTICATION_TYPE = 2 ]  [ TRANSITED_SERVICES = null ]  [ TICKET_OPTIONS = 0x00000000 ]  [ TICKET_ENCRYPTION_TYPE = 0x12 ]  [ CLIENT_PORT = 00000 ]  [ CERTIFICATE_THUMBPRINT = null ]  [ CERTIFICATE_SERIAL_NUMBER = null ]  [ CERTIFICATE_ISSUER_NAME = null ]  [ USER_SAM_ACCOUNT_NAME = null ]  [ USER_DISPLAY_NAME = null ]  [ USER_PRINCIPAL_NAME = null ]  [ USER_GUID = null ]  [ USER_DISTINGUISH_NAME = null ]  [ USER_OU_GUID = null ]  [ USER_DEPARTMENT = null ]  [ USER_MANAGER_NAME = null ]  [ CLIENT_HOST_DOMAIN_NAME = null ]  [ SOURCE_NAME = null ]  [ LOG_FILE_NAME = null ]  [ KEYWORDS_NAME = null ]  [ TASK_CATEGORY_NAME = null ]  [ TASK_CATEGORY_ID = null ]  [ EXTRA_COLUMN1 = null ]  [ EXTRA_COLUMN2 = null ]  [ EXTRA_COLUMN3 = null ]  [ EXTRA_COLUMN4 = null ]  [ EXTRA_COLUMN5 = null ]  [ EXTRA_COLUMN6 = null ]  [ EXTRA_COLUMN7 = null ]  [ EXTRA_COLUMN8 = null ]  [ EXTRA_COLUMN9 = null ]  [ EXTRA_COLUMN10 = null ]  [ CONFIGURED_DOMAIN_NAME = null ]


And here is a picture of the test in the McAfee ESM: REGEX.PNG


Re: [ESM 10.3.1] Some RegEx Named Captures not showing up in Key-Value Table

Hi,
Did the above help?