cancel
Showing results for 
Search instead for 
Did you mean: 

ESM ASP help

I have a log that when injested turns a multi line file into a single line with multiple logs. I have a parser that if all the logs were on separate lines it would work fine, however since it is a single line that is just wrapping text it stops after the first complete match. I have tested my regex in regex101.com and it works great, but in the ESM it stops after the bold portion. Does anyone have any idea what could fix this?

Log

--------

############################################# # FTP access: # ############################################# DATE TIME HOST CLIENT IP ADDRESS Jan 29 06:04:31 somehost 10.30.142.80 Jan 29 06:09:31 somehost 10.30.142.80

Regex

----------

\s*(?P<Date>[A-Za-z]{3}\s[0-9]{2}\s[0-9]{2}:[0-9]{2}:[0-9]{2})\s(?P<Host>[A-Za-z\-]*)\s(?P<SourceIP>[\d]{1,3}\x2e[\d]{1,3}\x2e[\d]{1,3}\x2e[\d]{1,3})

 

3 Replies
Reliable Contributor brenta
Reliable Contributor
Report Inappropriate Content
Message 2 of 4

Re: ESM ASP help

How are you getting this log to the receiver? Are you polling for it or sending it via syslog or some other mechanism?

Brent

Re: ESM ASP help

It is coming in as a flat file from a custom application that runs on a solaris box. It is dropped into a folder than picked up from that receiver. I think I may have figured it out by telling the datasource to utilize \r?\n as line breaks but we will see once another upload comes in.

Highlighted
Reliable Contributor brenta
Reliable Contributor
Report Inappropriate Content
Message 4 of 4

Re: ESM ASP help

Yeah, that can be the issue. Or the encoding is set incorrectly.

A useful *nix command is file. You can run it on an arbitrary file and get some basic inforamtion around it's contents. For example;

$ file data.json
data.json: ASCII text, with very long lines, with no line terminators

Then ensure the encoding in the datasource is set correctly. UTF-8 is bacwards compatible to ASCII so I recommend just setting ASCII encoding to UTF-8.

Brent
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community