
Parser creation


Hi, in my environment we have a large variety of data sources, many of which are customized and require the creation of a parser as they are not supported out of the box. While creating the parser I'm stuck at matching a random sentence; if anyone has also faced this kind of issue, please share any resolution for the same.

Secondly, what kind of parser technology is used in the SIEM? Is it Java based, Perl based or something else?

Accepted Solution

Re: Parser creation


Greetings!

If you're able to modify the outbound message from your data source, you might look at putting a delimiter around the random sentence. This could be quotation marks or any other character that does not show up within the data that you're trying to match. After that is completed, simply modify your regex to match your delimiter, followed by NOT your delimiter, followed by your delimiter. For example, if you do decide to use quotation marks, your regex would look like this: "([^"]+)" or, if you want the hex equivalent, \x22([^\x22]+)\x22

Short of that, I think I would need more information about what your messages look like in order to assist further. As far as I can tell, ASP uses a Perl engine, but that's a better question for the McAfee ESM developers!

Hope that's helpful.

Best Regards,

Rorik
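The delimiter technique from the accepted answer, worked through on a few constructed log lines as an added example (this is not code from the thread or from the McAfee ESM parser; the log format, field names and the `|` fallback delimiter are assumptions). It shows the quoted form and the `\x22` hex form of the same pattern, a small key/value parser that keeps the free-text field separate, and the one precondition the answer states: the delimiter must not occur inside the data, otherwise the match is cut short. The same pattern is valid PCRE syntax, so it carries over to the Perl-based engine mentioned below.

```python
import re

# Constructed sample lines (not from the original thread). The sending device
# wraps the free-text "msg" field in double quotes, as the answer suggests.
SAMPLE_LOGS = [
    'Jan 10 12:00:01 fw01 app[123]: user=alice action=login msg="Login from branch office" status=ok',
    'Jan 10 12:00:02 fw01 app[123]: user=bob action=upload msg="File report (Q1, final).pdf sent to HR" status=ok',
    'Jan 10 12:00:03 fw01 app[123]: user=carol action=login msg="" status=fail',
    'Jan 10 12:00:04 fw01 app[123]: user=dave action=login status=ok',  # no msg field at all
]

# The answer's pattern: delimiter, one or more NOT-delimiter, delimiter.
QUOTED_SENTENCE = re.compile(r'"([^"]+)"')
# Same thing written with hex escapes; \x22 is the double quote in both PCRE and Python re.
QUOTED_SENTENCE_HEX = re.compile(r'\x22([^\x22]+)\x22')


def build_pattern(delim):
    """Build the delimiter / not-delimiter / delimiter pattern for any single-character delimiter."""
    d = re.escape(delim)
    return re.compile(f'{d}([^{d}]+){d}')


def extract_sentence(line, pattern=QUOTED_SENTENCE):
    """Return the delimited free-text sentence, or None if the line has no (non-empty) one."""
    m = pattern.search(line)
    return m.group(1) if m else None


def parse_line(line):
    """Split a line into key=value fields; the quoted sentence is taken separately so its
    spaces and punctuation never leak into the token-based key/value match."""
    # (?!") skips the msg="..." pair so the quoted text is not cut at its first space.
    fields = dict(re.findall(r'(\w+)=(?!")(\S+)', line))
    fields['msg'] = extract_sentence(line)
    return fields


def delimiter_is_safe(messages, delim):
    """The answer's precondition: the chosen delimiter must not appear inside the data."""
    return all(delim not in m for m in messages)


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        print(parse_line(line))
    # Failure mode: a sentence that itself contains the delimiter is truncated at it.
    bad = 'msg="Login "quoted" word" status=ok'
    print(extract_sentence(bad))                       # 'Login '
    # Pick a delimiter absent from the observed messages and rebuild the pattern.
    print(delimiter_is_safe(['Login "quoted" word'], '"'))   # False
    print(delimiter_is_safe(['Login "quoted" word'], '|'))   # True
    print(extract_sentence('msg=|Login "quoted" word| status=ok', build_pattern('|')))
```

Running the script prints the parsed fields for each sample line, then shows the truncated match you get when the sentence contains the delimiter and the full match once a delimiter that does not occur in the data is used instead. `delimiter_is_safe` is the check to run over a representative sample of real messages before settling on the delimiter.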

5 Replies


Re: Parser creation


You need to use PCRE, that is, Perl-based regexes, for the parsing.

By the way, could you tell where you are testing your regular expressions before you deploy them as parsers?

Re: Parser creation


Hi itzamlan, I am testing the parser on www.RegExr.com.

Re: Parser creation


Hi Rorik, I have tried your suggestion and it seems to work in the expected manner. Let me match it with my other logs also.

Thanks a ton

Ravi

Re: Parser creation


Not a problem Ravi!

I enjoy www.RegExr.com but have also found www.Regex101.com to be very helpful.

Best Regards,

Rorik