I'm trying to write a custom parser for a small application that we use called Robo-FTP. The log files are a bit difficult for me to nail down and get parsed.
A sample log entry looks like this:
Fri Oct 05 08:35:26 => *Sending file "\\Aps_image_1\CG\CSS\PROD\FTP\STATUSES\FLIGHTDECK\CUSTNAME\TRANSMIT\10050833.850.pgp"
Fri Oct 05 08:35:27 => *Complete, transmitted 1277 bytes in 1 second (1.25K cps)
Fri Oct 05 08:35:27 => *Upload complete, 1 file sent.
I'm trying out my regex in the new syslog parser screen and I'm running into issues. A single line of regex which captures all of my required groups in RegEx101.com completely fails in the SIEM. So I broke it up into separate lines of regex for each line of the log that I want to look at, and it captures the correct groups in the sample log field, but it only maps out the keys and values of the first line, even though the groups are highlighted in the second line.
The sad thing is, I used to support this product for almost two years, working directly with McAfee, and I never saw this happen with any of the customers I worked with.
Anyone seen this before and know how to get around it? I've already tried using \R in the regex to denote the carriage return and see if that will get me all the capture groups, but it looks like the SIEM doesn't utilize \R.
Any help would be GREATLY appreciated! Thanks!
This is the regex broken up into separate lines:
And this is it as one contiguous line of regex:
I've also tried swapping out the \R's for \s's, and that parses in RegEx101 as well, but also fails completely in the SIEM. So far, the closest I've gotten is running the multiple lines of regex, which acts as you see in my screenshot above.
(Note: I did make a small change to add another capture group for the speed of the file transfer, as we want to know that as well.)
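As an added example (not part of the original post, and not code from Robo-FTP or the SIEM), here is a small Python parser for the three-line sequence quoted above. It shows both approaches described in the post side by side: one pattern per line type with state carried across lines, and one contiguous pattern that spans the line breaks. The sample lines are constructed from the post (joined with CRLF, which is an assumption), and the group and field names are my own. Python's `re` module also rejects `\R` as a bad escape, so the multi-line form spells the line break out as `\r?\n`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three lines quoted in the post, joined with Windows
# line endings (an assumption; Robo-FTP runs on Windows). Not real traffic.
SAMPLE_LINES = [
    r'Fri Oct 05 08:35:26 => *Sending file "\\Aps_image_1\CG\CSS\PROD\FTP\STATUSES\FLIGHTDECK\CUSTNAME\TRANSMIT\10050833.850.pgp"',
    r'Fri Oct 05 08:35:27 => *Complete, transmitted 1277 bytes in 1 second (1.25K cps)',
    r'Fri Oct 05 08:35:27 => *Upload complete, 1 file sent.',
]
SAMPLE_LOG = "\r\n".join(SAMPLE_LINES) + "\r\n"

# Every line starts with the same timestamp prefix; reuse it instead of retyping it.
TS = r'\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}'
NL = r'\r?\n'   # Python's re has no \R either ("bad escape \R"), so match CR?LF explicitly

# Approach 1: one pattern per line type (the form that got furthest in the post).
SENDING_RE = re.compile(rf'^(?P<ts>{TS}) => \*Sending file "(?P<path>[^"]+)"\s*$')
COMPLETE_RE = re.compile(
    rf'^(?P<ts>{TS}) => \*Complete, transmitted (?P<bytes>\d+) bytes'
    rf' in (?P<seconds>\d+) seconds? \((?P<speed>[\d.]+[KMG]?) cps\)\s*$'
)
UPLOAD_RE = re.compile(rf'^(?P<ts>{TS}) => \*Upload complete, (?P<files>\d+) files? sent\.\s*$')

# Approach 2: the same three lines as one contiguous pattern spanning the line breaks.
EVENT_RE = re.compile(
    rf'(?P<start_ts>{TS}) => \*Sending file "(?P<path>[^"]+)"{NL}'
    rf'(?P<end_ts>{TS}) => \*Complete, transmitted (?P<bytes>\d+) bytes'
    rf' in (?P<seconds>\d+) seconds? \((?P<speed>[\d.]+[KMG]?) cps\){NL}'
    rf'(?P<upload_ts>{TS}) => \*Upload complete, (?P<files>\d+) files? sent\.'
)


def parse_event_single_regex(text: str) -> list:
    """Single-pattern approach: a match only occurs when all three lines are adjacent."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]


@dataclass
class Transfer:
    path: str
    start_ts: str
    end_ts: Optional[str] = None
    bytes: Optional[int] = None
    seconds: Optional[int] = None
    speed: Optional[str] = None   # kept as logged ("1.25K"); units are not documented in the post


def parse_transfers(text: str):
    """Per-line approach: match each line on its own and carry state across lines.

    Returns (transfers, files_sent). A 'Complete' line is attached to the most
    recent 'Sending' line that has not yet completed; an orphaned 'Complete'
    line (no open transfer) is ignored rather than mis-attributed.
    """
    transfers, files_sent = [], 0
    pending: Optional[Transfer] = None
    for line in text.splitlines():          # accepts \r\n, \n and bare \r
        if m := SENDING_RE.match(line):
            pending = Transfer(path=m["path"], start_ts=m["ts"])
            transfers.append(pending)
        elif (m := COMPLETE_RE.match(line)) and pending is not None:
            pending.end_ts = m["ts"]
            pending.bytes = int(m["bytes"])
            pending.seconds = int(m["seconds"])
            pending.speed = m["speed"]
            pending = None
        elif m := UPLOAD_RE.match(line):
            files_sent += int(m["files"])
    return transfers, files_sent


if __name__ == "__main__":
    print(parse_event_single_regex(SAMPLE_LOG))
    print(parse_transfers(SAMPLE_LOG))
```

The per-line form is the more forgiving of the two: it still produces a record when the three lines are not strictly adjacent (for example if another message is logged between "Sending" and "Complete"), whereas the contiguous pattern silently yields nothing in that case. Whichever form the SIEM accepts, the line-break handling is the part to check first, since a regex that hard-codes `\R` or a bare `\n` will fail on CRLF input without any other visible error.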
It seems that the regex is not 100% dynamic...
Please share an example of the raw log (packet).
Just don't forget to change details (IP addresses, hosts, etc.).
Waiting to see how we could help out.