4 Replies Latest reply: Mar 23, 2013 10:19 AM by ccannefax RSS

    ASP Parsing Question

    sansjim

      Hello all,

       

      I am new here and have a couple of questions about ASP Parsing.

       

      I have a syslog string coming in from my UNIX systems that I would like to write a custom rule for.  The sample is below:

       

      <85>Feb 20 10:09:42 hostname dzdo:    user1 : TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=dstuser ; COMMAND=/usr/sbin/service rsyslogd restart

       

      On the parsing tab of the rule creation screen it gives me the option of including or not including the syslog header in the regex calculation.  If I don't select this and put a regex in to match everything else (.+), The header is identified as:

       

      <85>Feb 20 10:09:42 hostname

       

      Question 1 Do these three values automatically get mapped to specific fields like "last time" or "host"?

       

      Question 2 The name of the process that is generating these events is called dzdo.  This does not get recognized as part of the header from what I can see so if I use the optional "Provide a process name......" option will it match this event if I enter dzdo in that field?

       

      Thanks,

       

      Jim

        • 1. Re: ASP Parsing Question
          artek

          Hello Jim,

           

          in my opinion, it is not good idea to create a parse rule like yours: (.+). In this case all syslog messages will be catched by that rule, so - regardless of the content of the message - all events will be classified by that rule. If you have a trouble with using of regex, you can try to use http://gskinner.com/RegExr/ webpage.

           

          For example - in your case you can use the following regex - this is a version for enabled including the syslog header option:

           

          (\S+):    (\S+) : (\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.+)

           

          Then you can map the six capturing groups to suitable variables, like user, command, process or so one.

           

          Regards,

          Artur Sadownik

          • 2. Re: ASP Parsing Question
            sansjim

            Artur,

             

            Thank you for the response, though that isn't really what I was looking for so maybe I wasn't clear.

             

            The only reason I used the .+ is to initially see what part of the event was considered the header if I left the "Include syslog header in regular expression match" unchecked.  The regular expresion that I actually used is:

             

            \s(dzdo):\s+(\S+)\s:\sTTY=(\S+)\s\S\sPWD=(\S+)\s\S\sUSER=(\S+)\s\S\sCOMMAND=(.+)

             

            What I did find interesting as I was doing this is that there is actually a problem using a semi-colon in a regular expression in the ESM.  If you use a semi-colon in the regular expression, the expression will get truncated at the point of the semi-colon and the rest of the expression will be removed.  I actually had to replace the semi-colons with \S so that it would actually take my full expression.

             

            Since my post, I have actually been able to generate events so my first question about the mapping of the header fields has been answered.  If you have any insight on the second question regarding the process name, I would appreciate it.

             

            Thanks,

             

            Jim

            • 3. Re: ASP Parsing Question
              artek

              Jim,

               

              in this case you can try to use the ascii format for semi-colon:

               

              \x3b

               

              (http://www.asciitable.com/)

               

              For example:

               

              ESM10.PNG

               

              Regards,

              Artur Sadownik

              • 4. Re: ASP Parsing Question
                ccannefax

                To supplement Artek's post, I find it useful to print out (and hang up in your cube) the ascii table and hex codes for escaped characters. Quick reference.

                 

                If you are currently using ASP rules for something and are looking on how / what to parse for something coming in, copy the rule (and disable) and paste a raw log sample to use as sample data.  When walking thru logic for the copied rule, you can see how it parses fields. Use that to understand logic and it doesn't really hurt provided you are using disabled duplicate rules (which is why you disable).

                 

                I will test these rules with my PC by using a syslog generator with sample data (use current timestamps though) and setting up my PC data source in a different policy testing only my test rules.