808 Views, 4 Replies. Latest reply: Mar 23, 2013 10:19 AM by ccannefax
sansjim (Newcomer, 4 posts since Mar 27, 2012)
Feb 21, 2013 11:02 AM

ASP Parsing Question

Hello all,

I am new here and have a couple of questions about ASP parsing.

I have a syslog string coming in from my UNIX systems that I would like to write a custom rule for. The sample is below:

<85>Feb 20 10:09:42 hostname dzdo:    user1 : TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=dstuser ; COMMAND=/usr/sbin/service rsyslogd restart

On the parsing tab of the rule creation screen it gives me the option of including or not including the syslog header in the regex calculation. If I don't select this and put in a regex to match everything else (.+), the header is identified as:

<85>Feb 20 10:09:42 hostname

Question 1: Do these three values automatically get mapped to specific fields like "last time" or "host"?

Question 2: The name of the process that is generating these events is called dzdo. This does not get recognized as part of the header from what I can see, so if I use the optional "Provide a process name......" option, will it match this event if I enter dzdo in that field?

Thanks,

Jim

  • artek (Apprentice, 76 posts since Sep 11, 2012)
    1. Feb 24, 2013 5:02 PM (in response to sansjim)
    Re: ASP Parsing Question

    Hello Jim,

    In my opinion, it is not a good idea to create a parse rule like yours: (.+). In this case all syslog messages will be caught by that rule, so, regardless of the content of the message, all events will be classified by that rule. If you have trouble using regex, you can try the http://gskinner.com/RegExr/ webpage.

    For example, in your case you can use the following regex; this is the version for when the "include the syslog header" option is enabled:

    (\S+):    (\S+) : (\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.+)

    Then you can map the six capturing groups to suitable variables, like user, command, process or so on.

    Regards,

    Artur Sadownik

  • artek (Apprentice, 76 posts since Sep 11, 2012)
    3. Feb 25, 2013 3:26 PM (in response to sansjim)
    Re: ASP Parsing Question

    Jim,

    In this case you can try to use the ASCII form for the semicolon:

    \x3b

    (http://www.asciitable.com/)

    For example:

    [screenshot: ESM10.PNG]

    Regards,

    Artur Sadownik
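An added example, not from this thread and not McAfee ESM code, that applies Artek's six-group regex from reply 1 to Jim's sample line, with each semicolon written as \x3b as in reply 3, after splitting off the syslog header the way the parsing tab reports it. The header pattern, the field names, the decoding of the PRI value and the second (sshd) sample line are my own assumptions, and the literal run of four spaces after "dzdo:" is loosened to \s+.

```python
import re

# Constructed sample line, copied from the question (hostname and users are placeholders).
DZDO_LINE = ("<85>Feb 20 10:09:42 hostname dzdo:    user1 : TTY=pts/1 ; "
             "PWD=/etc/rsyslog.d ; USER=dstuser ; COMMAND=/usr/sbin/service rsyslogd restart")
# Constructed second line to show that the specific rule, unlike (.+), leaves other events alone.
SSHD_LINE = "<38>Feb 20 10:10:01 hostname sshd[2211]: Accepted publickey for user1 from 10.0.0.5"

# Syslog header as the parsing tab shows it: <PRI>, BSD timestamp, hostname; the rest is the body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$"
)

# Artek's six-group regex, with each ";" written as \x3b as in reply 3 and the literal
# run of four spaces after "dzdo:" loosened to \s+ (an assumption, not Artek's version).
BODY_RE = re.compile(
    r"^(\S+):\s+(\S+) : (\S+) \x3b PWD=(\S+) \x3b USER=(\S+) \x3b COMMAND=(.+)$"
)

# Names for the six capturing groups, in order (assumed names, not ESM field names).
GROUP_NAMES = ("process", "user", "tty", "pwd", "target_user", "command")


def split_header(line):
    """Return the header fields plus the remaining body, or None if the header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    # RFC 3164: PRI = facility * 8 + severity (85 -> facility 10 authpriv, severity 5 notice).
    return {"facility": pri // 8, "severity": pri % 8,
            "time": m.group("ts"), "host": m.group("host"), "body": m.group("body")}


def parse_dzdo(line):
    """Apply the six-group rule to one line; None means the rule does not fire for it."""
    hdr = split_header(line)
    if hdr is None:
        return None
    b = BODY_RE.match(hdr.pop("body"))
    if b is None:
        return None
    fields = dict(zip(GROUP_NAMES, b.groups()))
    fields["tty"] = fields["tty"].split("=", 1)[1]  # "TTY=pts/1" -> "pts/1"
    return {**hdr, **fields}


if __name__ == "__main__":
    print(parse_dzdo(DZDO_LINE))
    print(parse_dzdo(SSHD_LINE))  # None: an sshd line is not classified by the dzdo rule
```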

  • ccannefax (Newcomer, 12 posts since Nov 13, 2012)
    4. Mar 23, 2013 10:19 AM (in response to artek)
    Re: ASP Parsing Question

    To supplement Artek's post, I find it useful to print out (and hang up in your cube) the ASCII table and hex codes for escaped characters. Quick reference.

    If you are currently using ASP rules for something and are looking at how / what to parse for something coming in, copy the rule (and disable it) and paste a raw log sample to use as sample data. When walking through the logic for the copied rule, you can see how it parses fields. Use that to understand the logic; it doesn't really hurt provided you are using disabled duplicate rules (which is why you disable).

    I will test these rules on my PC by using a syslog generator with sample data (use current timestamps though) and setting up my PC data source in a different policy, testing only my test rules.
