5 Replies Latest reply on Nov 4, 2015 8:06 AM by rorik.koster

    Parser creation

    ravismallah

      Hi, in my environment we have a large variety of data sources, many of which are customized and require the creation of a parser as they are not supported out of the box. While creating the parser I am stuck at matching a random sentence; if anyone has also faced this kind of issue, please share any resolution for the same.


      Secondly, what kind of parser technology is used in SIEM? Is it Java based, Perl based or something else?

        • 1. Re: Parser creation
          rorik.koster

          Greetings!


          If you're able to modify the outbound message from your data source, you might look at putting a delimiter around the random sentence; this could be quotation marks or any other character that does not show up within the data that you're trying to match. After that is completed, simply modify your regex to match your delimiter, followed by NOT your delimiter, followed by your delimiter. For example, if you do decide to use quotation marks your regex would look like this: "([^"]+)"  or, if you want the hex equivalent: \x22([^\x22]+)\x22


          Short of that, I think I would need more information about what your messages look like in order to assist further. So far as I can tell, ASP uses a Perl engine, but that's a better question for the McAfee ESM developers!


          Hope that's helpful.


          Best Regards,

          Rorik
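          The delimiter approach from the reply above, worked through as an added example (this is not code from the thread or from McAfee ESM; the log lines are constructed, and Python's re module stands in for the PCRE engine since both read these patterns the same way). It applies both spellings of the pattern, builds the same pattern for an arbitrary delimiter, and adds the check a parser author wants: flagging lines where the delimiter leaked into the data, which is exactly the case where "([^"]+)" silently truncates the field.

```python
import re
from typing import List, Optional

# Constructed sample messages (not from the original thread). The custom data
# source was changed to wrap its free-text field in double quotes, as suggested.
SAMPLE_LOGS = [
    'Nov  4 08:06:01 appsrv custapp: user=alice action=login msg="Login from branch office" status=ok',
    'Nov  4 08:06:02 appsrv custapp: user=bob action=upload msg="Uploaded 3 files, 12 MB total" status=ok',
    # Edge case: the free text itself contains the delimiter, so the match is cut short.
    'Nov  4 08:06:03 appsrv custapp: user=carol action=note msg="Ticket "urgent" reopened" status=warn',
]

# The two spellings from the reply are the same pattern: \x22 is the hex escape for '"'.
QUOTED_FIELD = re.compile(r'"([^"]+)"')
QUOTED_FIELD_HEX = re.compile(r'\x22([^\x22]+)\x22')


def field_pattern(delimiter: str):
    """Build 'delimiter, then one or more characters that are NOT the delimiter, then delimiter'.

    re.escape keeps the pattern valid for delimiters that are regex metacharacters,
    including ones that are special inside a character class such as ']' or '^'.
    """
    d = re.escape(delimiter)
    return re.compile(f"{d}([^{d}]+){d}")


def extract_free_text(line: str, pattern=QUOTED_FIELD) -> Optional[str]:
    """Return the captured free-text field, or None when the line does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def lines_with_leaked_delimiter(lines: List[str], delimiter: str = '"') -> List[int]:
    """Indices of lines where the delimiter occurs other than exactly twice.

    One wrapped field means exactly two delimiters; any other count means the
    delimiter appears inside the data and the regex will truncate or misparse it.
    """
    return [i for i, line in enumerate(lines) if line.count(delimiter) != 2]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(repr(extract_free_text(line)))
    print("suspect lines:", lines_with_leaked_delimiter(SAMPLE_LOGS))
```

          For the third line the pattern returns only 'Ticket ', which is why the check for a leaked delimiter belongs next to the parser: a delimiter such as the ASCII unit separator (\x1f), which never occurs in ordinary text, avoids the problem entirely when the data source can emit it.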

          • 2. Re: Parser creation
            itzamlan

            ravismallah

            You need to use PCRE, that is Perl-based regexes, for the parsing.

            By the way, could you tell where you are testing your regular expressions before you deploy those as parsers?

            • 3. Re: Parser creation
              ravismallah

              Hi itzamlan, I am testing the parser on www.RegExr.com.

              • 4. Re: Parser creation
                ravismallah

                Hi Rorik, I have tried your suggestion and it seems to work in the expected manner. Let me match it with my other logs also.


                Thanks a ton


                Ravi

                • 5. Re: Parser creation
                  rorik.koster

                  Not a problem Ravi!


                  I enjoy www.RegExr.com but have also found www.Regex101.com to be very helpful as well.


                  Best Regards,

                  Rorik