Splitting multiline log into separate fields

JP_128812

Hi team,

I'm sure this should be easy, but I'm not having much luck finding the answer elsewhere; can any of you help me?

So I have (McAfee Firewall) log entries that look like this:

Time: 10/23/2020 08:09:36 AM
Event: Traffic
IP Address: 172.19.0.113
Description: SNMP SERVICE
Path: C:\Windows\System32\snmp.exe
Message: Allowed Incoming UDP - Source 172.19.0.113 : (52676) Destination 172.23.25.135 : snmp (161)
Matched Rule: Adaptive Rule - snmp.exe

I've got this being parsed as a multiline log entry with the following:

<Extension 5f917c0781064d07c2e8486a-multiline>
    Module      xm_multiline
    HeaderLine  /^Time:.*/
    EndLine     /^Matched Rule:.*/
</Extension>

<Input 5f917c0781064d07c2e8486a>
    Module      im_file
    File        'C:\ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log'
    PollInterval 1
    SavePos     True
    ReadFromLast True
    Recursive   True
    RenameCheck False
    Exec        $FileName = file_name(); # Send file name with each message
    InputType   5f917c0781064d07c2e8486a-multiline
</Input>

So far so good: I get a multiline message coming through, but I'd now like to parse it.

So my first step is to split out the individual lines. Ideally, in the above example, I'd split the message into 7 fields:

'Time' -> '10/23/2020 08:09:36 AM'
'Event' -> 'Traffic'
'IP Address' -> 172.19.0.113
...etc

So I'm guessing there's an Exec section required and some regex work, but I've not managed to get anything to work yet. Has anyone else done anything similar here?

Thanks in advance,

Jim
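The field-splitting logic the post is asking about, written as a stand-alone Python example (not NXLog's configuration language and not code from the thread) so that the two regexes can be tried against a sample record before being ported into an Exec block. It assumes the joined record looks exactly like the one quoted above: one `Key: value` pair per line, with the key ending at the first colon (so the colons inside the Time and Path values are left alone), and a `Message` line in the `Allowed Incoming UDP - Source ... : (port) Destination ... : svc (port)` shape. Beyond the seven top-level fields, it also pulls the verdict and the 5-tuple out of the Message line, which is what a SIEM rule would actually key on; the sample event is constructed from the post.

```python
import re
from typing import Dict, Optional

# Constructed sample: one McAfee Firewall event as it arrives after
# xm_multiline has joined the lines (layout copied from the post).
SAMPLE_EVENT = """Time: 10/23/2020 08:09:36 AM
Event: Traffic
IP Address: 172.19.0.113
Description: SNMP SERVICE
Path: C:\\Windows\\System32\\snmp.exe
Message: Allowed Incoming UDP - Source 172.19.0.113 : (52676) Destination 172.23.25.135 : snmp (161)
Matched Rule: Adaptive Rule - snmp.exe
"""

# "Key: value" lines. The key is everything up to the FIRST colon (non-greedy),
# so "Time: 10/23/2020 08:09:36 AM" and "Path: C:\..." keep their inner colons.
FIELD_RE = re.compile(r"^(?P<key>[^:\r\n]+?):\s*(?P<value>.*?)\s*$")

# The Message line carries the verdict, direction, protocol and the 5-tuple.
# Assumption: this matches the variant shown in the post; other McAfee message
# shapes (e.g. ICMP without ports) would need their own pattern.
MESSAGE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<direction>\w+)\s+(?P<proto>\w+)\s+-\s+"
    r"Source\s+(?P<src_ip>[\d.]+)\s*:\s*\((?P<src_port>\d+)\)\s+"
    r"Destination\s+(?P<dst_ip>[\d.]+)\s*:\s*(?P<dst_svc>\S+)\s+\((?P<dst_port>\d+)\)$"
)


def split_fields(event: str) -> Dict[str, str]:
    """Split a joined multiline record into its 'Key: value' fields.

    Lines that do not look like 'Key: value' are ignored rather than
    raising, so a stray continuation line cannot break the whole record.
    """
    fields: Dict[str, str] = {}
    for line in event.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def parse_message(message: str) -> Optional[Dict[str, str]]:
    """Extract action/direction/protocol and the 5-tuple from the Message field.

    Returns None when the line does not match, so callers can keep the raw
    Message and flag the record as unparsed instead of silently dropping it.
    """
    m = MESSAGE_RE.match(message)
    return m.groupdict() if m else None


def parse_event(event: str) -> Dict[str, str]:
    """Top-level fields plus the decoded Message fields (when they parse)."""
    fields = split_fields(event)
    detail = parse_message(fields.get("Message", ""))
    if detail:
        fields.update(detail)
    else:
        fields["message_parsed"] = "false"  # keep the raw line, mark it for review
    return fields


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_EVENT).items():
        print(f"{key!r} -> {value!r}")
```

The two regexes carry over to NXLog unchanged in spirit: the `FIELD_RE` step is what the Exec block needs to run once per line of `$raw_event`, and the `MESSAGE_RE` step then runs once on the resulting `Message` field. Keeping the Message parser separate, and letting it return a "did not match" result, matters operationally: the one shape quoted in the post is unlikely to be the only shape the firewall writes, and a record whose Message did not parse should still reach the SIEM with its raw text rather than being lost.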