Hi all,

Sorry to come with another new question about that, but I don't understand why the regex didn't match the Message:

regexp /(?x)^\s?\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?/ doesn't match subject string '[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->'

If I compare that on Online regex site (PCRE), it works.


Asked February 15, 2020 - 2:08pm

Comments (5)

  • cmiscloni

    Already tried without (?x); this option enables for me the debug of the regex in the log file.
    I tried on regex101.com too and it works, but not in NXLog Enterprise or CE.

  • cmiscloni

    Yes, see below:

    define ROOT /opt/nxlog/bin

    <Extension gelfExt>
        Module xm_gelf
        # Avoid truncation of the short_message field to 64 characters.
        ShortMessageLength 65536
    </Extension>

    <Extension syslogExt>
        Module xm_syslog
    </Extension>

    User xxxxx
    Group xxxxx

    Moduledir /opt/nxlog/lib/nxlog/modules
    CacheDir /opt/nxlog/var/spool/nxlog/data
    PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
    LogFile /opt/nxlog/var/log/nxlog/nxlog.log
    LogLevel DEBUG

    <Input snort>
        Module im_file
        File "/var/log/syslog"
        SavePos TRUE
        ReadFromLast TRUE
        <Exec>
            # im_file only sets $raw_event; parse the syslog header first so that
            # $Message holds the Snort alert text the regex is matched against.
            parse_syslog();
            if $Message =~ /^\s?\[(\d+):(\d+):(\d+)\] (.*?) \[Classification: (.+?)\] \[Priority: (\d+)\] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?\R?/
            {
                # $0 is the whole match; the capture groups start at $1.
                $snort_alert = 'true';
                $generator_id = $1;
                $signature_id = $2;
                $signature_revision_id = $3;
                $description = $4;
                $classification = $5;
                $priority = $6;
                $protocol = $7;
                $src_addr = $8;
                # $9 is the optional ":port" group including the colon; $10 is the port digits.
                $src_port = $10;
                $dst_addr = $11;
                # $12 is the optional ":port" group including the colon; $13 is the port digits.
                $dst_port = $13;
            }
            else drop();
        </Exec>
    </Input>

    <Output gelf>
        Module om_udp
        Host xxxxxxxxxxxxxxxxxxxx
        Port xxxxxxxxxxxxxxx
        OutputType GELF_UDP
        <Exec>
            # These fields are needed for Graylog
            $gl2_source_collector = 'xxxxxxxxxxxxxxxxxxxx';
            $collector_node_id = 'xxxxxxxxxxxxxx';
            $ShortMessage = $raw_event;
        </Exec>
    </Output>

    # Route connecting the input to the output (added so the config is complete).
    <Route snort_to_gelf>
        Path snort => gelf
    </Route>

  • manuel.munoz

    Please, use this regex, I have checked it against your event.

    /\[(\d+):(\d+):(\d+)\] (.*?) \[Classification: (.+?)\] \[Priority: (\d+)\] \{(.+?)\} (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:(\d{1,5}))?/

    Also please take into account that you are missing a to_syslog()/to_json() in order to build your destination event including the newly added fields.
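To show why the line quoted in the question cannot match and how the numbered capture groups line up, here is an added Python check; it is not NXLog code and not from the original thread. It runs the thread's pattern (with PCRE's \R written as \r?\n?, which Python's re lacks) against two constructed alert lines, and beside it a tolerant variant with named groups and an optional address pair. The sample lines, rule ids, addresses and function names are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample lines (Snort fast-alert text with the syslog header removed).
# The second is the line from the question: a preprocessor alert with no address pair.
ALERT_WITH_ADDRS = (
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:80 -> 198.51.100.5:52344"
)
ALERT_NO_ADDRS = (
    "[129:20:1] TCP session without 3-way handshake "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} ->"
)

IP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# The pattern from the thread, unchanged except that \R is written as \r?\n?.
# It requires both addresses, so a line ending in "{TCP} ->" can never match.
STRICT_RE = re.compile(
    r"^\s?\[(\d+):(\d+):(\d+)\] (.+?) \[Classification: (.+?)\] \[Priority: (\d+)\] "
    r"\{(.+?)\} (" + IP + r")(:(\d{1,5}))? -> (" + IP + r")(:(\d{1,5}))?\r?\n?"
)

# Same fields, but the address pair is optional and every group is named, which
# avoids the off-by-one risk of numbered groups (group 1 is the generator id, not 0).
TOLERANT_RE = re.compile(
    r"^\s?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<desc>.+?) "
    r"\[Classification: (?P<classification>.+?)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>.+?)\}"
    r"(?: (?P<src_addr>" + IP + r")(?::(?P<src_port>\d{1,5}))?)? ->"
    r"(?: (?P<dst_addr>" + IP + r")(?::(?P<dst_port>\d{1,5}))?)?\s*$"
)


def strict_matches(line: str) -> bool:
    """True if the thread's original pattern accepts the line."""
    return STRICT_RE.match(line) is not None


def parse_snort_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = TOLERANT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()  # absent addresses/ports come back as None
    fields["priority"] = int(fields["priority"])
    return fields


if __name__ == "__main__":
    for line in (ALERT_WITH_ADDRS, ALERT_NO_ADDRS):
        print(strict_matches(line), parse_snort_alert(line))
```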

Answer (1)