Hi team,
I'm sure this should be easy, but I'm not having much luck finding the answer elsewhere. Can any of you help me?
So I have (McAfee Firewall) log entries that look like this:
Time: 10/23/2020 08:09:36 AM
Event: Traffic
IP Address: 172.19.0.113
Description: SNMP SERVICE
Path: C:\Windows\System32\snmp.exe
Message: Allowed Incoming UDP - Source 172.19.0.113 : (52676) Destination 172.23.25.135 : snmp (161)
Matched Rule: Adaptive Rule - snmp.exe
I've got this being parsed as a multiline log entry with the following:
<Extension 5f917c0781064d07c2e8486a-multiline>
    Module      xm_multiline
    HeaderLine  /^Time:.*/
    EndLine     /^Matched Rule:.*/
</Extension>

# Input block name not preserved in the post; any name works here
<Input mcafee_firewall>
    Module        im_file
    File          'C:\ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log'
    PollInterval  1
    SavePos       True
    ReadFromLast  True
    Recursive     True
    RenameCheck   False
    InputType     5f917c0781064d07c2e8486a-multiline
    Exec          $FileName = file_name(); # Send file name with each message
</Input>
So far so good - I get a multiline message come through, but I'd now like to parse it.
So my first step is to split out the individual lines - ideally, in the above example, I'd split the message into 7 fields:
'Time' -> '10/23/2020 08:09:36 AM'
'Event' -> 'Traffic'
'IP Address' -> '172.19.0.113'
...etc
So I'm guessing there's an Exec section required and some regex work, but I've not managed to get anything to work yet - has anyone else done anything similar here?
Thanks in advance,
Jim
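The parsing the post asks for, as an added example that is not part of the post and not NXLog's own code: a Python parser that frames records the way the xm_multiline HeaderLine/EndLine pair above does, splits each "Key: value" line into a field, and then breaks the Message line into action, direction, protocol, source and destination address/port. The Message regex is derived from the single sample in the post, so its layout is an assumption; a message that does not match is kept raw rather than dropped. The second record in the sample input is constructed to show the same shape with other values.

```python
import re
from datetime import datetime

# Record framing, mirroring the xm_multiline HeaderLine / EndLine regexes in the post.
HEADER_RE = re.compile(r"^Time:.*")
END_RE = re.compile(r"^Matched Rule:.*")

# "Key: value" lines. Keys never contain a colon, so the first colon ends the key;
# this is why "Path: C:\Windows\..." still splits at the right place.
KV_RE = re.compile(r"^([^:]+):\s*(.*?)\s*$")

# Shape of the Message line, derived from the one sample in the post
# (assumption: other events follow the same "Action Direction PROTO - Source ... Destination ..." layout).
MSG_RE = re.compile(
    r"^(?P<action>\w+) (?P<direction>\w+) (?P<proto>\w+) - "
    r"Source (?P<src_ip>\S+) : \((?P<src_port>\d+)\) "
    r"Destination (?P<dst_ip>\S+) : (?P<dst_service>\S+) \((?P<dst_port>\d+)\)$"
)

# Field names chosen for this example; map to whatever your schema expects.
FIELD_NAMES = {
    "Time": "event_time",
    "Event": "event",
    "IP Address": "ip_address",
    "Description": "description",
    "Path": "path",
    "Message": "message",
    "Matched Rule": "matched_rule",
}


def split_records(lines):
    """Yield one list of lines per record: starts at a HeaderLine match, ends at an EndLine match."""
    current = None
    for line in lines:
        line = line.rstrip("\r\n")
        if HEADER_RE.match(line):
            if current:  # new header before an EndLine was seen: flush the partial record
                yield current
            current = [line]
        elif current is not None:
            current.append(line)
            if END_RE.match(line):
                yield current
                current = None
    if current:  # file ended mid-record
        yield current


def parse_record(record_lines):
    """Turn the 'Key: value' lines into a dict, then parse Time and Message further."""
    fields = {}
    for line in record_lines:
        m = KV_RE.match(line)
        if not m:
            continue  # tolerate a stray line instead of losing the whole event
        key, value = m.group(1).strip(), m.group(2)
        fields[FIELD_NAMES.get(key, key)] = value

    msg = MSG_RE.match(fields.get("message", ""))
    if msg:
        fields.update(msg.groupdict())
        fields["src_port"] = int(fields["src_port"])
        fields["dst_port"] = int(fields["dst_port"])
    # otherwise the raw message stays in fields["message"] for inspection

    if "event_time" in fields:
        fields["event_time"] = datetime.strptime(fields["event_time"], "%m/%d/%Y %I:%M:%S %p")
    return fields


def parse_log(text):
    """Parse a whole FirewallEventMonitor.log-style text into a list of field dicts."""
    return [parse_record(rec) for rec in split_records(text.splitlines(True))]


# Constructed sample input: the record from the post, plus a second record in the same shape.
SAMPLE_LOG = (
    "Time: 10/23/2020 08:09:36 AM\r\n"
    "Event: Traffic\r\n"
    "IP Address: 172.19.0.113\r\n"
    "Description: SNMP SERVICE\r\n"
    "Path: C:\\Windows\\System32\\snmp.exe\r\n"
    "Message: Allowed Incoming UDP - Source 172.19.0.113 : (52676) Destination 172.23.25.135 : snmp (161)\r\n"
    "Matched Rule: Adaptive Rule - snmp.exe\r\n"
    "Time: 10/23/2020 08:10:02 AM\r\n"
    "Event: Traffic\r\n"
    "IP Address: 10.0.0.5\r\n"
    "Description: REMOTE DESKTOP\r\n"
    "Path: C:\\Windows\\System32\\svchost.exe\r\n"
    "Message: Allowed Incoming TCP - Source 10.0.0.5 : (49731) Destination 172.23.25.135 : ms-wbt-server (3389)\r\n"
    "Matched Rule: Adaptive Rule - svchost.exe\r\n"
)

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```

The same three regexes carry over to an NXLog Exec block: the `=~` operator exposes capture groups as `$1`, `$2`, ... so each `Key: value` line and the Message line can be assigned to fields there instead. Whatever you use, keep the fallback for a Message line that does not match, so an unfamiliar event shape surfaces as a raw field rather than vanishing.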