i have the following problem and no Idea how to solve it:

I have a Logline from our VPN Server which looks like this:
2021-11-11 16-56-00, connect, PartnerIP=, VPNIP=, User="Computername.Domain.de"

My Problem is, that our SIEM System does not accept Computer Accounts for VPN Connections. It only allows User Accounts. Thats why i need to transform it into:

2021-11-11 16-56-00, connect, PartnerIP=, VPNIP=, User="Username@Domain.de"

The connection between Computer and User is stored in a MS SQL Database or in a CSV/TXT File.

Is it possible to replace the Computer Entry with the corresponding Username and then send it to a Syslog server?
I did not found a possibility to load something like a key-Value List.

AskedNovember 11, 2021 - 5:04pm

Answer (1)

Hello Sir,

You can read the csv / txt file ,
use regex to parse the vpn username to find the specific line,
after that you can re-use regex not to get the vpn user but the username you need on that line.