IBM QRadar

  • 1.  Symantec Message Gateway log parsing problem

    Posted Fri October 04, 2019 10:03 AM
    Hello,

    I have a Symantec Message Gateway log parsing problem and chose to parse the logs manually.
    The Symantec Message Gateway DSM is not supported by QRadar.

    Log example:

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    <142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173

     

    Can you please tell me what regex codes I need to use to parse these values: |VERDICT|, test@test.com, |ACCEPT|, 192.168.0.5:14173?

    Please see the attached log example.

    Thank you



    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------

    Attachment(s): MX2.txt (7 KB)


  • 2.  RE: Symantec Message Gateway log parsing problem

    Posted Wed October 09, 2019 11:49 AM
    Presuming that the bmserver and ecelerity processes are sending data in different formats (since the username follows the eventId in the former and the IP/port in the latter), here are some you could try.

    ==================================

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    EventID: bmserver\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
    Username: bmserver\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1

    ==================================

    <142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173
    EventID: ecelerity\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
    Source IP: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|:]*) - Capture Group 1
    Source Port: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|[^|:]*:(\d+) - Capture Group 1


    ------------------------------
    Chris Collins
    ------------------------------



  • 3.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 02:13 AM
    Thank you very much

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 4.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 02:22 AM
    It says "Illegal escape sequence in regex" :(



    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 5.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 08:40 AM
    The regex is definitely fine; it's even showing in the preview. I'll check into it and get back to you ASAP.

    ------------------------------
    Chris Collins
    ------------------------------



  • 6.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 01:55 PM
    Looks like there may be a bug in the DSM editor regex validation with some specific escape sequences that should be fixed in a future release.

    You can try this instead:

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    EventID: bmserver[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)
    Username: bmserver[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|]+)

    It's a slight modification but contains fewer escape sequences and seems to work fine in the editor's validation.

    And then apply the same pattern to the ecelerity pattern.

    ------------------------------
    Chris Collins
    Team Lead / Senior Cloud Integrations Developer
    IBM QRadar Integration Team - New Integrations
    ------------------------------
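    To check that the reduced-escape workaround above is a drop-in replacement for the first set of regexes, here is an added Python example (not from the thread, nor from IBM or Symantec) that runs both pattern sets against the two log lines from the original post. The ecelerity patterns in the reduced-escape style are written here by applying the same change the reply asks for; the truncated third line, its REJECT event id, and the function names are constructed for the demo. Python's `re` stands in for the DSM editor's Java regex engine; these patterns only use constructs the two engines share.

```python
import re

# Constructed sample input: the two lines from the original post, plus a
# shortened ecelerity line (REJECT with no IP/port field) to show how the
# two pattern styles differ when the event id is the last field.
BMSERVER_LINE = ("<142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|"
                 "50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|"
                 "test@test.com|none|default|default")
ECELERITY_LINE = ("<142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|"
                  "50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|"
                  "192.168.0.5:14173")
TRUNCATED_LINE = ("<142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|"
                  "50538744-c7fff70000000aff-82-5d97300b77b1|REJECT")

# Regexes from the thread, keyed by the QRadar property they populate.
# "escaped" is the first set (backslash escapes); "reduced" is the later set
# that uses character classes such as [[] and [|] to avoid escape sequences.
PATTERNS = {
    "escaped": {
        "bmserver": {
            "EventID":  r"bmserver\[\d+\]:[^|]*\|[^|]*\|([^|]*)\|",
            "Username": r"bmserver\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|]*)\|",
        },
        "ecelerity": {
            "EventID":     r"ecelerity\[\d+\]:[^|]*\|[^|]*\|([^|]*)\|",
            "Source IP":   r"ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|:]*)",
            "Source Port": r"ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|[^|:]*:(\d+)",
        },
    },
    "reduced": {
        "bmserver": {
            "EventID":  r"bmserver[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)",
            "Username": r"bmserver[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|]+)",
        },
        # Constructed here by applying the same reduced-escape style to the
        # ecelerity format, as the reply suggests; not posted in the thread.
        "ecelerity": {
            "EventID":     r"ecelerity[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)",
            "Source IP":   r"ecelerity[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|:]+)",
            "Source Port": r"ecelerity[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|][^|:]+:(\d+)",
        },
    },
}


def extract(line, style="reduced"):
    """Run every pattern of one style over a syslog line and return the
    captured properties (capture group 1) keyed by property name.

    Each regex starts with the process name, so bmserver patterns never
    match ecelerity lines and vice versa; a property whose pattern does not
    match is simply absent from the result, mirroring an empty field in
    the DSM editor preview."""
    found = {}
    for props in PATTERNS[style].values():
        for name, regex in props.items():
            m = re.search(regex, line)
            if m:
                found[name] = m.group(1)
    return found


def styles_agree(line):
    """True when the escaped and reduced-escape sets extract identical
    values from `line`, i.e. the workaround is a drop-in replacement."""
    return extract(line, "escaped") == extract(line, "reduced")


if __name__ == "__main__":
    for sample in (BMSERVER_LINE, ECELERITY_LINE, TRUNCATED_LINE):
        print(extract(sample, "escaped"), extract(sample, "reduced"),
              "agree:", styles_agree(sample))
```

    On the two lines from the post both styles agree. On the shortened line they do not: the escaped EventID pattern ends in `\|` and so requires a pipe after the event id, while the reduced form `([^|]+)` accepts an event id that closes the message. Whichever style is used in the DSM editor, it is worth testing against a line where the event id is the last field, since that determines whether such events get an EventID at all.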



  • 7.  RE: Symantec Message Gateway log parsing problem

    Posted Fri October 11, 2019 02:29 AM
    It worked partially.

    Thank you for your help.

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 8.  RE: Symantec Message Gateway log parsing problem

    Posted Fri October 11, 2019 09:55 AM
    Is it a QRadar 7.3.2 Patch 4 bug? The regex is showing in the preview, but I cannot click the OK button.

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------