IBM Security QRadar

  • 1.  LSX Time Parser

    Posted Fri August 21, 2020 07:08 AM
    Hi everyone,

    I have a log source which sends the logs as below.

    NONE              17  200812 105222 OK login:uid

    In the middle, we have 200812 105222. These numbers correspond to

    20 -> year
    08 -> month
    12 -> day
    10 -> hour
    52 -> minute
    22 -> seconds

    We need to write it in an lsx (xml) file to upload as a log source extension, however we could not find a way to type its regex.

    Could you offer a way to figure it out?

    Thank you in advance for your help.

    Regards. 



    ------------------------------
    Halil BALIM
    ------------------------------


  • 2.  RE: LSX Time Parser

    Posted Tue August 25, 2020 01:11 PM
    Hi Halil,

    I would recommend using the DSM Editor for this rather than manually writing an LSX XML.

    For regex, the following should work and hopefully will match other events too, though with only one sample it's hard to define a regex that will match everything:

    \d+\s+(\d{6} \d{6})\s+\w+

    Then for the Date Format value use:

    yyMMdd HHmmss

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------
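As an added example that is not part of this thread: a small Python check that applies Colin's regex and the yyMMdd HHmmss format to the sample line, so the pattern and format can be validated offline before they go into an LSX or the DSM Editor. The SimpleDateFormat-to-strptime table is my own assumption and covers only the six tokens this format uses.

```python
import re
from datetime import datetime

# Constructed copy of the event line from the question.
SAMPLE = "NONE              17  200812 105222 OK login:uid"

# Regex and (Java SimpleDateFormat style) date format from the answer above.
EVENT_TIME_REGEX = re.compile(r"\d+\s+(\d{6} \d{6})\s+\w+")
QRADAR_DATE_FORMAT = "yyMMdd HHmmss"

# Assumed mapping for just the tokens present in this format; order matters
# because "MM" (month) must be rewritten before "mm" (minute).
_JAVA_TO_STRPTIME = {
    "yy": "%y", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S",
}


def java_format_to_strptime(fmt: str) -> str:
    """Translate the handful of SimpleDateFormat tokens used here to strptime."""
    out = fmt
    for java_tok, py_tok in _JAVA_TO_STRPTIME.items():
        out = out.replace(java_tok, py_tok)
    return out


def extract_event_time(line: str):
    """Return the parsed timestamp for one line, or None when the regex misses.

    This mirrors what a DeviceTime matcher does: take capture group 1 and
    parse it with the configured date format. Returning None makes a
    non-matching line visible instead of silently falling back to the
    time QRadar received the event.

    Caveat: two-digit years are ambiguous. strptime maps 00-68 to 20xx and
    69-99 to 19xx; Java's SimpleDateFormat uses a sliding window around the
    current date, so the two can disagree on old or odd years.
    """
    m = EVENT_TIME_REGEX.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), java_format_to_strptime(QRADAR_DATE_FORMAT))


if __name__ == "__main__":
    print(extract_event_time(SAMPLE))  # 2020-08-12 10:52:22
```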



  • 3.  RE: LSX Time Parser

    Posted Thu August 27, 2020 03:06 AM
    Hi Colin,
    Thank you for your help. 
    It helps us a lot.
    Regards.


    ------------------------------
    Halil BALIM
    ------------------------------