QRadar

Expand all | Collapse all

Symantec Message Gateway log parsing problem

  • 1.  Symantec Message Gateway log parsing problem

    Posted Fri October 04, 2019 10:03 AM
      |   view attached
    Hello,

    I have a Symantec Message Gateway log parsing problem and I choose to manually parse.
    Symantec Message Gateway DSM is not supported by QRadara

    Log example:

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    <142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173

     

    Can you tell me please what regex cods do I need to use to parse |VERDICT| , test@test.com , |ACCEPT| , 192.168.0.5:14173 this values?

    please, see attached log example

    thank you



    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    TbilisiGeorgia
    ------------------------------

    Attachment(s)

    txt
    MX2.txt   7K 1 version


  • 2.  RE: Symantec Message Gateway log parsing problem

    Posted Wed October 09, 2019 11:49 AM
    Presuming that bmserver and ecelerity processes are sending data in different formats (since the username follows the eventId in the former and the IP/port in the latter) here's some you could try.

    ==================================

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    EventID: bmserver\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
    Username: bmserver\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1

    ==================================

    <142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173
    EventID: ecelerity\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
    Source IP: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|:]*) - Capture Group 1
    Source Port: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|[^|:]*:(\d+) - Capture Group 1


    ------------------------------
    Chris Collins
    ------------------------------



  • 3.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 02:13 AM
    Thank you very much

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    TbilisiGeorgia
    ------------------------------



  • 4.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 02:22 AM
    it says "Illegal escape sequence in regec" :(



    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    TbilisiGeorgia
    ------------------------------



  • 5.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 08:40 AM
    The regex is definitely fine, it's even showing in the preview. I'll check into it and get back to you ASAP.

    ------------------------------
    Chris Collins
    ------------------------------



  • 6.  RE: Symantec Message Gateway log parsing problem

    Posted Thu October 10, 2019 01:55 PM
    Looks like there may be a bug in the DSM editor regex validation with some specific escape sequences that should be fixed in a future release.

    You can try this instead:

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    EventID: bmserver[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)
    Username: bmserver[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|]+)

    It's a slight modification but contains fewer escape sequences and seems to work fine in the editor's validation.

    And then apply the same pattern to the ecelerity pattern.

    ------------------------------
    Chris Collins
    Team Lead / Senior Cloud Integrations Developer
    IBM QRadar Integration Team - New Integrations
    ------------------------------



  • 7.  RE: Symantec Message Gateway log parsing problem

    Posted Fri October 11, 2019 02:29 AM
    It worked partially.

    Thank you for help

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    TbilisiGeorgia
    ------------------------------



  • 8.  RE: Symantec Message Gateway log parsing problem

    Posted Fri October 11, 2019 09:55 AM
    Is it QRadar 7.3.2 Patch 4 bug? Regex is showing in the preview but cannot click ok button

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    TbilisiGeorgia
    ------------------------------