Looks like there may be a bug in the DSM editor regex validation with some specific escape sequences that should be fixed in a future release.
You can try this instead:
<142>Oct 4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|defaultEventID:
bmserver[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)Username: bmserver[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|]+)
It's a slight modification but contains fewer escape sequences and seems to work fine in the editor's validation.
And then apply the same pattern to the ecelerity pattern.
------------------------------
Chris Collins
Team Lead / Senior Cloud Integrations Developer
IBM QRadar Integration Team - New Integrations
------------------------------
Original Message:
Sent: Thu October 10, 2019 02:22 AM
From: Davit Ubilava
Subject: Symantec Message Gateway log parsing problem
------------------------------
Davit Ubilava
System Administrator
Delta Consulting LLC
TbilisiGeorgia
Original Message:
Sent: Wed October 09, 2019 11:48 AM
From: Chris Collins
Subject: Symantec Message Gateway log parsing problem
Presuming that bmserver and ecelerity processes are sending data in different formats (since the username follows the eventId in the former and the IP/port in the latter) here's some you could try.
==================================
<142>Oct 4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default
EventID: bmserver\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
Username: bmserver\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
==================================
<142>Oct 4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173
EventID: ecelerity\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
Source IP: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|:]*) - Capture Group 1
Source Port: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|[^|:]*:(\d+) - Capture Group 1
------------------------------
Chris Collins
Original Message:
Sent: Fri October 04, 2019 10:02 AM
From: Davit Ubilava
Subject: Symantec Message Gateway log parsing problem
Hello,
I have a Symantec Message Gateway log parsing problem and I choose to manually parse.
Symantec Message Gateway DSM is not supported by QRadara
Log example:
<142>Oct 4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default
<142>Oct 4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173
Can you tell me please what regex cods do I need to use to parse |VERDICT| , test@test.com , |ACCEPT| , 192.168.0.5:14173 this values?
please, see attached log example
thank you
------------------------------
Davit Ubilava
System Administrator
Delta Consulting LLC
TbilisiGeorgia
------------------------------