QRadar


Symantec Message Gateway log parsing problem

  • 1.  Symantec Message Gateway log parsing problem

    Posted 17 days ago
    Hello,

    I have a Symantec Message Gateway log parsing problem and I chose to parse manually.
    The Symantec Message Gateway DSM is not supported by QRadar.

    Log example:

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    <142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173

     

    Can you please tell me what regex code I need to use to parse these values: |VERDICT|, test@test.com, |ACCEPT|, 192.168.0.5:14173?

    please, see attached log example

    thank you



    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------

    Attachment(s)

    MX2.txt (7K)


  • 2.  RE: Symantec Message Gateway log parsing problem

    Posted 12 days ago
    Presuming that the bmserver and ecelerity processes are sending data in different formats (since the username follows the eventId in the former and the IP/port in the latter), here are some you could try.

    ==================================

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    EventID: bmserver\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
    Username: bmserver\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1

    ==================================

    <142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173
    EventID: ecelerity\[\d+\]:[^|]*\|[^|]*\|([^|]*)\| - Capture Group 1
    Source IP: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|:]*) - Capture Group 1
    Source Port: ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|[^|:]*:(\d+) - Capture Group 1


    ------------------------------
    Chris Collins
    ------------------------------



  • 3.  RE: Symantec Message Gateway log parsing problem

    Posted 11 days ago
    Thank you very much

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 4.  RE: Symantec Message Gateway log parsing problem

    Posted 11 days ago
    It says "Illegal escape sequence in regex" :(



    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 5.  RE: Symantec Message Gateway log parsing problem

    Posted 11 days ago
    The regex is definitely fine, it's even showing in the preview. I'll check into it and get back to you ASAP.

    ------------------------------
    Chris Collins
    ------------------------------



  • 6.  RE: Symantec Message Gateway log parsing problem

    Posted 11 days ago
    Looks like there may be a bug in the DSM editor regex validation with some specific escape sequences that should be fixed in a future release.

    You can try this instead:

    <142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default

    EventID: bmserver[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)
    Username: bmserver[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|]+)

    It's a slight modification but contains fewer escape sequences and seems to work fine in the editor's validation.

    And then apply the same pattern to the ecelerity pattern.

    ------------------------------
    Chris Collins
    Team Lead / Senior Cloud Integrations Developer
    IBM QRadar Integration Team - New Integrations
    ------------------------------
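The two sets of patterns in this thread (the backslash-escaped ones from the first answer and the bracket-class ones from the later reply) should extract exactly the same fields. The following is an added example, not code from the thread or from QRadar, that runs both sets over the two log lines posted above and checks that they agree. The ecelerity bracket-class patterns are my own construction following the reply's "apply the same pattern" advice; the thread itself only shows the bmserver ones. The sample lines are copied from the original post.

```python
import re

# Constructed sample input: the two lines posted in the thread.
SAMPLE_LINES = [
    "<142>Oct  4 15:42:03 mx2 bmserver[2537]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|VERDICT|test@test.com|none|default|default",
    "<142>Oct  4 15:42:03 mx2 ecelerity[2815]: 1570189323|50538744-c7fff70000000aff-82-5d97300b77b1|ACCEPT|192.168.0.5:14173",
]

# Patterns as given in the first answer (backslash escapes, capture group 1).
ESCAPED = {
    "bmserver": {
        "EventID":  r"bmserver\[\d+\]:[^|]*\|[^|]*\|([^|]*)\|",
        "Username": r"bmserver\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|]*)\|",
    },
    "ecelerity": {
        "EventID":    r"ecelerity\[\d+\]:[^|]*\|[^|]*\|([^|]*)\|",
        "SourceIP":   r"ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|([^|:]*)",
        "SourcePort": r"ecelerity\[\d+\]:[^|]*\|[^|]*\|[^|]*\|[^|:]*:(\d+)",
    },
}

# Escape-free variants: bmserver patterns as posted in the later reply; the
# ecelerity ones are an assumption built the same way (not from the thread).
BRACKETED = {
    "bmserver": {
        "EventID":  r"bmserver[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)",
        "Username": r"bmserver[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|]+)",
    },
    "ecelerity": {
        "EventID":    r"ecelerity[[]\d+.:\s[^|]+[|][^|]+[|]([^|]+)",
        "SourceIP":   r"ecelerity[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|]([^|:]+)",
        "SourcePort": r"ecelerity[[]\d+.:\s[^|]+[|][^|]+[|][^|]+[|][^|:]+:(\d+)",
    },
}

PROCESS_TAG = re.compile(r"\s(bmserver|ecelerity)\[\d+\]:")


def extract(line, patterns):
    """Apply each named pattern to the line; return {field: capture group 1} for matches."""
    fields = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, line)
        if m:
            fields[name] = m.group(1)
    return fields


def parse(line, table):
    """Select the per-process pattern set from the syslog tag, then extract its fields.

    Returns None for lines from a process the table does not know about.
    """
    tag = PROCESS_TAG.search(line)
    if not tag:
        return None
    return extract(line, table[tag.group(1)])


def compare(lines=SAMPLE_LINES):
    """Return one (escaped_result, bracketed_result) pair per line for side-by-side checking."""
    return [(parse(line, ESCAPED), parse(line, BRACKETED)) for line in lines]


def all_agree(lines=SAMPLE_LINES):
    """True when both pattern families produce identical fields for every line."""
    return all(esc == brk for esc, brk in compare(lines))


if __name__ == "__main__":
    for line, (esc, brk) in zip(SAMPLE_LINES, compare()):
        print(line.split(": ", 1)[0])
        print("  escaped  :", esc)
        print("  bracketed:", brk)
    print("agree:", all_agree())
```

One difference worth knowing when you paste these into the DSM editor: the escape-free variants use `[^|]+` where the originals used `[^|]*`, so a field that is empty between two pipes will make the bracketed pattern fail where the original still matched. Both families are plain Java-compatible syntax, which is what QRadar's custom property and DSM editor regexes use.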



  • 7.  RE: Symantec Message Gateway log parsing problem

    Posted 10 days ago
    It worked partially.

    Thank you for help

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------



  • 8.  RE: Symantec Message Gateway log parsing problem

    Posted 10 days ago
    Is it a QRadar 7.3.2 Patch 4 bug? The regex shows in the preview, but I cannot click the OK button.

    ------------------------------
    Davit Ubilava
    System Administrator
    Delta Consulting LLC
    Tbilisi, Georgia
    ------------------------------