Outstanding Contributor

Anyone want to help me build a new Primitive Base Parser?

Anyone want to tackle a fun project in the Quick Flex to build a parser for Cylance Protect?

It's a Syslog parser - the agent is Syslog via TCP.

 

08-23-2016 18:27:55 Local7.Debug 52.63.15.218 1 2016-08-24T01:27:01.4434447Z sysloghost CylancePROTECT - - - Event Type: Threat, Event Name: threat_quarantined, Device Name: TEST-DEV, IP Address: (192.168.10.138), File Name: Setup.exe, Path: C:\Users\test\AppData\Local\Temp\a2aarPfHPg\ikvfHG8B\, Drive Type: Internal Hard Drive, SHA256: FC4B40A33084FB965473D6B5A69B87B1930B4BBB7F5387B7D6C66E4069168931, MD5: 125F05165117D7C5A17B83B8347A9A9C, Status: Quarantined, Cylance Score: 89, Found Date: 8/24/2016 1:09:45 AM, File Type: Executable, Is Running: False, Auto Run: True, Detected By: BackgroundThreatDetection, Zone Names: (1,A Zone With A Very Long Name 123,Mac Zone,MM_Zone,Zone A,Zone B)

Micro Focus Frequent Contributor

You mean the commas are showing up on your events?

Outstanding Contributor

So in the Quick Flex Parser, the base regex splits out 21 unparsed log lines.

So the RAW LOG shows this after parsing:

ScriptControl,

The Token Filter shows this:

ScriptControl, 

When all I need is the word without the trailing comma.

I will need to do this for each line, as the trailing comma is the separator for each area of the Message tag.

Outstanding Contributor
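To show what the parser has to cope with, here is an added Python example (not code from the thread or from the Quick Flex tool) that parses the sample event from the first post: it peels off the collector and RFC 5424 header, splits the message on the separator comma without capturing it, and keeps comma-separated values inside parentheses (IP Address, Zone Names) intact. The header field names and the copy of the event are assumptions constructed from the sample line above.

```python
import re

# Constructed copy of the sample event quoted in the first post.
SAMPLE_EVENT = (
    "08-23-2016 18:27:55 Local7.Debug 52.63.15.218 1 2016-08-24T01:27:01.4434447Z sysloghost CylancePROTECT - - - "
    "Event Type: Threat, Event Name: threat_quarantined, Device Name: TEST-DEV, IP Address: (192.168.10.138), "
    "File Name: Setup.exe, Path: C:\\Users\\test\\AppData\\Local\\Temp\\a2aarPfHPg\\ikvfHG8B\\, Drive Type: Internal Hard Drive, "
    "SHA256: FC4B40A33084FB965473D6B5A69B87B1930B4BBB7F5387B7D6C66E4069168931, MD5: 125F05165117D7C5A17B83B8347A9A9C, "
    "Status: Quarantined, Cylance Score: 89, Found Date: 8/24/2016 1:09:45 AM, File Type: Executable, "
    "Is Running: False, Auto Run: True, Detected By: BackgroundThreatDetection, "
    "Zone Names: (1,A Zone With A Very Long Name 123,Mac Zone,MM_Zone,Zone A,Zone B)"
)

# Collector prefix (receive time, facility.severity, sender IP) followed by the RFC 5424
# header: version, timestamp, hostname, app-name, procid, msgid, structured-data, message.
HEADER_RE = re.compile(
    r"^(?P<recv_time>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<facility>\S+) (?P<sender>\S+) "
    r"(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<message>.*)$"
)

def split_fields(message):
    """Split on commas outside parentheses, so 'Zone Names: (a,b,c)' stays one field."""
    fields, depth, start = [], 0, 0
    for i, ch in enumerate(message):
        depth = max(depth + (ch == "(") - (ch == ")"), 0)  # stray ')' never goes negative
        if ch == "," and depth == 0:
            fields.append(message[start:i].strip())  # token excludes the separator comma
            start = i + 1
    fields.append(message[start:].strip())  # last field carries no trailing comma
    return [f for f in fields if f]

def parse_cylance_event(line):
    """Return header fields plus each 'Key: Value' pair from the message, comma-free."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CylancePROTECT syslog line")
    event = {k: v for k, v in m.groupdict().items() if k != "message"}
    for field in split_fields(m.group("message")):
        key, sep, value = field.partition(": ")  # first ': ' only; paths keep their own colons
        if not sep:
            continue  # tolerate a malformed field instead of dropping the whole event
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]  # unwrap parenthesised values such as IP Address / Zone Names
        event[key] = value
    return event

if __name__ == "__main__":
    for k, v in parse_cylance_event(SAMPLE_EVENT).items():
        print(f"{k} = {v}")
```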

Carlos,

If you could take a look at the CSV in the zip folder attached: the regex was perfect until I ran it against this new set of events when I was making the tokens in the QuickFlex tool.

This is only the raw event field from the captured channel.
