Trusted Contributor
1671 views

Extract data from $message using a local variable


Good morning Protect!

Let's try this again. I feel like I'm making progress with this; I just can't get the final piece. I currently have this: (screenshot asdfsafsaf.png)

I have an action to set event field device custom string 4 to $output, and when the rule fires my correlated event just has $output in device custom string 4. Why isn't this working? This particular event's $message is a Unix log and has 30+ digits, and I just want the username.

23 Replies

Absent Member.

Great! Give the regex I provided you above a try and see what it does for you. I can walk you through what it's doing if you need.

Absent Member.

Sorry, I just realized you have things before "user:". So here's a modified version of the regex that I think should work.

$message.replaceAll('Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')

Absent Member.

Sometimes the rules engine can take up to 5 minutes to apply a change I've noticed. If possible I would recommend creating a channel that's very small and has the events you want in it and use that to test your rule. It'll be much faster.

Trusted Contributor

Yeah, I was gonna say that is a lot closer. It removed everything after user and left the user name. There is another word before Authentication as well, but it is confidential so I removed it. Do I need to start with that word and add a [^\s]+?

Absent Member.

Not quite. Basically I just typed all of the static words in there exactly as they would appear and then for the ones that contain things you don't want to share or may not be static I inserted [^\s]+ (if you're not familiar with it, it means anything except a whitespace character). So in this case if you have a single word in front of "Authentication" and it will always be the same, then you would just need to type that word in front of "Authentication". If that word is somewhat variable, then you would just put "[^\s]+ Authentication..." Let me know how that turns out for you.

Absent Member.

To further clarify, you would only need either the word (if static) or the "[^\s]+ " (if not static). You won't need both in this case since it does not have a dynamic value that follows it.

Absent Member.

You might need to modify it a little to make sure that it actually matches the things you have in the message field. You have things like <Active Directory> in there that I am guessing are single words with no space characters, but if any of them may contain a space then your regex will need to be modified. If it's just replicating the event.message then that means the regex is not matching. Since we added more in, you'll have to compare the logic against the message and see if it looks like it should match to you. Unfortunately, since you're not able to share these messages, we won't be able to troubleshoot that part of it. But at the least you now have it working and just need to refine the regex. If possible, could you provide a version of the message that has the same number of characters (replacing anything you can't share with something of equal value)? That way I can try to troubleshoot the regex vs what you are actually seeing.

Say you have the event message "Classified user: james.jameson account: 1222222" and you can't share the name, number, or word "Classified", then you would put something like this:

"Abcdefghij user: faker.fakeson account: 000000000"

That just shows where special characters or multiple words might exist to help with the regex.

Absent Member.

It may also be possible to do this:

$message.replaceAll('.*user: ([^\s]+).*','$1')

But I'm not entirely sure if that would work. That just adds a ".*" saying everything before "user:", but that part might match on "user:" as well and not produce anything. Worth a try if you don't see an easy fix for the regex.

Trusted Contributor

abc_abc: Authentication

Absent Member.

$message.replaceAll('[^\s] Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')

That should work barring any of the things you enclosed in <> containing spaces.

Absent Member.

Sorry, forgot to add a "+". It should read:

$message.replaceAll('[^\s]+ Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')

Trusted Contributor
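A worked version of the replaceAll expressions in this thread, as an added example (not code from the thread or from ArcSight), written in JavaScript because String.replace uses the same [^\s]+ / .* syntax and the same $1 back-reference; the log lines are constructed, with abc_abc standing in for the confidential first word. It shows why text before an unanchored match survives in the result, why a space inside a token such as <Active Directory> makes the whole message come back unchanged, and what the greedy .* shortcut does when "user:" occurs twice.

```javascript
// Added example, not code from the thread or from ArcSight: it mirrors the
// local-variable expression $message.replaceAll('<regex>','$1') with JavaScript's
// String.replace, which uses the same [^\s]+ / .* syntax and the same $1 back-reference.
// Every pattern below ends in ".*", so it can match at most once per message and a
// non-global regex behaves like Java's replaceAll here.
// Sample messages are constructed; "abc_abc" stands in for the confidential first word.
const MSG = "abc_abc: Authentication succeeded for ad.example.local user: faker.fakeson account: 000000000";
// Same message, but the host token contains a space (the "<Active Directory>" case).
const MSG_SPACE = "abc_abc: Authentication succeeded for <Active Directory> user: faker.fakeson account: 000000000";
// "user:" appears twice, to show what a greedy ".*" prefix does.
const MSG_TWICE = "abc_abc: Authentication failed for ad.example.local user: first.user reason: unknown user: second.user";

// Apply a pattern and return what replaceAll would leave in the local variable.
function extract(message, regex) {
  return message.replace(regex, "$1");
}

// 1. Pattern without the leading word. replaceAll rewrites only the matched span,
//    so everything BEFORE the match survives: "abc_abc: faker.fakeson", not the bare name.
function partialMatch() {
  return extract(MSG, /Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*/);
}

// 2. Final pattern: [^\s]+ for the variable first word, the static words, the captured
//    user name, and a trailing ".*" that swallows the rest of the line.
function fullMatch() {
  return extract(MSG, /[^\s]+ Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*/);
}

// 3. The same pattern against a message whose "<Active Directory>" token contains a
//    space: [^\s]+ cannot cross the space, nothing matches, and the ORIGINAL message
//    comes back unchanged. That is the "field just contains the whole message" symptom.
function noMatch() {
  return extract(MSG_SPACE, /[^\s]+ Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*/);
}

// 4. The ".*user:" shortcut: ".*" is greedy, so when "user:" occurs twice the capture
//    is the token after the LAST occurrence, not the first.
function greedyShortcut(message) {
  return extract(message, /.*user: ([^\s]+).*/);
}
```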

Sorry, I got really busy all of a sudden and wasn't able to work on this. It is now working! Thank you so much for taking the time to assist me with this!
