Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
sanhyongt1
sanhyongt1 Absent Member.
Absent Member.
‎2016-05-13 11:35
910 views

Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Hi guys,

I am trying to extract source Username and Address information from the [message] field.

Palo Alto CEF event:

CEF:0|Palo Alto Networks|PAN-OS|6.0.7|general|SYSTEM|$number-of-severity|rt=May 13 2016 03:41:51 GMT deviceExternalId=001701006145 cs3Label=Virtual System cs3= fname= flexString2Label=Module flexString2=general msg="failed authentication for user 'testuser'.   vsys 'shared', From: 192.168.10.10." externalId=160979 cat=auth-fail

Palo Alto Message value:

msg="failed authentication for user 'testuser'.   vsys 'shared', From: 192.168.10.10."

Regex Mapping done:

regex.event.message,set.expr(message).event.sourceUserName,set.expr(message).event.sourceAddress

""failed authentication for user '\S+'.*From: \d+\.\d+\.\d+\.\d+.*"","__regexToken(message,"""failed authentication for user '(\S+)'.*From.*""")","__regexToken(message,"""failed authentication for user '\S+'.*From: (\d+\.\d+\.\d+\.\d+)\.""")"

Issue:

For testing, I used CEF File connector and send its output to CEF file and CSV file.

However, I don't see any related errors in agent.log and the fields (sourceHostUserName and sourceAddress) are not being mapped.

Can anyone advise how I can go about debug this issue? Or is there anything wrong with my regex expression?

Thanks.

EDIT: Hey guys, I used Tom's variables method on ESM instead.

0 Likes
Reply
1 Solution

Accepted Solutions
Lewuu
Lewuu Super Contributor.
Super Contributor.
‎2016-05-13 18:36

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Would something like this assist you..

View solution in original post

Palo_Alto_-_destination_User_Info.arb.zip
0 Likes
Reply
6 Replies
Michel Beaudry
Michel Beaudry Outstanding Contributor.
Outstanding Contributor.
‎2016-05-13 13:23

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Hi Sanhyongt,

You may have a look at this presentation made in Protect'14, that might give you a hint https://www.protect724.hpe.com/message/54085#comment-54085

Regards,

Michel

0 Likes
Reply
Highlighted
sanhyongt1
sanhyongt1 Absent Member.
Absent Member.
‎2016-05-13 15:47

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Thanks Michel for the resource, but I have followed through the pointers which were indicated in the Flex Dev guide like the double quotes, and other necessary parameters.

I took reference from   as well but still no go.

0 Likes
Reply
Lewuu
Lewuu Super Contributor.
Super Contributor.
‎2016-05-13 18:36

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Would something like this assist you..

View solution in original post

Palo_Alto_-_destination_User_Info.arb.zip
0 Likes
Reply
sanhyongt1
sanhyongt1 Absent Member.
Absent Member.
‎2016-05-16 10:06

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Thanks Tom, I have tried to import the package, but when I tried to "edit" the rule, it produced a "Java Negative Array Exception".

0 Likes
Reply
Lewuu
Lewuu Super Contributor.
Super Contributor.
‎2016-05-17 16:06

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

probably an dependency on the base "Activate Package" --  I'll see if I can repackage and repost

0 Likes
Reply
sanhyongt1
sanhyongt1 Absent Member.
Absent Member.
‎2016-05-19 13:39

Re: Help on Regex extraction and Mapping - Palo Alto Firewall

Jump to solution

Thanks a lot, Tom.

I loaded mine with Activate Base package and the variables method used is very useful.

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.