I am trying to extract source Username and Address information from the [message] field.
Palo Alto CEF event:
CEF:0|Palo Alto Networks|PAN-OS|6.0.7|general|SYSTEM|$number-of-severity|rt=May 13 2016 03:41:51 GMT deviceExternalId=001701006145 cs3Label=Virtual System cs3= fname= flexString2Label=Module flexString2=general msg="failed authentication for user 'testuser'. vsys 'shared', From: 192.168.10.10." externalId=160979 cat=auth-fail
Palo Alto Message value:
msg="failed authentication for user 'testuser'. vsys 'shared', From: 192.168.10.10."
Regex Mapping done:
""failed authentication for user '\S+'.*From: \d+\.\d+\.\d+\.\d+.*"","__regexToken(message,"""failed authentication for user '(\S+)'.*From.*""")","__regexToken(message,"""failed authentication for user '\S+'.*From: (\d+\.\d+\.\d+\.\d+)\.""")"
For testing, I used the CEF File connector and sent its output to a CEF file and a CSV file.
However, I don't see any related errors in agent.log and the fields (sourceHostUserName and sourceAddress) are not being mapped.
Can anyone advise how I can go about debugging this issue? Or is there anything wrong with my regex expression?
EDIT: Hey guys, I used Tom's variables method on ESM instead.
Thanks Tom, I have tried to import the package, but when I tried to "edit" the rule, it produced a "Java Negative Array Exception".
Thanks a lot, Tom.
I loaded mine with Activate Base package and the variables method used is very useful.
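As an added example (not from the post, and not ArcSight's own code), here is a small Python parser that splits the Palo Alto CEF event quoted above into its header and extension fields and then applies the three expressions from the regex mapping to the msg value. It assumes the connector evaluates the condition and the __regexToken patterns as full-string matches, and the function and variable names are my own.

```python
import re

# Constructed sample: the Palo Alto CEF event quoted in the post.
SAMPLE_EVENT = (
    "CEF:0|Palo Alto Networks|PAN-OS|6.0.7|general|SYSTEM|$number-of-severity|"
    "rt=May 13 2016 03:41:51 GMT deviceExternalId=001701006145 "
    "cs3Label=Virtual System cs3= fname= flexString2Label=Module flexString2=general "
    "msg=\"failed authentication for user 'testuser'. vsys 'shared', From: 192.168.10.10.\" "
    "externalId=160979 cat=auth-fail"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '=', at the start or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of extension values."""
    parts = line.split("|", 7)          # header = 7 pipe-separated fields, rest = extensions
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = parts[0][len("CEF:"):]
    ext = parts[7]
    keys = list(_KEY_RE.finditer(ext))
    extensions = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        # This device wraps msg in double quotes; strip them so the regexes see the bare text.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        extensions[m.group(1)] = value
    event["extensions"] = extensions
    return event

# The match condition and the two capture tokens exactly as written in the post's mapping.
CONDITION = r"failed authentication for user '\S+'.*From: \d+\.\d+\.\d+\.\d+.*"
USER_TOKEN = r"failed authentication for user '(\S+)'.*From.*"
ADDR_TOKEN = r"failed authentication for user '\S+'.*From: (\d+\.\d+\.\d+\.\d+)\."

def map_auth_failure(event):
    """Apply the mapping to msg as full matches (assumed connector semantics); None if no match."""
    # With the surrounding quotes left in the value, none of these full matches would succeed.
    msg = event["extensions"].get("msg", "")
    if not re.fullmatch(CONDITION, msg):
        return None
    return {"sourceHostUserName": re.fullmatch(USER_TOKEN, msg).group(1),
            "sourceAddress": re.fullmatch(ADDR_TOKEN, msg).group(1)}
```

Running the two functions over events the connector wrote to the CEF file is a quick way to check whether the condition regex matches the msg value the connector actually produced.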