ganchu1 (Trusted Contributor)

Help with multiline Syslog regex flexconnector

I am developing a multiline syslog regex flexconnector, but it can't concatenate the logs into one line.

Sample log is:

<109>1 2019-04-17T01:18:12.265Z user.organization.local 4320 DeviceLockAudit - - ...Alert Success (8) Computer: USER DateTime: 04/17/19 09:18:02 - 04/17/19 09:18:02 Username: DOMAIN\USER Process_name: C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE Source: MAPI (529) Action: (2) Name: (7) Info: %INFO
Name Outgoing File Outgoing Message
(6 Attachment(s)) DEPART - USER - 1626 < 0 1
user@organization.com> => USER - DEPT
- 1626 <admin@organization.com>
image001.jpg 1 0
image002.jpg 1 0
image003.jpg 1 0
image004.jpg 1 0
image005.jpg 1 0
image006.jpg 1 0
EndOfLine

Knowledge Partner

Re: Help with multiline Syslog regex flexconnector

Hi @ganchu1 

suggestion:

remove the multiline stuff from your parser and add

(?s) after "regex="  to your regex,

(?s)
 match the remainder of the pattern with the following effective flags: gms
s modifier: single line. Dot matches newline characters

 

May help

Cheers

A

ganchu1 (Trusted Contributor)

Re: Help with multiline Syslog regex flexconnector

Removed the multiline-related lines and added ?s before my regex string like this, but it doesn't parse multiple lines.

regex=?s.*Alert (\\S+).*Computer\: (\\S+).*DateTime\: (\\d+\/\\d+\/\\d+ \\d+\:\\d+\:\\d+).*Username\: (\\S+) Process_name\: (.*) Source\: (\\S+).*Action\: (.*) Name\: (.*) Info\: (.*)\\sEndOfLine

Knowledge Partner

Re: Help with multiline Syslog regex flexconnector

regex=(?s).*Alert (\\S+).*Computer\: (\\S+).*DateTime\: (\\d+\/\\d+\/\\d+ \\d+\:\\d+\:\\d+).*Username\: (\\S+) Process_name\: (.*) Source\: (\\S+).*Action\: (.*) Name\: (.*) Info\: (.*)\\s

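An added example (not part of the thread) that runs the three forms of the regex discussed above against a constructed, shortened copy of the sample log. Python's `re` module stands in for the connector's regex engine, and un-doubling the properties-file backslashes in `to_regex` is an assumption about how the value is read.

```python
import re

# Regex body as written in the thread's properties value (backslashes doubled).
BODY = (r".*Alert (\\S+).*Computer\: (\\S+)"
        r".*DateTime\: (\\d+\/\\d+\/\\d+ \\d+\:\\d+\:\\d+)"
        r".*Username\: (\\S+) Process_name\: (.*) Source\: (\\S+)"
        r".*Action\: (.*) Name\: (.*) Info\: (.*)\\s")

# Constructed sample: the thread's record with the attachment list shortened.
SAMPLE = (
    "<109>1 2019-04-17T01:18:12.265Z user.organization.local 4320 "
    "DeviceLockAudit - - ...Alert Success (8) Computer: USER "
    "DateTime: 04/17/19 09:18:02 - 04/17/19 09:18:02 Username: DOMAIN\\USER "
    "Process_name: C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE "
    "Source: MAPI (529) Action: (2) Name: (7) Info: %INFO\n"
    "Name Outgoing File Outgoing Message\n"
    "image001.jpg 1 0\n"
    "image006.jpg 1 0\n"
    "EndOfLine"
)


def to_regex(value):
    """Assumption: the doubled backslashes are collapsed before compiling."""
    return value.replace("\\\\", "\\")


def parse(value, record):
    """Return the captured groups, or None if the pattern is invalid or fails."""
    try:
        match = re.match(to_regex(value), record)
    except re.error:
        return None  # e.g. a bare "?s" prefix is a dangling quantifier
    return match.groups() if match else None


if __name__ == "__main__":
    for label, prefix in (("bare ?s", "?s"), ("no flag", ""), ("(?s)", "(?s)")):
        groups = parse(prefix + BODY, SAMPLE)
        info = None if groups is None else groups[8]
        print(f"{label:8} -> Info = {info!r}")
```

In this harness the unflagged pattern still matches but cuts the Info capture at the first newline, so the attachment names never reach the parsed event; only the `(?s)` form keeps them.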