Absent Member.

Variables in FlexConnector parsing

Hello SIEMers,

I have to develop a FlexConnector for an iptable type log source. The log uses headers and blocks to convey information common to many lines. Here is an example:

Date (mm/dd/yy) : 02/02/02   Time (hr:min:sec) : 02:02:02

Chain INPUT (policy ACCEPT x packets, xx bytes)
num       pkts      bytes      target          prot      opt      in     out     source         destination
1         xxK       xxxM      ACCEPT          all       --  lo     any     anywhere             anywhere
2         xxxx6K  xxxM      ACCEPT          all       --  any    any     anywhere             anywhere
3             0          0 DROP       all  --       any         any     anywhere             anywhere
4             0          0 DROP       all  --       any              any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    qweqw1529K ACCEPT     all  --  any    any     anywhere             anywhere
2        0     0 DROP       all  --  any    any     anywhere             anywhere
3        0     0 DROP       all  --  any    any     anywhere             anywhere

ifconfig stats for BLA-BLA:
RX=>   Errors: 0   Dropped: 0   Overruns: 0   Frame: 0
TX=>   Errors: 0   Dropped: 0   Overruns: 0   Carrier: 0   Collisions: 0

Date (mm/dd/yy) : 02/02/02   Time (hr:min:sec) : 02:33:02

...and the process repeats

So there are many problems here. First, the date should apply to all of the lines. Second, there are many types of iptables (INPUT, FORWARD, etc.), and each line in the table must correspond to a type. Finally, as you can see, there are no obvious patterns from line to line...

Lastly, I cannot preprocess the file. This is what I have to live with.

Any suggestions?

1 Reply
Acclaimed Contributor.

Re: Variables in FlexConnector parsing

Hi Richard,

You can use the sub-message technique to make it simple. Since you have date and time for every new log and some logs may contain different types of iptables, you can break it into 2 parts, then do the sub-messaging. Sometimes you may need to merge multiple lines into 1 line and do multi-line parsing.
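To make the two halves of this thread concrete (the block-structured log in the question, and the sub-message approach in the reply), here is an added example in Python. It is not the original poster's code, not the replier's, and not a FlexConnector configuration; it models the same idea a FlexConnector sub-message setup expresses: every line is tried against an ordered list of patterns, header lines (Date/Time, Chain, ifconfig stats) only update shared state, and rule rows become events that carry the current timestamp and chain. The sample log is constructed (interface name, counter values and the run-together `1529K90M` row are made up to mirror the question), the field names are my own choice, and the assumption that iptables counter suffixes K/M/G are decimal multipliers is mine.

```python
"""Stateful, sub-message style parser for an iptables status dump whose
headers (date/time, chain, interface) apply to the lines that follow.
Added example, not ArcSight FlexConnector code."""
import re
from datetime import datetime

# Constructed sample shaped like the log in the question (values made up).
# The FORWARD rule 2 row has pkts and bytes run together, like the
# "qweqw1529K" line in the question, so it must be surfaced as unparsed.
SAMPLE_LOG = """\
Date (mm/dd/yy) : 02/02/02   Time (hr:min:sec) : 02:02:02
Chain INPUT (policy ACCEPT 12 packets, 800 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     15K  2M    ACCEPT     all  --  lo     any     anywhere             anywhere
2     0    0     DROP       all  --  any    any     anywhere             anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1529K 90M  ACCEPT     all  --  any    any     anywhere             anywhere
2     1529K90M   DROP       all  --  any    any     anywhere             anywhere
ifconfig stats for eth0:
RX=>   Errors: 0   Dropped: 3   Overruns: 0   Frame: 0
TX=>   Errors: 0   Dropped: 0   Overruns: 0   Carrier: 0   Collisions: 0
Date (mm/dd/yy) : 02/02/02   Time (hr:min:sec) : 02:33:02
Chain INPUT (policy ACCEPT 14 packets, 900 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     16K  2M    ACCEPT     all  --  lo     any     anywhere             anywhere
"""

# Sub-message patterns, tried in order. Named groups become event fields.
DATE_RE = re.compile(r"^Date \(mm/dd/yy\) : (?P<date>\d\d/\d\d/\d\d)\s+"
                     r"Time \(hr:min:sec\) : (?P<time>\d\d:\d\d:\d\d)")
CHAIN_RE = re.compile(r"^Chain (?P<chain>\S+) \(policy (?P<policy>\S+) ")
HEADER_RE = re.compile(r"^num\s+pkts\s+bytes\s+target")
RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+"
                     r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
                     r"(?P<src>\S+)\s+(?P<dst>\S+)")
IFACE_RE = re.compile(r"^ifconfig stats for (?P<iface>[^:]+):")
STATS_RE = re.compile(r"^(?P<dir>RX|TX)=>\s+(?P<rest>.*)$")


def scale(counter: str) -> int:
    """Expand iptables -v counter suffixes; assumed decimal (15K -> 15000)."""
    units = {"K": 10**3, "M": 10**6, "G": 10**9}
    if counter and counter[-1] in units:
        return int(counter[:-1]) * units[counter[-1]]
    return int(counter)


def parse_log(text: str):
    """Return (events, unparsed). Header lines set state that later rows inherit."""
    state = {"timestamp": None, "chain": None, "policy": None, "iface": None}
    events, unparsed = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := DATE_RE.match(line):
            state["timestamp"] = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        elif m := CHAIN_RE.match(line):
            state["chain"], state["policy"] = m["chain"], m["policy"]
        elif HEADER_RE.match(line):
            pass  # column header, carries no data
        elif m := RULE_RE.match(line):
            events.append({
                "type": "rule", "timestamp": state["timestamp"],
                "chain": state["chain"], "policy": state["policy"],
                "num": int(m["num"]), "pkts": scale(m["pkts"]), "bytes": scale(m["bytes"]),
                "target": m["target"], "prot": m["prot"], "in": m["in"], "out": m["out"],
                "src": m["src"], "dst": m["dst"],
            })
        elif m := IFACE_RE.match(line):
            state["iface"] = m["iface"]
        elif m := STATS_RE.match(line):
            counters = {k.lower(): int(v) for k, v in re.findall(r"(\w+): (\d+)", m["rest"])}
            events.append({"type": "ifstats", "timestamp": state["timestamp"],
                           "iface": state["iface"], "direction": m["dir"], **counters})
        else:
            unparsed.append(line)  # never silently drop: counters collapsed, new block type, etc.
    return events, unparsed


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(f"{len(evs)} events, {len(bad)} unparsed line(s): {bad}")
```

The order of patterns matters in the same way it does for FlexConnector sub-messages: the specific header patterns go first so that a rule row can never be mistaken for a header, and anything that matches nothing is kept in `unparsed` so collapsed columns show up as a parsing gap rather than a missing firewall rule.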


