emanuelpalmeira1 (Established Member)

flexconnector - regex pfsense

Hello, my name is Emanuel Palmeira. I am currently using the ArcSight regex tool to create a FlexConnector for pfSense logs, and I have yellow in message and submessage, and S.M.Pattern does not turn red. For some reason it is not working. I will paste the code here; maybe someone has already had that kind of problem.

Raw log for each pattern:

S.M.Pattern[0] : <134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,126,31382,0,none,17,udp,85,1.1.1.1,2.2.2.2,4909,53,65

S.M.Pattern[1] : <134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,62,55891,0,DF,6,tcp,60,1.1.1.1,2.2.2.2,17938,443,0,S,1229475840,,14600,,mss;sackOK;TS;nop;wscale

S.M.Pattern[2] : <134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,125,26193,0,DF,6,tcp,52,1.1.1.1,2.2.2.2,20476,443,0,S,2900331658,,8192,,mss;nop;wscale;nop;nop;sackOK

FlexAgent Regex Configuration File

# FlexAgent Regex Configuration File

do.unparsed.events=true

# Main pattern: syslog header, then the comma-separated filterlog fields up to
# the destination address; everything after that is captured as "resto" for the
# protocol-specific submessages.
regex=<(\\d*)>(\\w+) (\\d*) (\\d*\:\\d*\:\\d*) (filterlog)\: (\\d*),(\\d*),(.*),(\\d*),(\\w+),(match),(pass|block),(in|out),(\\d*),((\\d*)x(\\d*)),(.*),(\\d*),(\\d*),(\\d*),(\\w*),(\\d*),(udp|tcp|icmp),(\\d*),(\\d*\\.\\d*\\.\\d*\\.\\d*),(\\d*\\.\\d*\\.\\d*\\.\\d*),(.*)

token.count=28

token[0].name=LogEntry
token[0].type=String
token[1].name=month
token[1].type=String
token[2].name=day
token[2].type=Integer
token[3].name=time
token[3].type=Time
token[4].name=log
token[4].type=String
token[5].name=RuleNumber
token[5].type=Integer
token[6].name=SubRuleNumber
token[6].type=Integer
token[7].name=Anchor
token[7].type=String
token[8].name=Tracker
token[8].type=Integer
token[9].name=RealInterface
token[9].type=String
token[10].name=ReasonForLogEntry
token[10].type=String
token[11].name=actionTakenResultedInLogEntry
token[11].type=String
token[12].name=directionOfTraffic
token[12].type=String
token[13].name=ipVersion
token[13].type=Integer
token[14].name=TypeofServiceIdentification
token[14].type=String
token[15].name=TypeofService1
token[15].type=Integer
token[16].name=TypeofService2
token[16].type=Integer
token[17].name=explicitCongestionNotification
token[17].type=String
token[18].name=timetoLiveofthePacket
token[18].type=Integer
token[19].name=IDofThePacket
token[19].type=Integer
token[20].name=FragmentOffset
token[20].type=Integer
token[21].name=IPFlags
token[21].type=String
token[22].name=ProtocolId
token[22].type=Integer
token[23].name=ProtocolText
token[23].type=String
token[24].name=length
token[24].type=Integer
token[25].name=SourceAddress
token[25].type=IPAddress
token[26].name=TargetAddress
token[26].type=IPAddress
token[27].name=resto
token[27].type=String

# The submessage descriptor is chosen by ProtocolId (6 = tcp, 17 = udp);
# the descriptor's patterns are applied to the "resto" token.
submessage.messageid.token=ProtocolId
submessage.token=resto

event.deviceCustomNumber2=RuleNumber
event.deviceCustomNumber1=length
event.deviceAction=actionTakenResultedInLogEntry
event.deviceVendor=__stringConstant(pfsense)
event.deviceProduct=__stringConstant(pfsense)
# IPAddress tokens map straight onto address fields; __numberToAddress is only
# for numeric tokens.
event.destinationAddress=TargetAddress
event.deviceCustomString1Label=ProtocolText
event.deviceDirection=__ifThenElse(directionOfTraffic,"in",0,1)
event.sourceAddress=SourceAddress

severity.map.veryhigh.if.deviceSeverity=0,1
severity.map.high.if.deviceSeverity=2,3
severity.map.medium.if.deviceSeverity=4,5
severity.map.low.if.deviceSeverity=6,7

#l10n.filename.prefix=

submessage.count=3

# tcp
submessage[0].messageid=6
submessage[0].pattern.count=2
submessage[0].pattern[0].regex=
submessage[0].pattern[0].fields=event.name
submessage[0].pattern[1].regex=(\\d+),(\\d+\\.\\d+\\.\\d+\\.\\d+),(\\d+\\.\\d+\\.\\d+\\.\\d+),(\\d+),(\\d+),(\\d+),(S|A|.|F|R|P|U|E|W),(\\d+),(.*),(\\d+),(.*),(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS)
submessage[0].pattern[1].fields=event.name

# udp: source port, destination port, data length
submessage[1].messageid=17
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=(\\d+),(\\d+),(\\d+)
submessage[1].pattern[0].fields=event.deviceCustomNumber1,event.deviceCustomNumber3,event.destinationPort
submessage[1].pattern[0].types=Integer,Integer,Integer
submessage[1].pattern[0].mappings=$1|$3|$2

# Default submessage descriptor
submessage[2].pattern.count=3
submessage[2].pattern[0].regex=
submessage[2].pattern[0].fields=event.name
submessage[2].pattern[1].regex=(\\d+),(\\d+),(\\d+),(S|A|.|F|R|P|U|E|W),(\\d+),(.*),(\\d+),(.*),(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(wscale|mss|sackOK|TS|nop)
submessage[2].pattern[1].fields=event.destinationPort,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.deviceCustomString1Label,event.deviceCustomString2Label,event.deviceCustomString3Label,event.deviceCustomString4Label,event.fileSize
submessage[2].pattern[1].names=$1,$2,$3,$4,$5,$7,$9,$10,$11,$12,$13
submessage[2].pattern[1].mappings=$2|$3|$4|$5|$7|$9|$10|$11|$12|$13|$1
submessage[2].pattern[2].regex=(\\d*),(\\d*),(\\d*),(S|A|.|F|R|P|U|E|W),(\\d*),(.*),(\\d*),(.*),(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale)
submessage[2].pattern[2].fields=event.fileSize,event.destinationPort,event.deviceCustomNumber1,event.deviceCustomNumber1Label,event.deviceCustomNumber2,event.deviceCustomString2,event.deviceCustomString2Label,event.deviceCustomString3,event.deviceCustomString3Label,event.deviceCustomString4,event.deviceCustomString4Label,event.deviceInboundInterface
submessage[2].pattern[2].names=$1,$2,$3,$4,$5,$7,$9,$10,$11,$12,$13,$14
submessage[2].pattern[2].mappings=$1|$2|$3|$5|$7|$9|$10|$11|$12|$13|$14|$4

Thank you

Best regards

Emanuel Palmeira
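As an added example (not part of the post and not ArcSight code), the script below replays the post's main regex and submessage regexes the way the connector applies them: the regex strings are unescaped as a Java .properties loader would, each regex must match the whole token, and the three S.M.Pattern lines are reconstructed as sample input. It reports which descriptor and pattern each line lands on; the assumption that a messageid-specific descriptor is tried before the default one, and the reordered option alternatives in the rebuilt tcp patterns, are mine.

```python
import re

def unescape_properties(value):
    # Undo Java .properties escaping as the connector's loader does: "\\" -> "\"
    # and "\:" -> ":" (any "\x" becomes "x"), so the regex= line can be compiled.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

# Main regex copied from the post's regex= line, still in .properties form.
MAIN = re.compile(unescape_properties(
    r"<(\\d*)>(\\w+) (\\d*) (\\d*\:\\d*\:\\d*) (filterlog)\: (\\d*),(\\d*),(.*),(\\d*),(\\w+),"
    r"(match),(pass|block),(in|out),(\\d*),((\\d*)x(\\d*)),(.*),(\\d*),(\\d*),(\\d*),(\\w*),(\\d*),"
    r"(udp|tcp|icmp),(\\d*),(\\d*\\.\\d*\\.\\d*\\.\\d*),(\\d*\\.\\d*\\.\\d*\\.\\d*),(.*)"))
PROTOCOL_ID, RESTO = 23, 28  # capture groups feeding the ProtocolId and resto tokens

OPT = r"(mss|sackOK|TS|nop|wscale)"
TCP_HEAD = r"(\\d+),(\\d+),(\\d+),(S|A|.|F|R|P|U|E|W),(\\d+),(.*),(\\d+),(.*),"
# Submessage descriptors keyed by messageid, patterns in the post's order.
SUBMESSAGES = {
    "6": ["", r"(\\d+),(\\d+\\.\\d+\\.\\d+\\.\\d+),(\\d+\\.\\d+\\.\\d+\\.\\d+),(\\d+),(\\d+),(\\d+),(S|A|.|F|R|P|U|E|W),(\\d+),(.*),(\\d+),(.*)," + ";".join([OPT] * 6)],
    "17": [r"(\\d+),(\\d+),(\\d+)"],
    "default": ["", TCP_HEAD + ";".join([OPT] * 5), TCP_HEAD + ";".join([OPT] * 6)],
}

# Constructed copies of the three S.M.Pattern sample lines from the post.
SAMPLES = [
    "<134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,126,31382,0,none,17,udp,85,1.1.1.1,2.2.2.2,4909,53,65",
    "<134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,62,55891,0,DF,6,tcp,60,1.1.1.1,2.2.2.2,17938,443,0,S,1229475840,,14600,,mss;sackOK;TS;nop;wscale",
    "<134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,125,26193,0,DF,6,tcp,52,1.1.1.1,2.2.2.2,20476,443,0,S,2900331658,,8192,,mss;nop;wscale;nop;nop;sackOK",
]

def classify(line):
    # (messageid, descriptor used, pattern index), or None if the main regex
    # does not match the whole line (the connector requires a full match).
    m = MAIN.fullmatch(line)
    if m is None:
        return None
    messageid, resto = m.group(PROTOCOL_ID), m.group(RESTO)
    # Assumption: messageid-specific descriptor first, default as fallback, patterns in order.
    for label in (messageid, "default"):
        for idx, pattern in enumerate(SUBMESSAGES.get(label, [])):
            if re.fullmatch(unescape_properties(pattern), resto):
                return messageid, label, idx
    return messageid, None, None
```

Running `classify` over the three samples shows the udp line handled by descriptor 17, while both tcp lines fall through descriptor 6 (its pattern expects addresses the main regex already consumed) to patterns 1 and 2 of the default descriptor.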
