omrip
Oct 17, 2019 — Copper Contributor
Parsing syslog
1. I am ingesting firewall logs as syslog and trying to parse out the fields using the split command. I have a problem: the beginning of each log line is not pipe-delimited, and I have made the split ...
Roger_Fleming
Dec 28, 2021 — Former Employee
You could use the extract method; here is an example:
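// Split each Meraki syslog line into its header fields and the trailing message body.
// Assumed line shape: "<epoch seconds>.<fraction> <device name> <log type> <rest of message>"
// — confirm against the raw Message column before relying on the parsed fields.
// Messages that do not match the header pattern produce a null Parser value; check how
// those rows come out of the mv-expand so unparsed events are not silently lost.
let LogHeader = meraki_CL
// The epoch separator is a literal '.', so it must be escaped; \w already covers '_'.
| extend Parser = extract_all(@"(\d+\.\d+)\s([\w\-]+)\s([\w\-]+)\s([\S\s]+)$", dynamic([1,2,3,4]), Message)
| mv-expand Parser
| extend Epoch      = tostring(Parser[0]),
         DeviceName = tostring(Parser[1]),
         LogType    = tostring(Parser[2]),
         Substring  = tostring(Parser[3])
// todouble keeps the fractional seconds the firewall reports instead of truncating to whole seconds.
| extend EventTimestamp = unixtime_seconds_todatetime(todouble(Epoch))
| project-away Parser, Message;
// "urls" events: source/destination endpoints, HTTP method and the requested URL.
// The address patterns only match dotted IPv4 literals; IPv6 endpoints would come back null,
// which is worth knowing if detections are keyed on SrcIpAddr/DstIpAddr.
let UrlEvents = LogHeader
| where LogType == "urls"
| extend SrcIpAddr         = extract(@"src=([0-9\.]+)\:", 1, Substring),
         SrcPortNumber     = toint(extract(@"src=([0-9\.]+)\:(\d+)\s", 2, Substring)),
         DstIpAddr         = extract(@"dst=([0-9\.]+)\:", 1, Substring),
         DstPortNumber     = toint(extract(@"dst=([0-9\.]+)\:(\d+)\s", 2, Substring)),
         HttpRequestMethod = extract(@"request: (\w+)\s", 1, Substring),
         Url               = extract(@"request: (\w+)\s(\S+)", 2, Substring)
| project-away Substring;
// The query needs a final tabular expression to return rows; the let statements alone produce no result.
UrlEvents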
// Header parse: epoch, device name, log type, then the remainder of the message.
let LogHeader = meraki_CL
| extend Parser = extract_all(@"(\d+.\d+)\s([\w\-\_]+)\s([\w\-\_]+)\s([\S\s]+)$",dynamic([1,2,3,4]),Message)
| mv-expand Parser
| extend Epoch = tostring(Parser[0]), DeviceName = tostring(Parser[1]), LogType = tostring(Parser[2]), Substring = tostring(Parser[3])
// Whole seconds only: the part of Epoch before the '.' becomes the event datetime.
| extend EventTimestamp = unixtime_seconds_todatetime(tolong(split(Epoch, ".")[0]))
| project-away Parser, Message;
// URL events only: endpoints, HTTP method and URL are pulled from the message body.
let UrlEvents = LogHeader
| where LogType == "urls"
| extend SrcIpAddr = extract(@"src=([0-9\.]+)\:", 1, Substring)
| extend SrcPortNumber = toint(extract(@"src=([0-9\.]+)\:(\d+)\s", 2, Substring))
| extend DstIpAddr = extract(@"dst=([0-9\.]+)\:", 1, Substring)
| extend DstPortNumber = toint(extract(@"dst=([0-9\.]+)\:(\d+)\s", 2, Substring))
| extend HttpRequestMethod = extract(@"request: (\w+)\s", 1, Substring)
| extend Url = extract(@"request: (\w+)\s(\S+)", 2, Substring)
| project-away Substring;