Forum Discussion

Marek Stelcik's avatar
Marek Stelcik
Copper Contributor
Aug 15, 2023

Extract from syslog

Hello can someone please help me with extract regex expression?

I have syslog message that have this structure

1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=445 pattern: allow all

or

1692086279.965148294 XXXXflows src=XXXXX dst=XXXXX mac=00:XXXXX:XX protocol=udp sport=56182 dport=53 pattern: allow (dst 192.168.10.0/24) && (src 172.26.0.0/15)

or

1692087314.799126634 XXXXflows src=XXX dst=XXX protocol=tcp sport=443 dport=65472 pattern: deny all

 

 

i would need to extract the pattern value allow or deny only. I was thinking somethink like

Syslog

|extend pattern = extract(@'pattern: \"[A-Za-z]+ \"', 1, SyslogMessage),

 

but not works as expected. Can you please help me. Basically it will always be prefixed with pattern: and then allow or deny and space

KQL
  • Marek Stelcik's avatar
    Marek Stelcik
    Aug 18, 2023
    This works
    pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),
  • raphaelcustodiosoares's avatar
    raphaelcustodiosoares
    Iron Contributor
    Aug 15, 2023

    Hello

    try

    Syslog
    | where has("pattern") and (tostring(dynamic(["allow", "deny"]) in tostring(pattern)))
    | project Timestamp, src, dst, protocol, sport, dport, pattern

     

     

    Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

    • Marek Stelcik's avatar
      Marek Stelcik
      Copper Contributor
      Aug 16, 2023

      raphaelcustodiosoares 

      unfortunately it does not work for me:

      Query could not be parsed at 'has' on line [2,8] Token: has Line: 2 Position: 8 Request id: 2e66e81d-d5e5-412c-9130-6d27512cd854

       

      • Marek Stelcik's avatar
        Marek Stelcik
        Copper Contributor
        Aug 18, 2023
        This works
        pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),

Share

Resources