Extract from syslog

Hello, can someone please help me with an extract regex expression?

I have syslog messages that have this structure:

1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=445 pattern: allow all

or

1692086279.965148294 XXXXflows src=XXXXX dst=XXXXX mac=00:XXXXX:XX protocol=udp sport=56182 dport=53 pattern: allow (dst 192.168.10.0/24) && (src 172.26.0.0/15)

or

1692087314.799126634 XXXXflows src=XXX dst=XXX protocol=tcp sport=443 dport=65472 pattern: deny all

I would need to extract the pattern value, allow or deny only. I was thinking of something like

Syslog
| extend pattern = extract(@'pattern: \"[A-Za-z]+ \"', 1, SyslogMessage),

but it does not work as expected. Can you please help me? Basically it will always be prefixed with "pattern: " and then allow or deny and a space.

Hello

try

Syslog
| where has("pattern") and (tostring(dynamic(["allow", "deny"]) in tostring(pattern)))
| project Timestamp, src, dst, protocol, sport, dport, pattern

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

@raphaelcustodiosoares 

unfortunately it does not work for me:

Query could not be parsed at 'has' on line [2,8] Token: has Line: 2 Position: 8 Request id: 2e66e81d-d5e5-412c-9130-6d27512cd854

best response confirmed by Marek Stelcik (Copper Contributor)
Solution
This works
Syslog
| extend pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage)
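To confirm the accepted regex behaves the same on all three message shapes from the question, here is an added Python example (not code from the thread). The host name, addresses and MAC are constructed placeholders, and parse_flow/denied_flows are hypothetical helpers that go a step beyond the single extract() call by splitting the other key=value fields as well, which is what you would want before projecting or filtering on them.

```python
import re

# Constructed sample lines in the same shape as the three messages in the
# question, with the XXXX placeholders replaced by made-up values.
SAMPLE_LINES = [
    "1692086254.870677475 MX01 flows src=10.0.0.5 dst=10.0.0.9 protocol=tcp "
    "sport=58296 dport=445 pattern: allow all",
    "1692086279.965148294 MX01 flows src=10.0.0.5 dst=10.0.0.53 mac=00:11:22:33:44:55 "
    "protocol=udp sport=56182 dport=53 pattern: allow (dst 192.168.10.0/24) && (src 172.26.0.0/15)",
    "1692087314.799126634 MX01 flows src=10.0.0.7 dst=10.0.0.8 protocol=tcp "
    "sport=443 dport=65472 pattern: deny all",
]

# Same regex as the accepted KQL extract(): an optional quote, then the verdict
# word captured by (\w+), so both quoted and unquoted values yield allow/deny.
PATTERN_RE = re.compile(r'pattern: "?(\w+)"?')

# key=value tokens that precede "pattern:"; mac= is present only sometimes,
# so the fields are parsed generically instead of positionally.
KV_RE = re.compile(r'(\w+)=(\S+)')


def extract_pattern(message: str):
    """Return just the verdict (allow/deny), or None if no pattern field exists."""
    m = PATTERN_RE.search(message)
    return m.group(1) if m else None


def parse_flow(message: str) -> dict:
    """Split one flows line into a dict of its fields (hypothetical helper)."""
    head, _sep, tail = message.partition("pattern:")
    fields = dict(KV_RE.findall(head))
    fields["pattern"] = extract_pattern(message)
    # Keep the full rule text too, e.g. "allow (dst 192.168.10.0/24) && ..."
    fields["rule"] = tail.strip()
    return fields


def denied_flows(lines):
    """Filter to denied flows, the rows a detection rule would typically alert on."""
    return [f for f in map(parse_flow, lines) if f["pattern"] == "deny"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_flow(line))
```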