Skip navigation

Multiple data patterns for one Data Collector

score 40
You have not voted. On Roadmap

Hi All,

 

Sometimes log files contain heterogeneous information and it's complicated to make a single pattern to extract all pieces of data. Using single primary pattern can result in huge unreadable regular expression which is also hard to maintain.

 

The idea is to have an ability to create and apply multiple patterns for different types of messages/log records to one data collector. This would greatly simplify pattern development and maintenance.

 

As an example, take the piece of log file from cisco firewall (Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events - Cisco Systems):

Aug 24 2007 10:27:22: %ASA-6-106015: Deny TCP (no connection) from 192.168.208.63/49827 to 192.168.150.70/80 flags ACK on interface outside
Aug 24 2007 10:27:22: %ASA-6-302020: Built ICMP connection for faddr 192.168.208.63/15343 gaddr 192.168.150.70/0 laddr 192.168.150.70/0
Aug 24 2007 10:27:22: %ASA-6-302015: Built inbound UDP connection 732748 for outside:192.168.208.63/49804 (192.168.208.63/49804) to inside:192.168.150.70/53 (192.168.150.70/53)
Aug 24 2007 10:27:22: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.208.63/0 gaddr 192.168.150.70/0 laddr 192.168.150.70/0

 

There are several types of messages (deny/built/teardown). Each type can contain different set of fields for extraction.

It would be more easy to write 3 simple regex than putting all together in one monstrous expression.

 

Regards,

Anton

Comments

Vote history