Attribute pair when both key and value are within quotation marks.

Forum|Forum|1 year ago
October 1, 2024
2 replies
1175 views

132>1 2024-09-30T19:28:50.597024Z adadsads61.irasp.etta asd.asdt.gads.asda.com NILVALUE NILVALUE - {"adf":true,"significant":0,"udf":false,"virtualservice":"virtualservice-333afa37-f201-4d1c-bc3f-3fe7a5e337fa","report_timestamp":"2024-09-30T19:28:50.597024Z","service_engine":"z9900001awaf401-se-jmonv","vcpu_id":0,"log_id":123935,"client_ip":"199.19.253.11","client_src_port":25458,"client_dest_port":443,"client_rtt":8,"ssl_version":"TLSv1.3","ssl_cipher":"TLS_AES_256_GCM_SHA384","sni_hostname":"asd.asdt.gads.asda.com","request_state":"AVI_HTTP_REQUEST_STATE_SSL_HANDSHAKING","significant_log":["ADF_CLIENT_CONNECTION_CLOSED_BEFORE_REQUEST"],"vs_ip":"1.1.111.10","ocsp_status_resp_sent":true,"max_ingress_latency_fe":0,"avg_ingress_latency_fe":0,"conn_est_time_fe":8,"source_ip":"199.19.253.11","vs_name":"asd.asdt.gads.asda.com"}

Best answer by cdurkin_FTNT

Most of the log is JSON .. try using the collectAndSetAttrByJSON function ... and map your own attributes below ...

</collectAndSetAttrByJSON>

PascalAuthor

New Member

Based on the above log, what would be the best way to map these attributes? The following is a snippet of what I've done, it works to identify the logs and I can define a type based on the significant_log using regex and use to change , but I can't seem to parse the attribute pairs.

patternDefinitions> <pattern name="patnsxlb"><![CDATA[\"([a-zA-Z_]*?)\":]]></pattern> <pattern name="patnsxbody"><![CDATA[{.*}]]></pattern> <pattern name="patsiglog"><![CDATA[\[.*]]]></pattern> </patternDefinitions> <eventFormatRecognizer><![CDATA[<:gPatYear>-<:gPatMonNum>-<:gPatDay>T<:gPatTime>\.\d+Z\s+<:gPatFqdn>\s+<:gPatFqdn>\s+NILVALUE\s+NILVALUE]]></eventFormatRecognizer> <parsingInstructions> <collectFieldsByRegex src="$_rawmsg"> <regex><![CDATA[<:gPatYear>-<:gPatMonNum>-<:gPatDay>T<:gPatTime>\.\d+Z\s+<:gPatFqdn>\s+<:gPatFqdn>\s+NILVALUE\s+NILVALUE\s+-\s<_body:patnsxbody>]]></regex> </collectFieldsByRegex> <collectAndSetAttrByKeyValuePair kvsep=":" sep=" ," src="$_body"> <attrKeyMap attr="Significant" key="Significant"/> <attrKeyMap attr="virtualservice" key="virtualservice"/> <attrKeyMap attr="devicetime" key="report_timestamp"/> <attrKeyMap attr="targetUser" key="runAs"/> <attrKeyMap attr="destIpAddr" key="server_ip"/> <attrKeyMap attr="destIpPort" key="server_dest_port"/> <attrKeyMap attr="srcIpAddr" key="client_ip"/> <attrKeyMap attr="srcIpPort" key="client_dest_port"/> <attrKeyMap attr="httpMethod" key="method"/> <attrKeyMap attr="serverrtt" key="server_rtt"/> <attrKeyMap attr="httpStatusCode" key="server_response_code"/> <attrKeyMap attr="httpContentLen" key="server_response_length"/> <attrKeyMap attr="httpUserAgent" key="user_agent"/> <attrKeyMap attr="tlsVersion" key="ssl_version"/> <attrKeyMap attr="webContextPath" key="uri_path"/> <attrKeyMap attr="uriQuery" key="uri_query"/> <attrKeyMap attr="rewrittenuriQuery" key="rewritten_uri_query"/> <attrKeyMap attr="destName" key="host"/> <attrKeyMap attr="persistenceUsed" key="persistence_used"/> <attrKeyMap attr="persistent_session_id" key="persistent_session_id"/>