Created on 07-21-2021 10:37 AM
<when test="$_evtId = '111009'">
<!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config -->
<regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex>
Created on 07-22-2021 09:29 AM
<when test="$_evtId = '722011'">
<when test="$_evtId = '313005'">
<!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:22.214.171.124 (type 11, code 0) on inside interface. Original IP payload: tcp src 126.96.36.199/80 dst 172.16.200.159/37616. -->
<regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex>
This is a bit tough when the vendor's log is putting two different types of data into the same field. What you have to determine first is whether or not there is always something in that field that could help you identify it as one or the other. For instance, in your example, John-computer.domain.com in regex would be "\w+-\w+.\w+.\w+", and "John Last" would simply be "\w+ \w+". Since gPatWord is basically a \w+ (e.g. <pattern name="gPatWord"><![CDATA[\w+]]></pattern>), you could string these together to match the text or make your own pattern definition at the top of the parser. I would then just have two CollectFieldsbyRegex statements to catch each condition.
Now, you need to make sure it's always John[space]Last or John[dash]computer[dot]domain[dot]com; if there are other formats of data coming in, it obviously won't work.
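Added example (not code from this thread and not FortiSIEM's own parser engine): a small Python model of what the posted <when>/<regex> snippets and the reply's two-regex approach do. It translates `<field:gPatX>` placeholders into named groups, dispatches the two ASA event IDs from the thread (111009 and 313005) to their regexes, and then applies the reply's idea of trying two anchored regexes in turn for a field that holds either "John Last" or "John-computer.domain.com". Assumptions: only gPatWord = \w+ is given in the thread, so the other gPat* definitions below are my approximations chosen to fit the sample lines; gPatHostFqdn is a constructed pattern, not a FortiSIEM built-in; the two ASA sample lines are the ones quoted in the thread and the third line is constructed.

```python
import re

# Assumed approximations of FortiSIEM's built-in gPat* patterns. Only gPatWord = \w+
# is given in the thread; the others are guesses chosen to fit the sample lines.
GPAT = {
    "gPatWord": r"\w+",
    "gPatStrSQ": r"[^']*",          # text up to the closing single quote
    "gPatMesgBody": r".*",          # the remainder of the message
    "gPatStrEndColon": r"[^:\s]+",  # a token terminated by ':'
    "gPatStr": r"\S+",              # a whitespace-delimited token
    # Constructed for the reply's example (not a FortiSIEM built-in). The dots are
    # escaped so they match literal dots rather than any character.
    "gPatHostFqdn": r"\w+-\w+\.\w+\.\w+",
}

PLACEHOLDER = re.compile(r"<(\w+):(\w+)>")


def compile_fsm_regex(template: str) -> "re.Pattern[str]":
    """Rewrite '<field:gPatX>' placeholders as Python named groups and compile."""
    def to_group(m: "re.Match[str]") -> str:
        field, pat = m.group(1), m.group(2)
        return f"(?P<{field}>{GPAT[pat]})"
    # A callable replacement is inserted literally, so backslashes survive.
    return re.compile(PLACEHOLDER.sub(to_group, template))


# The two <regex> bodies posted in the thread, keyed by the event ID their <when> tests.
EVENT_REGEX = {
    "111009": compile_fsm_regex(
        r"User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>"),
    "313005": compile_fsm_regex(
        r"icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> "
        r"dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>"),
}

# ASA syslog header: '%ASA-<severity>-<six-digit event id>: <body>'
ASA_HEADER = re.compile(r"%ASA-\d-(\d{6}):\s*(.*)$")


def parse_asa(line: str):
    """Dispatch on the ASA event ID and return the captured fields plus eventId,
    or None when the event has no regex here or its regex does not match."""
    hdr = ASA_HEADER.search(line)
    if not hdr:
        return None
    evt_id, body = hdr.group(1), hdr.group(2)
    regex = EVENT_REGEX.get(evt_id)
    if regex is None:
        return None
    m = regex.search(body)
    if not m:
        return None
    return {"eventId": evt_id, **m.groupdict()}


# The reply's approach for a field that carries either a person name or a host name:
# two collectFieldsByRegex-style statements, each anchored to the whole value, tried
# in turn. A value in any third format matches neither and falls through, which is
# the caveat the reply ends on.
HOST_REGEX = compile_fsm_regex(r"<hostName:gPatHostFqdn>")
PERSON_REGEX = compile_fsm_regex(r"<firstName:gPatWord> <lastName:gPatWord>")


def classify_user_or_host(value: str) -> dict:
    """Return {'hostName': ...} or {'firstName': ..., 'lastName': ...}, else {}."""
    for regex in (HOST_REGEX, PERSON_REGEX):
        m = regex.fullmatch(value)
        if m:
            return m.groupdict()
    return {}


# Sample input: the two ASA lines quoted in the thread, plus one constructed line
# for an event this parser has no <when> branch for.
SAMPLE_LINES = [
    "<135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config",
    "<132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error "
    "message: icmp src inside:172.20.1.1 dst outside:22.214.171.124 (type 11, code 0) on inside "
    "interface. Original IP payload: tcp src 126.96.36.199/80 dst 172.16.200.159/37616.",
    "<134>Feb 04 2019 02:45:00 ACFASA : %ASA-6-302013: Built inbound TCP connection (constructed)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa(line))
    for value in ("John Last", "John-computer.domain.com", "John Q Last"):
        print(value, "->", classify_user_or_host(value))
```

The dispatch mirrors the `<when test="$_evtId = '...'">` branches: the event ID is taken from the header first, and only that event's regex is run against the body, so an unrelated event never accidentally matches a regex meant for another one. For the ambiguous field, `fullmatch` anchors each pattern to the entire value; with `search` the person pattern `\w+ \w+` would also hit inside longer strings, which is exactly the kind of overlap the reply warns about when a third format shows up.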