Hi, I am trying to extract the first valid common MAC address out of several different message entries. I can do it with different Grok extractors, but I want to do it with regex so I can convert the MAC to all lower case. Below are some sample messages and the Grok patterns that work.
Question: how would I convert these Grok extractors to regex, and/or is there a single regex that would work in all 4 examples? Basically the regex would just need to match the first valid MAC address in each string and extract it.
Sample 1:
Equinox: *spamApTask1: Mar 20 15:26:04.033: #CAPWAP-3-ECHO_ERR: capwap_ac_sm.c:7019 Did not receive heartbeat reply; AP: 00:3a:9a:48:9b:40
Sample 2:
Equinox: *spamReceiveTask: Mar 17 12:34:39.264: #CAPWAP-3-DTLS_CONN_ERR: capwap_ac.c:934 00:3a:9a:30:f5:90: DTLS connection not found forAP 192.168.99.74 (43456), Controller: 192.168.99.2 (5246) send packet
Sample 3:
Equinox: *spamApTask1: Mar 22 08:35:14.562: #LWAPP-4-SIG_INFO1: spam_lrad.c:44474 Signature information; AP 00:14:1b:61:f8:40, alarm ON, standard sig NULL probe resp 1, track per-Macprecedence 2, hits 1, slot 0, channel 1, most offending MAC 00:00:00:00:00:00 #yes but must make Mac lowercase
Sample 4:
Equinox: *idsTrackEventTask: Mar 22 08:40:13.816: #WPS-4-SIG_ALARM_OFF: sig_event.c:656 AP 00:14:1B:61:F8:40 : Alarm OFF, standard sig NULL probe resp 1, track=per-Mac preced=2 hits=1 slot=0 channel=1 yes but must make Mac lowercase
I want to use an extractor of type "RegEx", as Grok patterns do not allow you to convert to lower case. RegEx will allow you to do the conversion.
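A single regex that matches the first colon-separated MAC in all four samples and lower-cases it, as an added Python example (not code from the original post). The four SAMPLES strings are copies of the sample messages above; the MSG_ID_RE, HANDLED_IDS and extract_ap_fields names are my own and only mirror what the pipeline rule later in this thread gates on.

```python
import re

# Constructed copies of the four sample messages from the post (not live WLC output).
SAMPLES = [
    "Equinox: *spamApTask1: Mar 20 15:26:04.033: #CAPWAP-3-ECHO_ERR: capwap_ac_sm.c:7019 Did not receive heartbeat reply; AP: 00:3a:9a:48:9b:40",
    "Equinox: *spamReceiveTask: Mar 17 12:34:39.264: #CAPWAP-3-DTLS_CONN_ERR: capwap_ac.c:934 00:3a:9a:30:f5:90: DTLS connection not found forAP 192.168.99.74 (43456), Controller: 192.168.99.2 (5246) send packet",
    "Equinox: *spamApTask1: Mar 22 08:35:14.562: #LWAPP-4-SIG_INFO1: spam_lrad.c:44474 Signature information; AP 00:14:1b:61:f8:40, alarm ON, standard sig NULL probe resp 1, track per-Macprecedence 2, hits 1, slot 0, channel 1, most offending MAC 00:00:00:00:00:00",
    "Equinox: *idsTrackEventTask: Mar 22 08:40:13.816: #WPS-4-SIG_ALARM_OFF: sig_event.c:656 AP 00:14:1B:61:F8:40 : Alarm OFF, standard sig NULL probe resp 1, track=per-Mac preced=2 hits=1 slot=0 channel=1",
]

# Same shape as Grok's COMMONMAC (six colon-separated hex pairs). The leading \b
# stops the pattern from starting inside a longer token such as the "264:" of a
# timestamp, and IGNORECASE accepts the upper-case MAC in sample 4. Timestamps
# like 15:26:04.033 never match because "04." is not "04:".
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)

# The message ID after "#", e.g. CAPWAP-3-ECHO_ERR (assumed format, taken from the samples).
MSG_ID_RE = re.compile(r"#([A-Z]+-\d-[A-Z0-9_]+):")

# Only these IDs are extracted; this mirrors the "when" clause of the pipeline rule.
HANDLED_IDS = {
    "CAPWAP-3-ECHO_ERR",
    "CAPWAP-3-DTLS_CONN_ERR",
    "WPS-4-SIG_ALARM_OFF",
    "LWAPP-4-SIG_INFO1",
}


def first_mac(message: str):
    """Return the first MAC address in the message, lower-cased, or None if there is none."""
    m = MAC_RE.search(message)
    return m.group(0).lower() if m else None


def extract_ap_fields(message: str) -> dict:
    """Extract the message ID and the AP base MAC the way the pipeline rule would.

    Returns an empty dict when the message is not one of the handled IDs or
    carries no MAC, so a caller can check `if fields:` before doing lookups
    instead of feeding an empty key to a lookup table.
    """
    id_match = MSG_ID_RE.search(message)
    if not id_match or id_match.group(1) not in HANDLED_IDS:
        return {}
    mac = first_mac(message)
    if mac is None:
        return {}
    return {"WLC_MsgID": id_match.group(1), "WLC_APBaseMac": mac}


if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_ap_fields(line))
```

Note that sample 3 contains two MACs; `search` returns the leftmost match, so the AP's base MAC wins over the trailing 00:00:00:00:00:00 "most offending MAC". If your WLC ever logs dash- or dot-separated MACs, the character class and separator in MAC_RE need widening.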
In this case, use pipelines. You can convert to lower case.
So: pipeline, use grok or regex, and make it lower case.
Or you can use an extractor for the MAC and a pipeline to convert it.
After that you can do the lookup from the pipeline.
Ok, here is my pipeline rule. Basically, I extract the value for WLC_APBaseMac. This is the MAC address that needs to be lower case. The BaseMac is then used in a series of lookups to populate all the other named fields. I'm trying to figure out where to use the lowercase function. I tried using it on the
line set_field("WLC_APBaseMac", apbasemac);, but it would not allow me to use the function on a variable. Where do I need to use the function?
rule "Extract_AP_BaseMAC"
when
  // group the alternation so the (?<=#) lookbehind applies to every message ID, not only the first one
  regex("(?<=#)(CAPWAP-3-ECHO_ERR|CAPWAP-3-DTLS_CONN_ERR|WPS-4-SIG_ALARM_OFF|LWAPP-4-SIG_INFO1)", to_string($message.message)).matches == true
then
  let message_field = to_string($message.message);
  // grok() returns a map of named captures, not a string, so it cannot be passed to lowercase() directly
  let captures = grok(pattern: "%{FirstCommonMac:WLC_APBaseMac}", value: message_field, only_named_captures: true);
  // pull the single capture out of the map as a string, then lower-case it
  let apbasemac = lowercase(to_string(captures["WLC_APBaseMac"]));
  set_field("WLC_APBaseMac", apbasemac);
  // key the lookups on the local variable rather than re-reading $message.WLC_APBaseMac
  let APName = lookup_value("APNameLookupbyBaseMac", apbasemac);
  let APip = lookup_value("APIPLookupbyBaseMac", apbasemac);
  let APswitch = lookup_value("APSwitchLookupbyBaseMac", apbasemac);
  let APswitchport = lookup_value("APSwitchPortLookupbyBaseMac", apbasemac);
  set_field("WLC_APName", APName);
  set_field("WLC_APIP", APip);
  set_field("WLC_APSwitch", APswitch);
  set_field("WLC_APSwitchPort", APswitchport);
end