jan
(Jan Doberstein)
August 21, 2019, 8:16am
I would like to point out that it is not nice to post the same question twice:
Hi,
we have FW attack messages in the following forms; the difference is the number of attack sessions per message.
Example of a message with 1 session:
2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType=”Trace route attack”, slot=”5”, cpu=”2”, receive interface=”GE8/0/0 ”, proto=”ICMP”, ip=”sIP1:sPort1->dIP1:dPort1” , begin time=2019/06/03 12:30:15 DST, end time=2019/06/03 12:30:43 DST, total packets=”9”, max speed=”0”, Action=”discard”.
Example of a message with 3 sessions:
2…
It does not look like anyone can help you with this currently.
I personally would first use key_value on it, like:
let fields = key_value(value: to_string($message.message), trim_value_chars: "\"", trim_key_chars: "\"", delimiters: ", ", kv_delimiters: "=");
set_fields(fields);
After that you need to decide whether all sIP values should go into IP_From as an array, or whether you want numbered fields for them, and work out some kind of grouped regex that does what you want.
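As an added example that is not from this thread: a Python sketch of the two stages described above (a key-value split, then extracting the session pairs into either an array or numbered fields), run on a constructed copy of the one-session message with placeholder addresses. The two-session layout it assumes (one ip="..." pair per session, with the count in FIREWALLATCK(n)) is an assumption, since the quoted example is cut off.

```python
import re
# Constructed samples (not from the thread) with RFC 5737 placeholder addresses. The two-session
# form assumes one ip="..." pair per session, which the truncated quote above does not confirm.
ONE_SESSION = ('2019/06/03 12:30:43 FirewallName %%01ATK/4/FIREWALLATCK(1):AttackType="Trace route attack", '
               'slot="5", cpu="2", receive interface="GE8/0/0 ", proto="ICMP", '
               'ip="192.0.2.10:1234->198.51.100.5:33434" , begin time=2019/06/03 12:30:15 DST, '
               'end time=2019/06/03 12:30:43 DST, total packets="9", max speed="0", Action="discard".')
TWO_SESSIONS = ONE_SESSION.replace('FIREWALLATCK(1)', 'FIREWALLATCK(2)').replace(
    'ip="192.0.2.10:1234->198.51.100.5:33434" ,',
    'ip="192.0.2.10:1234->198.51.100.5:33434", ip="192.0.2.11:1235->198.51.100.5:33435",')

HEADER_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<host>\S+) %%\S+?\((?P<sessions>\d+)\):(?P<body>.*)$')
SESSION_RE = re.compile(r'^(?P<sip>[^:]+):(?P<sport>\d+)->(?P<dip>[^:]+):(?P<dport>\d+)$')

def key_value(body):
    """Stage 1: split 'k="v", k2=v2 , ...' on commas and '=' with quotes trimmed;
    a repeated key (ip= once per session) is collected into a list, not overwritten."""
    fields = {}
    for pair in re.split(r'\s*,\s*', body.strip().rstrip('.')):
        key, _, val = pair.partition('=')
        key, val = key.strip(), val.strip().strip('"').strip()
        if key not in fields:
            fields[key] = val
        elif isinstance(fields[key], list):
            fields[key].append(val)
        else:
            fields[key] = [fields[key], val]
    return fields

def parse_attack_message(msg, numbered=False):
    """Stage 2: pull the session pairs out of ip= and expose them either as arrays
    (IP_From, Port_From, IP_To, Port_To) or, with numbered=True, as IP_From_1, ..."""
    m = HEADER_RE.match(msg)
    if not m:
        return None
    fields = key_value(m.group('body'))
    raw = fields.pop('ip', [])
    sessions = [SESSION_RE.match(s).groupdict()
                for s in (raw if isinstance(raw, list) else [raw]) if SESSION_RE.match(s)]
    out = {'timestamp': m.group('ts'), 'source': m.group('host'),
           'session_count': int(m.group('sessions')), **fields}
    # A declared count that disagrees with the parsed pairs means the layout assumption is wrong.
    out['session_mismatch'] = len(sessions) != out['session_count']
    for key, name in {'sip': 'IP_From', 'sport': 'Port_From', 'dip': 'IP_To', 'dport': 'Port_To'}.items():
        if numbered:
            for i, s in enumerate(sessions, 1):
                out[f'{name}_{i}'] = s[key]
        else:
            out[name] = [s[key] for s in sessions]
    return out
```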