I’m trying to extract some data from a particular field using Pipelines and while I think I understand it theoretically, I can’t seem to wrap my head around making it happen.
We have a Palo Alto firewall with a VPN. We get logs showing tons of attempted logins from non-allowed users, but all of the data for those fields is locked into one field called vendor_event_description. Here’s an example:
failed authentication for user ‘fakeuser’. Reason: User is not in allowlist. auth profile ‘RSA_Radius_GP’, vsys ‘vsys1’, auth protocol ‘unknown RADIUS authentication protocol’, From: 186.x.x.x.
What I want is to extract the user and the IP address so that we can analyze them and see if we can do anything to limit connection activity. Can anyone explain to me how I can do that? I understand pipelines in concept but I don’t know how I get from “verify the field called vendor_event_description exists” to “extract two fields from the block of text.”
Thanks!
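One way to do this as a Graylog pipeline rule, added here as an example rather than taken from the original post: the `when` clause does the "field exists" check and the `then` clause pulls the two values out with a regex and writes them to new fields. It assumes the field carries straight single quotes as PAN-OS emits them (the forum rendering above shows curly ones) and a real address after `From:` rather than the masked `186.x.x.x`; the output field names `vpn_failed_user` and `vpn_source_ip` are my choice.

```graylog
rule "palo alto vpn: extract failed-auth user and source ip"
when
    // Step 1: only act on messages that carry the field and look like a failed login.
    has_field("vendor_event_description") &&
    contains(to_string($message.vendor_event_description, ""), "failed authentication for user")
then
    let desc = to_string($message.vendor_event_description);

    // Step 2: capture group 1 = text inside the quotes after "for user",
    //         capture group 2 = the address after the literal "From: ".
    // The address class covers IPv4 and IPv6; no backslashes so nothing needs escaping.
    let m = regex("failed authentication for user '([^']+)'.*From: ([0-9a-fA-F.:]+)", desc);

    // Step 3: regex() returns a map keyed "0", "1", ... for the capture groups.
    // Assumed field names; pick whatever fits your schema so you can aggregate on them later.
    set_field("vpn_failed_user", m["0"]);
    set_field("vpn_source_ip", m["1"]);
end
```

Attach the rule to a stage in a pipeline connected to the stream that receives the firewall logs; once the two fields exist you can build a dashboard or aggregation on `vpn_failed_user` and `vpn_source_ip` and use a count threshold per source to drive an alert.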