I need a solution
I am looking to feed my DLP events via syslog to my SIEM. Here is the regex being used to parse the syslog:
:(?<severity>\w+)>.*?\|BLOCKED=(?<process>.*?)\s.*?FILE_NAME=(?<object>.*?)\s.*?INCIDENT_ID=(?<session>\d+)\sINCIDENT_SNAPSHOT=((?<url>.*?)|(?<objectname>.*?))\sMATCH_COUNT=(?<quantity>.*?)\sRULES=(?<group>.*?)\sPROTOCOL=(?<protname>\w+)(.*?POLICY=(?<vmid>.*?)\s)?.*?RECIPIENTS=(?<recipient>.*?)\s.*?SENDER=(?<sender>.*?)\s.*?SUBJECT=(?<subject>.*?)\sTARGET=
I am looking to match my syslog format to the parsing format. Any help would be appreciated.
Thank you,
Matt
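As an added example (not part of the original post, and not vendor code), the Python script below builds constructed syslog lines in the field order the posted regex expects and runs that exact regex over them, so you can see which capture group each field lands in and which layouts the parser rejects. Every host name, timestamp, address, rule name and incident number in the samples is made up. Python's re module spells named groups as (?P<name>...), so the script rewrites (?< to (?P< before compiling; that is safe here only because the pattern contains no lookbehind assertions.

```python
import re
from typing import Optional

# The SIEM parsing regex exactly as posted in the question (PCRE-style named groups).
SIEM_PATTERN = (
    r":(?<severity>\w+)>.*?\|BLOCKED=(?<process>.*?)\s.*?FILE_NAME=(?<object>.*?)\s"
    r".*?INCIDENT_ID=(?<session>\d+)\sINCIDENT_SNAPSHOT=((?<url>.*?)|(?<objectname>.*?))"
    r"\sMATCH_COUNT=(?<quantity>.*?)\sRULES=(?<group>.*?)\sPROTOCOL=(?<protname>\w+)"
    r"(.*?POLICY=(?<vmid>.*?)\s)?.*?RECIPIENTS=(?<recipient>.*?)\s.*?SENDER=(?<sender>.*?)\s"
    r".*?SUBJECT=(?<subject>.*?)\sTARGET="
)

# Python writes named groups as (?P<name>...). The rewrite is safe because the
# pattern has no lookbehind ((?<= or (?<!), which the replace would corrupt.
PY_PATTERN = re.compile(SIEM_PATTERN.replace("(?<", "(?P<"))


def parse_dlp_event(line: str) -> Optional[dict]:
    """Run the SIEM regex over one syslog line.

    Returns a dict of the named captures (unmatched optional groups are None),
    or None when the line does not fit the layout the regex demands.
    """
    m = PY_PATTERN.search(line)
    return m.groupdict() if m else None


# Constructed sample events (not real DLP output). Field order follows the regex:
# severity, BLOCKED, FILE_NAME, INCIDENT_ID, INCIDENT_SNAPSHOT, MATCH_COUNT,
# RULES, PROTOCOL, optional POLICY, RECIPIENTS, SENDER, SUBJECT, TARGET.
SAMPLE_OK = (
    "<134>Jan 12 10:22:33 dlp01 dlp:HIGH>Incident|BLOCKED=Outlook.exe "
    "FILE_NAME=payroll.xlsx INCIDENT_ID=41289 "
    "INCIDENT_SNAPSHOT=https://dlp.example.test/incident/41289 "
    "MATCH_COUNT=3 RULES=PII_SSN PROTOCOL=SMTP POLICY=HR_Data "
    "RECIPIENTS=ext@example.test SENDER=alice@corp.example.test "
    "SUBJECT=Q1 SSN report TARGET=ext@example.test"
)

# Same layout, but no POLICY field and a comma-separated recipient list.
SAMPLE_MULTI = (
    "<134>Jan 12 10:25:01 dlp01 dlp:MEDIUM>Incident|BLOCKED=chrome.exe "
    "FILE_NAME=customers.csv INCIDENT_ID=41290 "
    "INCIDENT_SNAPSHOT=https://dlp.example.test/incident/41290 "
    "MATCH_COUNT=12 RULES=PCI_PAN PROTOCOL=HTTPS "
    "RECIPIENTS=bob@ext.example.test, carol@ext.example.test "
    "SENDER=dave@corp.example.test SUBJECT=upload TARGET=https://share.example.test/"
)

# Same as SAMPLE_OK but the trailing TARGET= field is missing.
SAMPLE_NO_TARGET = SAMPLE_OK.rsplit(" TARGET=", 1)[0]


if __name__ == "__main__":
    for name, line in (("ok", SAMPLE_OK), ("multi", SAMPLE_MULTI), ("no_target", SAMPLE_NO_TARGET)):
        print(f"--- {name} ---")
        fields = parse_dlp_event(line)
        if fields is None:
            print("no match: line does not fit the parser layout")
            continue
        for key, value in fields.items():
            print(f"{key:>11}: {value!r}")
```

Running it shows what the regex actually tolerates: every field after the first must appear in the order above and be followed by whitespace; RECIPIENTS is cut at the first space, so a list like "a@x, b@y" yields only "a@x," in the recipient field; SUBJECT may contain spaces because it runs until " TARGET="; POLICY is optional (vmid comes back None without it); the objectname group can never be populated, because the url branch of the alternation accepts the same strings first; and a line with no TARGET= field is rejected outright even though nothing is captured from it. Adjusting the syslog template so each field is emitted in this order, with single-token values where the regex stops at whitespace, is what makes the events land in the SIEM.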