Regular Expressions 101

LogRhythm - Parser - Forcepoint Email Gateway

Regular Expression
PCRE (PHP <7.3)

/
^\"(?<timestart>\d{4}\/\d{2}\/\d{2}\s\d{2}\:\d{2}\:\d{2})?([\"|\,]*)?(?<recipient>[\w|\.|\-|_|\d]*@(?<domainimpacted>[\w|\.|\-|_|\d]*))?([\"|\,]*)?(?<subject>[\w|\s|\#|\@|||\d|\!|\$|\%|\^|\,|\.|\(|\)|\[|\]|\{|\}|\:|\-|\&|\*|\'|\=|\+]*)?([\"|\,]*)?(?<action>\w*)?([\"|\,]*)?(?<sender>[\w|\.|\-|_|\d]*@(?<domainorigin>[\w|\.|\-|_|\d]*))?([\"|\,]*)?(?<account>[\w|\.|\-|_|\d|\,|\s]*)?([\"|\,]*)?(?<status>[\w|\.|\-|_|\d]*)?([\"|\,]*)?(?<object>[\w|\.|\-|_|\d]*)?([\"|\,]*)?(?<reason>[\w|\.|\-|_|\d]*)?([\"|\,]*)?(?<policy>[\w|\.|\-|_|\d]*)?([\"|\,]*)?(?<objecttype>[\w|\.|\-|_|\d|\s|\,]*)?([\"|\,]*)?(?<size>[\d]*)?([\"|\,]*)?(?<command>[\w|\.|\-|_|\d]*)?([\"|\,]*)?(?<objectname>[\w|\.|\-|_|\d]*)?([\"|\,]*)?(?<threatname>[\w|\.|\-|_|\d]*)?([\"|\,]*)?
/
gm

Description

This parser has been built based on a request I've seen in the LogRhythm Community (https://community.logrhythm.com/t5/MPE-Rules/Forcepoint-Websense-Parsing/m-p/395753#M1713). As we know, we have no option to change the tag names to match the field names used in the logging format, which is a limitation of the platform from an indexing perspective. So avoid changing the tag names that have been selected here.
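To see what the pattern above actually captures, here is an added example that is not part of the original submission. It runs the posted pattern against two constructed Forcepoint-style CSV lines (sample values, not real log data) with Python's re module, which needs (?P<name>) instead of PCRE's (?<name>) for named groups; that is the only change made to the pattern. Because every field group is optional and most character classes exclude whitespace, a space in a field such as reason or policy makes the groups silently shift onto the wrong columns, so the example also cross-checks each named group against a plain CSV split and reports the fields that disagree.

```python
import csv
import re
import warnings

# Top-level fields in the order the posted pattern emits them
# (domainimpacted and domainorigin are nested inside recipient/sender).
FIELD_ORDER = [
    "timestart", "recipient", "subject", "action", "sender", "account",
    "status", "object", "reason", "policy", "objecttype", "size",
    "command", "objectname", "threatname",
]

# The community pattern, copied verbatim and split per field for readability.
PCRE_PATTERN = (
    r"^\"(?<timestart>\d{4}\/\d{2}\/\d{2}\s\d{2}\:\d{2}\:\d{2})?([\"|\,]*)?"
    r"(?<recipient>[\w|\.|\-|_|\d]*@(?<domainimpacted>[\w|\.|\-|_|\d]*))?([\"|\,]*)?"
    r"(?<subject>[\w|\s|\#|\@|||\d|\!|\$|\%|\^|\,|\.|\(|\)|\[|\]|\{|\}|\:|\-|\&|\*|\'|\=|\+]*)?([\"|\,]*)?"
    r"(?<action>\w*)?([\"|\,]*)?"
    r"(?<sender>[\w|\.|\-|_|\d]*@(?<domainorigin>[\w|\.|\-|_|\d]*))?([\"|\,]*)?"
    r"(?<account>[\w|\.|\-|_|\d|\,|\s]*)?([\"|\,]*)?"
    r"(?<status>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
    r"(?<object>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
    r"(?<reason>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
    r"(?<policy>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
    r"(?<objecttype>[\w|\.|\-|_|\d|\s|\,]*)?([\"|\,]*)?"
    r"(?<size>[\d]*)?([\"|\,]*)?"
    r"(?<command>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
    r"(?<objectname>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
    r"(?<threatname>[\w|\.|\-|_|\d]*)?([\"|\,]*)?"
)

# Python's re only knows (?P<name>...) for named groups; PCRE accepts (?<name>...).
PY_PATTERN = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", PCRE_PATTERN)

with warnings.catch_warnings():
    # The literal '|||' run inside the subject class is flagged by Python as a
    # possible set-union operator; it is harmless here, so the warning is muted.
    warnings.simplefilter("ignore", FutureWarning)
    PARSER = re.compile(PY_PATTERN, re.MULTILINE)  # 'm' flag of the original

# Constructed sample lines (field values invented for this example).
LINE_OK = (
    '"2024/01/15 09:30:00","alice@example.com","Invoice #4471 (urgent)",'
    '"Quarantined","billing@example.org","Finance Team","Blocked","message",'
    '"Attachment","DefaultPolicy","Email Message","48213","Quarantine",'
    '"invoice.zip","Malware.Generic"'
)
# Same record, but the reason field contains a space.
LINE_SHIFTED = LINE_OK.replace('"Attachment"', '"Suspicious attachment"')


def parse_line(line):
    """Apply the pattern; unmatched optional groups are normalised to ''."""
    m = PARSER.match(line)
    if m is None:
        return None
    return {name: (val if val is not None else "") for name, val in m.groupdict().items()}


def csv_fields(line):
    """Reference split of the same record using a real CSV parser."""
    return next(csv.reader([line]))


def misaligned_fields(line):
    """Names of top-level fields whose regex value differs from the CSV column.

    An empty list means the pattern captured every column as intended; a
    non-empty list is the signal a log-source owner wants before trusting
    the parsed tags for indexing or alerting.
    """
    parsed = parse_line(line)
    cols = csv_fields(line)
    if parsed is None or len(cols) != len(FIELD_ORDER):
        return list(FIELD_ORDER)
    return [name for name, col in zip(FIELD_ORDER, cols) if parsed[name] != col]


if __name__ == "__main__":
    for label, line in (("well-formed", LINE_OK), ("space in reason", LINE_SHIFTED)):
        parsed = parse_line(line)
        print(f"{label}: reason={parsed['reason']!r} command={parsed['command']!r}")
        print("  misaligned:", misaligned_fields(line) or "none")
```

On the well-formed line every group lands on its column. On the second line the reason group stops at the space, the policy group matches empty, and the remaining values shift one or two columns to the right, so command ends up holding the policy name while size and threatname come back empty. Running this kind of cross-check over a sample of real events before enabling the rule is a cheap way to catch such drift.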

Submitted by anonymous - 4 years ago