Regular Expressions 101

Community Library Entry

Regular Expression
PCRE (PHP <7.3)

/.+HappyMK\s?(?<action>\S+)\s(?<chain>\w+):\sin:(?<int_in>\S+)\sout:(?<int_out>\S+), src-mac\s(?<src_mac>\S+),\sproto\s(?<prot>\w+)(\s(?<flags>\S+),|,)\s(?<src_ip>\b(?:\d{1,3}\.){3}\d{1,3}\b):(?<src_port>\d+)->(?<dest_ip>\b(?:\d{1,3}\.){3}\d{1,3}\b):(?<dest_port>\d+),(\s(?<NAT>\w+)\s\((?<src_nat_localip>\b(?:\d{1,3}\.){3}\d{1,3}\b):(?<src_nat_local_port>\d+)->(?<src_nat_public_ip>\b(?:\d{1,3}\.){3}\d{1,3}\b):(?<src_nat_public_port>\d+)\)->(?<dest_nat_ip>\b(?:\d{1,3}\.){3}\d{1,3}\b):(?<dest_nat_port>\d+),)?(\sprio\s(?<prio>\d+->\d+),)?\slen\s(?<len>\d+)/

Description

Regex used in Splunk to extract fields from Mikrotik firewall logs. NOTES:

  • Mikrotik must be configured to use the "BSD Syslog" format
  • FW rules must add the action as the log prefix:
    • drop
    • accept
    • reject
    • etc...
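The pattern run over constructed Mikrotik log lines, as an added example that is not part of this library entry: the page's PCRE regex is rewritten in Python's `(?P<name>...)` named-group syntax (Python's `re` does not accept `(?<name>...)`), and the sample lines, the placement of the `HappyMK` prefix and the helper names are assumptions. It also shows one line the regex cannot parse: input-chain events, where Mikrotik logs `out:(unknown 0)` and the space defeats `int_out`'s `\S+`.

```python
import re

# The page's PCRE pattern, rewritten with Python's (?P<name>...) group syntax.
IPV4 = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
MIKROTIK_FW_RE = re.compile(
    r".+HappyMK\s?(?P<action>\S+)\s(?P<chain>\w+):\sin:(?P<int_in>\S+)\sout:(?P<int_out>\S+),"
    r" src-mac\s(?P<src_mac>\S+),\sproto\s(?P<prot>\w+)(\s(?P<flags>\S+),|,)"
    rf"\s(?P<src_ip>{IPV4}):(?P<src_port>\d+)->(?P<dest_ip>{IPV4}):(?P<dest_port>\d+),"
    rf"(\s(?P<NAT>\w+)\s\((?P<src_nat_localip>{IPV4}):(?P<src_nat_local_port>\d+)->"
    rf"(?P<src_nat_public_ip>{IPV4}):(?P<src_nat_public_port>\d+)\)->"
    rf"(?P<dest_nat_ip>{IPV4}):(?P<dest_nat_port>\d+),)?"
    r"(\sprio\s(?P<prio>\d+->\d+),)?\slen\s(?P<len>\d+)"
)

# Constructed sample lines in the BSD-syslog shape the page's notes require
# (the "HappyMK" log prefix followed by the rule's action). Assumed, not captured.
SAMPLE_LINES = [
    "<134>Jan  1 12:00:00 gw HappyMK drop forward: in:ether1 out:ether2, "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51234->203.0.113.7:443, len 60",
    "<134>Jan  1 12:00:01 gw HappyMK accept srcnat: in:bridge out:ether1, "
    "src-mac 00:11:22:33:44:66, proto UDP, 192.168.88.11:5353->198.51.100.2:53, "
    "NAT (192.168.88.11:5353->203.0.113.5:5353)->198.51.100.2:53, len 72",
    "<134>Jan  1 12:00:02 gw HappyMK reject forward: in:ether2 out:ether1, "
    "src-mac 00:11:22:33:44:77, proto ICMP, 203.0.113.9:8->192.168.88.10:0, prio 0->0, len 84",
    # Input-chain lines carry "out:(unknown 0)"; the space defeats int_out's \S+, so no match.
    "<134>Jan  1 12:00:03 gw HappyMK drop input: in:ether1 out:(unknown 0), "
    "src-mac 00:11:22:33:44:88, proto TCP (SYN), 203.0.113.9:40000->203.0.113.7:22, len 60",
]

def parse_mikrotik_fw(line: str):
    """Return the regex's named fields for one line, or None when it does not match.
    Groups that did not participate (NAT, prio, flags) are omitted from the dict."""
    m = MIKROTIK_FW_RE.search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}

def dropped_sources(lines):
    """Source IPs whose packets were dropped, plus a count of lines the regex did not
    parse, so a format mismatch shows up instead of silently shrinking the results."""
    sources, unparsed = set(), 0
    for line in lines:
        fields = parse_mikrotik_fw(line)
        if fields is None:
            unparsed += 1
        elif fields["action"] == "drop":
            sources.add(fields["src_ip"])
    return sources, unparsed
```

Watching the unparsed count is the practical check: if it climbs after a RouterOS upgrade or a rule change, the extraction is no longer seeing the whole log stream.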
Submitted by HappyIdeasMaker - 10 years ago