We have Silverfort for backend MFA protection and I recently built the regex parsers for ingesting those events into InsightIDR. Was curious if anyone wanted me to share the parsing regex?
I also have quite a few others I can share like Canon ImageRunner Syslog and far more verbose parsing for the Citrix Netscalers (parses all of the events we use not just the SSLVPN logs) and Cisco Umbrella (Will actually capture the user and dns category) than the default parser provides.
I write all of my parsers in regex as I find they are more flexible and accurate than the highlight method.
Sharing is caring, I for one would love to see some of your regex, feel free to share!!!
Would love to see your Netscaler regex’s, I have created my own but go the hybrid route where I highlight then go back and update the regex to make it more accurate.
I have the following regex’s if anyone is interested:
- DHCP - added ‘source’ to the data as Rapid7 doesn’t parse this field. Not always there, but can be useful if it is
- DNS - regex to parse unparsed logs
- Checkpoint - Rapid7 does not parse the following fields: Policy name, rule name, rule number
I have more, but they are for less common apps.
There should be a channel or thread dedicated to best practices for log ingest configurations and parsing. People shouldn’t have to recreate the wheel if someone else already figured it out.