Noobie here looking for some guidance.
I’ve read through the custom parsing tool document a few times and I get it but I’m still having some trouble with what I’m trying to extract from my Sonicwall firewall logs.
Example of normal log you’d use with custom parse tool (as seen on Using the Parsing Tool in InsightIDR - YouTube):
2019-10-01 13:50:47 10.0.0.241 GET /SMS_MP/.sms_aut MPLIST 80 - 10.0.0.241 SMS_MP_CONTROL_MANAGER - 200 0 0 410 4
I get that from this, I’d just be highlighting the fields I want and then naming them, then the rule would be able to extract them.
Unparsed source_data from my firewall log:
<129> id=firewall sn=ABCDEF123456 time="2021-09-28 17:41:32 UTC" fw=126.96.36.199 pri=1 c=32 gcat=3 m=609 src=188.8.131.52:5078:X2 dst=172.31.255.251:5060:X7 msg="IPS Prevention Alert: SCAN SIPVicious Activity 1, SID: 5616, Priority: Medium" msg="IPS Prevention Alert: SCAN SIPVicious Activity 1" sid=5616 ipscat="SCAN SIPVicious Activity 1" ipspri=2 n=1302 pktdatId=7013041180384428203 fw_action="drop"
At first I thought I’d extract id, sn, time, fw, gcat, fw_action, etc., but then I realized that’s not correct since I would want to be selecting the actual values of those fields, not the fields themselves (or both). So would I be selecting only the field values in this case? For example, for id=firewall I would just select firewall? Otherwise it’s like I’d need to pre-parse them before parsing them.
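To make concrete which characters are the "values" in a key=value line like the SonicWall one above, here is an added Python example (not part of the original post and not InsightIDR or SonicWall code) that parses that exact line: the text before each `=` is the field name, the text after it is the value, quoted values may contain spaces, `src`/`dst` carry ip:port:interface, and the repeated `msg=` key is kept as a list rather than silently overwritten. The sample line is the one from the post, re-typed as a constant.

```python
import re

# Constructed sample: the SonicWall line quoted in the post above.
SAMPLE = (
    '<129> id=firewall sn=ABCDEF123456 time="2021-09-28 17:41:32 UTC" '
    'fw=126.96.36.199 pri=1 c=32 gcat=3 m=609 src=188.8.131.52:5078:X2 '
    'dst=172.31.255.251:5060:X7 '
    'msg="IPS Prevention Alert: SCAN SIPVicious Activity 1, SID: 5616, Priority: Medium" '
    'msg="IPS Prevention Alert: SCAN SIPVicious Activity 1" sid=5616 '
    'ipscat="SCAN SIPVicious Activity 1" ipspri=2 n=1302 '
    'pktdatId=7013041180384428203 fw_action="drop"'
)

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, commas and colons) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Leading syslog priority header, e.g. <129>.
PRI_RE = re.compile(r'^<(\d+)>\s*')
# Keys whose value has the form ip:port:interface.
ENDPOINT_KEYS = ("src", "dst")

def split_endpoint(value):
    """Split 'ip:port:iface' into parts; anything else is returned unchanged."""
    parts = value.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return value
    return {"ip": parts[0], "port": int(parts[1]), "iface": parts[2]}

def parse_sonicwall(line):
    """Return a dict of field name -> value; a repeated key becomes a list."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        fields["syslog_pri"] = int(m.group(1))
        line = line[m.end():]
    for m in KV_RE.finditer(line):
        key = m.group(1)
        # group(2) is the quoted form (may legitimately be ''), group(3) the bare form
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key in ENDPOINT_KEYS:
            value = split_endpoint(value)
        if key in fields:  # e.g. msg= appears twice in this log line
            existing = fields[key]
            fields[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            fields[key] = value
    return fields
```

Calling `parse_sonicwall(SAMPLE)` gives, for example, `id` -> `firewall` and `fw_action` -> `drop`, which is exactly the right-hand side you would highlight in the parsing tool; the field name comes from the left-hand side.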