Regex for Parsing Syslog in NetMon
The following regular expressions can be used in the LogRhythm SIEM's MPE Rule Builder to parse NetMon's syslog output; the angle-bracket tokens such as `<sip>`, `<dip>` and `<bytesin>` are MPE sub-rule placeholders rather than regex syntax. Two caveats before deploying them: the patterns chain many optional groups built from lazy `.*?` quantifiers over fields (subject, sender, url, object, command) that NetMon extracts from observed network traffic, so the input is attacker-influenced and long or malformed lines can cause heavy backtracking — test each rule against oversized and adversarial samples before relying on it in production. Also, the sender/recipient sub-patterns use uppercase-only character classes and a `[A-Z]{2,4}` top-level-domain limit, so they depend on case-insensitive matching and will silently fail to capture addresses on longer TLDs, and the "Normal End of Flow" rule special-cases a single literal sender address; review both against the traffic you actually expect to see.
^(?>[^<]+)<(?>[^:]+):(?<severity>[^>]+)>.*?LogRhythmDpi: EVT:003 (?<session>\S+):\S+\s+<sip>,<dip>,<sport>,<dport>,<smac>,<dmac>,<protnum>,((?<vmid>\d+)|(?<process>.*?)),<bytesin>/\d+,<bytesout>/\d+,<packetsin>/\d+,\d+,\d+,(?<seconds>\d+)/\d+(.*?,login=(?<login>.*?)(,|$))?(.*?(?<=,)domain=(?<domain>.*?)(,|$))?(.*?dname=(?<group>.*?)(,|$))?(.*?command=(?<command>.*?)(,|$))?(.*?sender=.*?(?<sender>\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b))?(.*?recipient=.*?(?<recipient>\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b))?(.*?subject=(?<subject>.*?)(,|$))?(.*?version=(?<version>.*?)(,|$))?(.*?object=(/+|(?<object>.*?)(?=,url=)|(?<object>.*?))(,|$))?(.*?objectname=(?<objectname>.*?)(,|$))?(.*?url=(/+|(?<url>.*?))$)? |
Normal End of Flow
^(?>[^<]+)<(?>[^:]+):(?<severity>[^>]+)>.*?LogRhythmDpi: EVT:001 (?<session>\S+):\S+ <sip>,<dip>,<sport>,<dport>,<smac>,<dmac>,<protnum>,((?<vmid>\d+)|(?<process>[^,]*)),(<bytesin>(/\d+)?)?,(<bytesout>(/\d+)?)?,(<packetsin>(/\d+)?)?,[^,]*,[^,]*,((?<seconds>\d+)(/\d+)?)?(.*?(?<=,)login=(?<login>[^$,]*)(,|$))?(.*?(?<=,)domain=(?<domain>.*?)(,|$))?(.*?dname=(?<group>[^$,]*)(,|$))?(.*?command=(?<command>[^$,]*)(,|$))?(.*?sender=((?<sender>support@logrhythm.com),|.*?<(?<sender>.*?)>,|(?<sender>.*?),))?(.*?recipient=(.*?<(?<recipient>.*?)>,|(?<recipient>.*?),|"<recipient>"))?(.*?subject=(?<subject>.*?)(,|$))?(.*?(?<=,)version=(?<version>.*?)(,|$))?(.*?object=(/+|(?<object>.*?)(?=,url=)|(?<object>[^$,]*))(,|$))?(.*?objectname=(?<objectname>[^$,]*)(,|$))?(.*?url=(/+|(?<url>[^$,]*))(,|$))? |
Query Rule Alarm
(?=^.*?EVT:005)^.*?<.*?:(?<severity>\w+)>.*?LogRhythmDpi: EVT:005 (?<objectname>.*?),(?<session>\S+):\S+ <sip>,<dip>,<sport>,<dport>,<smac>,<dmac>,<protnum>,((?<vmid>\d+)|(?<process>.*?)),<bytesin>/\d+,<bytesout>/\d+,<packetsin>/\d+,\d+,\d+,(?<seconds>\d+)/\d+(,|$)? |
Deep Packet Analytics Rule Alarm
(?=^.*?EVT:010)^.*?:(?<severity>\w+)>.*?LogRhythmDpi: EVT:010 \S+:\d+ <sip>,<dip>,<sport>,<dport>,<smac>,<dmac>,<protnum>,\d+,<bytesin>(/\d+)?,<bytesout>(/\d+)?,<packetsin>(/\d+)?,.*?,.*?,((?<seconds>\d+)(/\d+)?)?(.*?login=(?<login>.*?)(,|$))?(.*?(?<=,)domain=(?<domain>.*?)(,|$))?(.*?dname=(?<group>.*?)(,|$))?(.*?command=(?<command>.*?)(,|$))?(.*?sender=.*?(?<sender>\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b))?(.*?recipient=.*?(?<recipient>\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b))?(.*?subject=(?<subject>.*?)(,|$))?(.*?(?<=,)version=(?<version>.*?)(,|$))?(.*?object=(/+|(?<object>.*?)(?=,url=)|(?<object>.*?))(,|$))?(.*?objectname=(?<objectname>.*?)(,|$))?(.*?url=(/+|(?<url>.*?))(,|$))?(.*?DeepScript:rulename=(?<vmid>.*?),ruleid=\d+,alarmid=(?<session>.*?)(,|$))?
|
NetMon Diagnostics
code=(?<vmid>\S*) severity=(?<severity>\S*) servicename=(?<process>\S*) event=(?<tag1>(?<command>\S*))( user=(?<login>\S*))?(\s|$)(ip=<sip>(\s|$))?(message=(?<subject>(session (?<session>.*?))\w+)$)?(message=(?<subject>.*?)$)? |