Splunk Search

How do I regex and include in field value?

capilarity
Path Finder

I'm monitoring DHCP logs and I'm trying to separate out known device types with the aim of looking for unknown devices.
The logs look like this:
11,11/14/13,00:00:51,Renew,10.31.33.80,SEP001D4595B090.domain.network.net,001D4595B090,,1745420288,0,,,
11,11/14/13,00:00:26,Renew,10.158.17.26,SEP00070E57638D.domain.network.net,00070E57638D,,2453602304,0,,,
11,11/14/13,00:00:09,Renew,10.138.0.165,SEP00070E576801.domain.network.net,00070E576801,,777519104,0,,,
11,11/14/13,00:00:08,Renew,10.31.81.20,SEP00070E166D6A.domain.network.net,00070E166D6A,,3095134208,0,,,
11,11/13/13,23:59:30,Renew,10.60.20.165,PCName11236547.domain.network.net,001F29D30E99,,27259500,0,,,
11,11/13/13,23:55:39,Renew,10.50.8.68,Laptop1254657.domain.network.net,001E0B8DE6DC,,6225026,0,,,

I can regex out the device name using the interactive field extractor on the hostname field

(?i)^(?:[^,]*,){5}(?P[^.]+)

but that lists all the host names:
SEP001D4595B090
SEP00070E57638D
SEP00070E576801
SEP00070E166D6A
PCName11236547
Laptop1254657

What I want to do is to be able to separate them out to device type so

SEP001D4595B090, SEP00070E57638D, SEP00070E576801 and SEP00070E166D6A can be marked as phones

PCName11236547 can be marked as a PC

Laptop1254657 can be marked as a laptop

anything that does not match can be more easily identified and the groups can be processed differently.

I have tried adding references such as "SEP" into the regex expression, but it gets used as an anchor and excluded from the results,

e.g. (?i)^(?:[^,]*,){5}SEP(?P[^.]+)

This identifies all the phones, but they get listed without SEP in the field value:
001D4595B090
00070E57638D
00070E576801
00070E166D6A

How do I include the regex search parameters in the result?

1 Solution

jtrucks
Splunk Employee

Tweak your phone identifier like this:

 (?i)^(?:[^,]*,){5}(?P<phonedevice>SEP[^.]+)

This pulls out those same field contents, but the entire contents of the field are now the value in the field. Do more of these for each device type like this:

(?i)^(?:[^,]*,){5}(?P<pcdevice>PC[^.]+)
(?i)^(?:[^,]*,){5}(?P<laptopdevice>Laptop[^.]+)

Another approach is to use a single named field for devicename (or some other field name) and then use eventtypes or tags to designate the various sub-device types. This would look like:

 (?i)^(?:[^,]*,){5}(?P<devicename>[^.]+)

Then define an eventtype for each one like:

eventtype name: phonedevice
definition: devicename=SEP*

Repeat that for each type of sub-device, or do the similar thing with tags if you prefer that route.

--
Jesse Trucks
Minister of Magic
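The question's regex and the accepted answer's regex side by side, run over the question's own log lines in Python's re module (whose (?P<name>...) groups and (?i) flag have the same meaning as in the Splunk field extractor). This is an added example, not code from the thread or from Splunk: the fourth log line, the EVENTTYPES table standing in for the answer's eventtype definitions, and the classify/unknown_devices helpers are constructed here to show the unknown-device case the question is aiming at.

```python
import re

# Log lines in the layout from the question (field 6 = hostname, field 7 = MAC).
# The first three are the question's own lines; the fourth is a constructed
# example of a host that matches none of the known naming schemes.
SAMPLE_LINES = [
    "11,11/14/13,00:00:51,Renew,10.31.33.80,SEP001D4595B090.domain.network.net,001D4595B090,,1745420288,0,,,",
    "11,11/13/13,23:59:30,Renew,10.60.20.165,PCName11236547.domain.network.net,001F29D30E99,,27259500,0,,,",
    "11,11/13/13,23:55:39,Renew,10.50.8.68,Laptop1254657.domain.network.net,001E0B8DE6DC,,6225026,0,,,",
    "11,11/13/13,23:50:12,Renew,10.50.8.99,android-3f9c2a.domain.network.net,0A1B2C3D4E5F,,6225027,0,,,",
]

# The question's attempt: the literal SEP sits outside the group, so it anchors
# the match but is not part of the captured value.
PREFIX_OUTSIDE = re.compile(r"(?i)^(?:[^,]*,){5}SEP(?P<phonedevice>[^.]+)")

# The accepted answer: the literal is inside the group and stays in the value.
PREFIX_INSIDE = re.compile(r"(?i)^(?:[^,]*,){5}(?P<phonedevice>SEP[^.]+)")

# The answer's second approach: one generic devicename extraction ...
DEVICENAME = re.compile(r"(?i)^(?:[^,]*,){5}(?P<devicename>[^.]+)")

# ... plus per-type rules standing in for the eventtypes
# (devicename=SEP*, devicename=PC*, devicename=Laptop*). Constructed here.
EVENTTYPES = [
    ("phonedevice", re.compile(r"^SEP", re.I)),
    ("pcdevice", re.compile(r"^PC", re.I)),
    ("laptopdevice", re.compile(r"^Laptop", re.I)),
]


def extract(pattern, line):
    """Return the single named group's value, or None when the line doesn't match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def classify(line):
    """Map a log line to (devicename, eventtype); 'unknown' when no rule matches."""
    name = extract(DEVICENAME, line)
    if name is None:
        return None, "unparsed"
    for eventtype, rule in EVENTTYPES:
        if rule.search(name):
            return name, eventtype
    return name, "unknown"


def unknown_devices(lines):
    """Hostnames that matched no known device type: the ones worth a closer look."""
    return [name for name, eventtype in map(classify, lines) if eventtype == "unknown"]


if __name__ == "__main__":
    first = SAMPLE_LINES[0]
    print("prefix outside group:", extract(PREFIX_OUTSIDE, first))  # 001D4595B090
    print("prefix inside group: ", extract(PREFIX_INSIDE, first))   # SEP001D4595B090
    for line in SAMPLE_LINES:
        print(classify(line))
    print("unknown:", unknown_devices(SAMPLE_LINES))  # ['android-3f9c2a']
```

Two things worth checking before relying on this in production: `[^.]+` assumes every hostname carries a domain suffix, so a bare hostname with no dot would make the capture run through the following commas to the end of the line (`[^.,]+` avoids that); and the hostname in a DHCP lease is supplied by the client, so a name-based type is a convention, not proof of what the device is. The MAC in the next column is an independent signal for the "unknown" bucket.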

capilarity
Path Finder

Works a treat!! Thanks
