Sonicwall parser


marcin.wrazidlo
New Member (16 reputation)
Group: Forum Members
Posts: 12, Visits: 58
I'm trying to set up a parser for the Sonicwall firewall.
I am stuck at the moment on the message.
I have two similar messages:
msg="Connection Closed" app=7927 n=12234655
msg="Connection Opened" app=49177 appName="General HTTPS" n=5319205
As you can see, only one of them has "appName". I worry that if this is missing in a line, the parser will give me an error. Or not?
At the moment the whole message is in one column, but I want to split it into different columns.
LogViewPlus Support
Forum Expert (925 reputation)
Group: Moderators
Posts: 656, Visits: 2K
Hi Marcin,

You are correct - the LogViewPlus PatternParser cannot parse 'optional' fields.  Often, the best thing to do in these situations is to parse the message into one column.

However, if you only have a small number of optional fields, it may be worth considering a Multi-Pattern.  Multi-patterns allow for multiple parsing patterns to be configured.  If the first one fails, the second one is used.  This might work in your scenario, but it starts to break down if fields can be provided out of order or if there are a lot of fields.

You might also want to consider writing a custom parser.

I think what is really needed here is some kind of key-value-pair parser.  I can see where this would be helpful and will take a look for the next release.  I will post back here when I have something available.

Hope that helps,

Toby

Edited Last Year by LogViewPlus Support
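A key-value-pair parser of the kind Toby describes, as an added example that is not code from this thread or from LogViewPlus. The sample lines are constructed in the SonicWall key=value style (the first two match the ones Marcin posted), and the column list passed to to_row is an assumption; the point it shows is that a missing optional field such as appName becomes an empty cell rather than a parse error.

```python
import re

# Constructed sample lines in SonicWall-style key=value syslog format.
# The third line exercises escaped quotes and a quoted value with spaces.
SAMPLE_LINES = [
    'msg="Connection Closed" app=7927 n=12234655',
    'msg="Connection Opened" app=49177 appName="General HTTPS" n=5319205',
    'msg="Deny \\"test\\" rule" app=0 appName="Name with spaces" n=1',
]

# One key=value token: an identifier key, then either a double-quoted value
# (may contain spaces and backslash-escaped characters) or a bare run of
# non-whitespace characters such as 7927 or 10.0.0.1:443.
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)'
)


def parse_kv(line: str) -> dict:
    """Parse one line of key=value pairs into a dict.

    Fields may appear in any order and any of them may be absent, so the
    result simply contains the keys that were present. Quoted values are
    unquoted and backslash escapes inside them are resolved.
    """
    record = {}
    for m in _KV_RE.finditer(line):
        val = m.group("val")
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])
        record[m.group("key")] = val
    return record


def to_row(record: dict, columns: list) -> list:
    """Project a parsed record onto a fixed column list, filling gaps with ''.

    This is what makes optional fields harmless: a key that is not present
    in the line (e.g. appName) yields an empty cell instead of an error.
    """
    return [record.get(c, "") for c in columns]


def parse_lines(lines, columns):
    """Parse every line and return one row per line in the given column order."""
    return [to_row(parse_kv(line), columns) for line in lines]


if __name__ == "__main__":
    for row in parse_lines(SAMPLE_LINES, ["msg", "app", "appName", "n"]):
        print(row)
```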
marcin.wrazidlo
New Member (16 reputation)
Group: Forum Members
Posts: 12, Visits: 58
Hi Toby,
Thanks for your response and info.
I will look into this multi parser.

Regarding key-value, I think this will be useful in some cases, so I'm waiting to hear about a new version of your app.

Marcin