LogViewPlus Support

Sonicwall parser

https://www.logviewplus.com/forum/Topic491.aspx

By marcin.wrazidlo - 8 Apr 2020

I'm trying to set up a parser for the Sonicwall firewall.
At the moment I am stuck on the message.
I have two similar messages:
msg="Connection Closed" app=7927 n=12234655
msg="Connection Opened" app=49177 appName="General HTTPS" n=5319205
As you can see, one has "appName". I worry that if this is missing from a line, the parser will give me an error. Or not?
At the moment the whole message is in one column, but I want to split it into different columns.

By LogViewPlus Support - 8 Apr 2020

Hi Marcin,

You are correct - the LogViewPlus PatternParser cannot parse 'optional' fields.  Often, the best thing to do in these situations is to parse the message into one column.

However, if you only have a small number of optional fields, it may be worth considering a Multi-Pattern.  Multi-patterns allow for multiple parsing patterns to be configured.  If the first one fails, the second one is used.  This might work in your scenario, but it starts to break down if fields can be provided out of order or if there are a lot of fields.

You might also want to consider writing a custom parser.

I think what is really needed here is some kind of key-value-pair parser.  I can see where this would be helpful and will take a look for the next release.  I will post back here when I have something available.

Hope that helps,

Toby
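
The key-value-pair approach mentioned in the reply above, as an added Python example (not LogViewPlus code and not its custom-parser API): it splits the two lines from the question into fixed columns whether or not appName is present and whatever order the fields arrive in. The names PAIR, COLUMNS, parse_pairs and to_row are hypothetical, the third sample line is constructed, and backslash escaping inside quotes is an assumption.

```python
import re

# key=value or key="quoted value".
# Assumption: inside quotes a backslash escapes the next character.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Columns to show; taken from the two sample lines in the question.
COLUMNS = ["msg", "app", "appName", "n"]


def parse_pairs(line):
    """Return (fields, leftover): parsed pairs and any text that matched no pair."""
    fields = {}
    leftover = []
    pos = 0
    for m in PAIR.finditer(line):
        gap = line[pos:m.start()].strip()
        if gap:
            leftover.append(gap)
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
        # Keep the first occurrence so a repeated key cannot overwrite an earlier value.
        fields.setdefault(key, value)
        pos = m.end()
    tail = line[pos:].strip()
    if tail:
        leftover.append(tail)
    return fields, " ".join(leftover)


def to_row(line, columns=COLUMNS):
    """Project one line onto fixed columns; absent keys become empty cells."""
    fields, _ = parse_pairs(line)
    return [fields.get(c, "") for c in columns]


# Constructed sample input: the two lines from the question plus a reordered variant.
SAMPLE = [
    'msg="Connection Closed" app=7927 n=12234655',
    'msg="Connection Opened" app=49177 appName="General HTTPS" n=5319205',
    'n=5319205 appName="General HTTPS" app=49177 msg="Connection Opened"',
]

if __name__ == "__main__":
    print("\t".join(COLUMNS))
    for line in SAMPLE:
        print("\t".join(to_row(line)))
```

The leftover string returned by parse_pairs is worth logging or surfacing in its own column, so that lines with text outside any key=value pair are noticed rather than silently trimmed.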

By marcin.wrazidlo - 8 Apr 2020

Hi Toby
Thanks for your response and info.
I will look into this multi parser.

Regarding key-value, I think this will be useful in some cases, so I am waiting to hear about a new version of your app.

Marcin