Regular expressions for popular event sources

This section provides regular expressions that are to be used for parsing events issued by popular event sources.

Certain event sources of different versions can generate events of different format, so it may be that the regular expressions provided in this section are not actual. In this case, you should correct the provided regular expressions.

FireEye

The events from FireEye products require the following regular expressions:

Events in CEF format

Field

Regular expression

URL1

filePath=([^\s]*?)\s

URL2

cs5=([^\s]*?)\s

MD5

fileHash=([^\s]*?)\s

SrcIp

src=([^\s]*?)\s

DstIp

dst=([^\s]*?)\s
Events in CSV format

Field

Regular expression

URL1

cnchost=([^,]*?),

URL2

objurl=([^,]*?),

MD5

fileHash=([^,]*?),

SrcIp

src=([^,]*?),

DstIp

dst=([^,]*?),

Blue Coat® SG

The events from Blue Coat SG products require the following regular expressions:

SYSLOG events

Field

Regular expression

URL

OBSERVED\s"(?:.*?)"\s(.*?)\s

URL2

http\s(.*?)\s\d+\s(.*?)\s

Websense

The events from Websense products require the following regular expressions:

CEF events

Field

Regular expression

URL

request\=(.*?)(?:\s|$)

IP address

dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)
LEEF events

Field

Regular expression

URL

url\=(.*?)(?:\s|$)

IP address

dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)
key-value pairs

Field

Regular expression

URL

url\=(.*?)(?:\s|$)

IP address

dst_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

Squid

The events from Squid product require the following regular expressions:

Field	Regular expression
URL	`(?:GET\|POST)\s(.*?)(?:\s)`

McAfee Web Gateway

The events from McAfee® Web Gateway products require the following regular expressions:

Standard events

Field

Regular expression

URL

url\=(.*?)(?:\|)

IP address

server_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\|)
CEF events

Field

Regular expression

URL

request\=(.*?)(?:\s|$)

IP address

dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)
SYSLOG events

Field

Regular expression

URL

(?:GET|POST)\s(.*?)(?:\s)

Check Point URL Filtering

The events from Check Point URL Filtering products require the following regular expressions:

SYSLOG events

Field

Regular expression

IP address

(?:dst)\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Juniper Networks SRX

The events from Juniper Networks SRX products require the following regular expressions:

SYSLOG events

Field

Regular expression

IP address

(?:\sdestination-address)\="(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s

Check Point Firewall

The events from Check Point Firewall products require the following regular expressions:

SYSLOG events

Field

Regular expression

IP address

dst\:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Palo Alto Networks

The events from Palo Alto Networks products require the following regular expressions:

LEEF events

Field

Regular expression

IP address

dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)
SYSLOG events

Field

Regular expression

IP address

(?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
CEF events

Field

Regular expression

IP address

dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

Fortinet FortiGate

The events from Fortinet FortiGate products require the following regular expressions:

SYSLOG events

Field

Regular expression

IP address

(?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Cisco IPS

The events from Cisco IPS products require the following regular expressions:

Field	Regular expression
IP address	`(?:dst.?\|to.?\|Dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`

Snort

The events from Snort® product require the following regular expressions:

UNIFIED2 events

Field

Regular expression

IP address

(?:destination.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
CSV events

Field

Regular expression

IP address

(?:.*?,.*?,.*?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Alternatively, you can use the following regular expressions for parsing events of all types:

Field	Regular expression
IP address	`(?:destination.?\|.?,.?,.?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`

Cisco IronPort

The events from Cisco IronPort® products require the following regular expressions:

SYSLOG events

Field

Regular expression

URL

(?:GET|POST)\s(.*?)\s

IP address

(?:NONE|DIRECT|DEFAULT_PARENT)\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Page top

Field	Regular expression
URL1	`filePath=([^\s]*?)\s`
URL2	`cs5=([^\s]*?)\s`
MD5	`fileHash=([^\s]*?)\s`
SrcIp	`src=([^\s]*?)\s`
DstIp	`dst=([^\s]*?)\s`

Field	Regular expression
URL	`OBSERVED\s"(?:.?)"\s(.?)\s`
URL2	`http\s(.?)\s\d+\s(.?)\s`

Field	Regular expression
URL	`request\=(.*?)(?:\s\|$)`
IP address	`dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s\|$)`

Field	Regular expression
URL	`url\=(.*?)(?:\s\|$)`
IP address	`dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s\|$)`

Field	Regular expression
URL	`url\=(.*?)(?:\\|)`
IP address	`server_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\\|)`

Field	Regular expression
URL	`(?:GET\|POST)\s(.*?)\s`
IP address	`(?:NONE\|DIRECT\|DEFAULT_PARENT)\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`