Regular expressions for popular event sources
April 11, 2024
ID 171633
This section provides regular expressions for parsing events issued by popular event sources.
Different versions of the same event source can generate events in different formats, so the regular expressions given here may not match the events you actually receive. In that case, adjust them to your event format. Two properties of these patterns are worth checking against your own data: a pattern that ends in a required delimiter (a trailing \s or a comma) only captures a value that is followed by that delimiter, so it misses a field that ends the event unless the collector appends the delimiter; and \d{1,3} matches any one- to three-digit group, so a captured address should still be validated as an IP address before it is used.
FireEye
The events from FireEye products require the following regular expressions:
- Events in CEF format
Field | Regular expression |
URL1 | filePath=([^\s]*?)\s |
URL2 | cs5=([^\s]*?)\s |
MD5 | fileHash=([^\s]*?)\s |
SrcIp | src=([^\s]*?)\s |
DstIp | dst=([^\s]*?)\s |
- Events in CSV format
Field | Regular expression |
URL1 | cnchost=([^,]*?), |
URL2 | objurl=([^,]*?), |
MD5 | fileHash=([^,]*?), |
SrcIp | src=([^,]*?), |
DstIp | dst=([^,]*?), |
Blue Coat® SG
The events from Blue Coat SG products require the following regular expressions:
- SYSLOG events
Field | Regular expression |
URL | OBSERVED\s"(?:.*?)"\s(.*?)\s |
URL2 | http\s(.*?)\s\d+\s(.*?)\s |
Websense
The events from Websense products require the following regular expressions:
- CEF events
Field | Regular expression |
URL | request\=(.*?)(?:\s|$) |
IP address | dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$) |
- LEEF events
Field | Regular expression |
URL | url\=(.*?)(?:\s|$) |
IP address | dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$) |
- key-value pairs
Field | Regular expression |
URL | url\=(.*?)(?:\s|$) |
IP address | dst_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$) |
Squid
The events from the Squid product require the following regular expressions:
Field | Regular expression |
URL | |
McAfee Web Gateway
The events from McAfee® Web Gateway products require the following regular expressions:
- Standard events
Field | Regular expression |
URL | url\=(.*?)(?:\|) |
IP address | server_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\|) |
- CEF events
Field | Regular expression |
URL | request\=(.*?)(?:\s|$) |
IP address | dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$) |
- SYSLOG events
Field | Regular expression |
URL | (?:GET|POST)\s(.*?)(?:\s) |
Check Point URL Filtering
The events from Check Point URL Filtering products require the following regular expressions:
- SYSLOG events
Field | Regular expression |
IP address | (?:dst)\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
Juniper Networks SRX
The events from Juniper Networks SRX products require the following regular expressions:
- SYSLOG events
Field | Regular expression |
IP address | (?:\sdestination-address)\="(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s |
Check Point Firewall
The events from Check Point Firewall products require the following regular expressions:
- SYSLOG events
Field | Regular expression |
IP address | dst\:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
Palo Alto Networks
The events from Palo Alto Networks products require the following regular expressions:
- LEEF events
Field | Regular expression |
IP address | dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$) |
- SYSLOG events
Field | Regular expression |
IP address | (?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
- CEF events
Field | Regular expression |
IP address | dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$) |
Fortinet FortiGate
The events from Fortinet FortiGate products require the following regular expressions:
- SYSLOG events
Field | Regular expression |
IP address | (?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
Cisco IPS
The events from Cisco IPS products require the following regular expressions:
Field | Regular expression |
IP address | |
Snort
The events from the Snort® product require the following regular expressions:
- UNIFIED2 events
Field | Regular expression |
IP address | (?:destination.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
- CSV events
Field | Regular expression |
IP address | (?:.*?,.*?,.*?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
Alternatively, you can use the following regular expressions for parsing events of all types:
Field | Regular expression |
IP address | |
Cisco IronPort
The events from Cisco IronPort® products require the following regular expressions:
- SYSLOG events
Field | Regular expression |
URL | (?:GET|POST)\s(.*?)\s |
IP address | (?:NONE|DIRECT|DEFAULT_PARENT)\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) |
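As an added example (not part of the original page and not code from any of the vendors listed), the following Python script applies the FireEye CEF and CSV patterns, the Websense LEEF patterns, the Fortinet FortiGate SYSLOG pattern and the Cisco IronPort SYSLOG patterns from the tables above to constructed sample events. It also shows the two checks a practitioner should make before trusting the output: patterns that end in a required delimiter miss the last field of an event unless the delimiter is appended, and the lazy (?:dst.*?) pattern latches onto the first "dst" substring in the line, which may sit inside another value. The sample event lines, the terminator argument and the TIGHT_FORTIGATE_DST pattern are assumptions of this example, not from the page.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Four dotted {1,3}-digit groups, exactly as the IP-address rows above write it.
IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

# Patterns copied from the tables above, keyed by event source and format.
RULES = {
    "fireeye_cef": {
        "URL1": r"filePath=([^\s]*?)\s",
        "MD5": r"fileHash=([^\s]*?)\s",
        "SrcIp": r"src=([^\s]*?)\s",
        "DstIp": r"dst=([^\s]*?)\s",
    },
    "fireeye_csv": {
        "URL1": r"cnchost=([^,]*?),",
        "URL2": r"objurl=([^,]*?),",
        "MD5": r"fileHash=([^,]*?),",
        "SrcIp": r"src=([^,]*?),",
        "DstIp": r"dst=([^,]*?),",
    },
    "websense_leef": {
        "URL": r"url\=(.*?)(?:\s|$)",
        "IP address": r"dst\=" + IPV4 + r"(?:\s|$)",
    },
    "fortigate_syslog": {"IP address": r"(?:dst.*?)" + IPV4},
    "ironport_syslog": {
        "URL": r"(?:GET|POST)\s(.*?)\s",
        "IP address": r"(?:NONE|DIRECT|DEFAULT_PARENT)\/" + IPV4,
    },
}

# Assumed tighter alternative for FortiGate (not from the page): anchor on the
# full key name so a "dst" inside another value cannot be mistaken for the key.
TIGHT_FORTIGATE_DST = r"\bdstip=" + IPV4

# Constructed sample events; not captured from real devices.
FIREEYE_CEF = (
    "CEF:0|FireEye|MPS|7.0|MO|malware-object|7|"
    "src=10.0.0.5 dst=198.51.100.7 "
    "fileHash=d41d8cd98f00b204e9800998ecf8427e "
    "filePath=http://malicious.example/payload.exe"
)
FIREEYE_CSV = (
    "fireeye,cnchost=cnc.example.net,objurl=http://cnc.example.net/a.php,"
    "fileHash=9e107d9d372bb6826bd81d3542a419d6,src=10.0.0.5,dst=203.0.113.9"
)
WEBSENSE_LEEF = (
    "LEEF:1.0|Websense|Security|8.5|transaction|"
    "src=10.0.0.5\tdst=192.0.2.44\turl=http://example.org/login\tcat=Phishing"
)
# devname contains "dst", so the page's lazy dst.*? pattern captures srcip.
FORTIGATE_SYSLOG = (
    'date=2024-04-11 time=10:00:00 devname="dst-edge" type="utm" '
    'srcip=10.0.0.5 dstip=192.0.2.44 dstport=443 url="https://example.org/"'
)
IRONPORT_SYSLOG = (
    "1712829600.123 250 10.0.0.5 TCP_MISS/200 1234 GET "
    "http://example.org/index.html - DIRECT/192.0.2.44 text/html"
)


def extract(source, line, terminator=""):
    """Run every pattern of `source` over one event and return {field: value}.

    A field whose pattern does not match is reported as None. `terminator` is
    appended to the event first: pass the source's delimiter (" " for CEF,
    "," for CSV) so patterns that demand a trailing delimiter also match the
    last field of the event.
    """
    text = line + terminator
    result = {}
    for field, pattern in RULES[source].items():
        m = re.search(pattern, text)
        result[field] = m.group(1) if m else None
    return result


def fortigate_dst(line, pattern=RULES["fortigate_syslog"]["IP address"]):
    """Extract the FortiGate destination with the page's pattern (default) or
    with the assumed tighter one; returns None when nothing matches."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def ipv4_pattern_accepts(value):
    """True when the page's {1,3}-digit octet pattern matches the whole string."""
    return re.fullmatch(IPV4, value) is not None


def valid_ipv4(value):
    """Real validation: the octet pattern above also accepts 999.0.0.1."""
    try:
        IPv4Address(value)
        return True
    except (AddressValueError, TypeError):
        return False


if __name__ == "__main__":
    for source, line, term in [
        ("fireeye_cef", FIREEYE_CEF, " "),
        ("fireeye_csv", FIREEYE_CSV, ","),
        ("websense_leef", WEBSENSE_LEEF, ""),
        ("ironport_syslog", IRONPORT_SYSLOG, ""),
    ]:
        print(source, "as-is:", extract(source, line))
        print(source, "padded:", extract(source, line, term))
    print("fortigate page pattern:", fortigate_dst(FORTIGATE_SYSLOG))
    print("fortigate tight pattern:", fortigate_dst(FORTIGATE_SYSLOG, TIGHT_FORTIGATE_DST))
```

Run as-is, the FireEye CEF URL1 and the FireEye CSV DstIp come back as None because they are the last field of their events and nothing follows them; passing the delimiter as terminator recovers them. The FortiGate line returns the source address with the page's pattern and the destination with the anchored one, and valid_ipv4 rejects the 999.0.0.1 that the octet pattern accepts.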