Multiline regex – ArcSight User Discussions

Hi

I have a block of 3-4 events that need to be processed as one common event.

As advised, I used multiline.starts.regex and multiline.ends.regex

The problem is that each of the events that need to be combined and processed as one starts with a timestamp and because of this I can’t use multiline.starts.regex.

Using only multiline.ends.regex doesn’t help either.

The connector always treats each timestamp as a new message.

Example events:

Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640895] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640895] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640895] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640895] …

Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640896] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640896] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640896] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640896] …

Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640897] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640897] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640897] …
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640897] …

Configuration file:

multiline.starts.regex=\\w{3} \\d{2} \\d{2}:\\d{2}:\\d{2}[\\s\\S]*
multiline.ends.regex=->\\s.*
regex=(\\w{3} \\d{2} \\d{2}:\\d{2}:\\d{2})\\s(\\S+)\\s(\\S+\\[\\d+\\]):\\s(\\d.+):(\\d+)[\\s\\S]*?CN=([^,]+),\\sO=([^,]+),\\sOU=([^,]+),\\stitle=([^,]+),\\sL=([^,]+),\\sST=([^,]+),\\sstreet=([^,]+(?:,\\s[^,]+)?)(?:,\\sC=[^,]+)?[\\s\\S]*?Learn:\\s([^\\s]+)[\\s\\S]*

Maybe someone knows how to solve this problem?

Thanks in advance.

Bohdan
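An added illustration, not part of Bohdan's post and not ArcSight connector code: it runs the posted multiline.starts.regex (with the properties-file double backslashes collapsed) over the posted sample lines to show that every line qualifies as an event start, and then groups consecutive lines by the bracketed process id, which is the boundary the sample block actually exhibits. The sample text is constructed from the question's example with the truncated payloads kept as "...", and `group_by_pid` is a hypothetical grouping approach, not a connector property.

```python
import re

# Constructed sample, copied from the question's example block (payloads
# are truncated there, so the "..." stands in for the rest of each line).
SAMPLE = """Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640895] ...
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640895] ...
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640896] ...
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640896] ...
Jul 22 08:10:28 04-IBZ-VPNGTW-08 desktop-users-srv[2640897] ...
"""

# The question's multiline.starts.regex, single-backslash form.
STARTS = re.compile(r"\w{3} \d{2} \d{2}:\d{2}:\d{2}[\s\S]*")

# Syslog header of each line: timestamp, host, program, bracketed pid.
HEADER = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2})\s(\S+)\s(\S+)\[(\d+)\]")


def lines_matching_start(text):
    """Count the lines the starts regex accepts as the beginning of a new event.

    Every line carries a timestamp, so every line matches: this is why the
    connector splits the block into one event per line.
    """
    return sum(1 for ln in text.splitlines() if STARTS.match(ln))


def group_by_pid(text):
    """Group consecutive lines that share the bracketed process id.

    Hypothetical alternative to start/end anchoring: the block boundary is
    a change in the [pid] token rather than a pattern at the line start.
    Returns a list of (pid, [lines]) tuples in input order.
    """
    groups = []
    current_pid = None
    for ln in text.splitlines():
        m = HEADER.match(ln)
        if not m:
            # Header-less continuation line: attach it to the open group.
            if groups:
                groups[-1][1].append(ln)
            continue
        pid = m.group(4)
        if pid != current_pid:
            groups.append((pid, [ln]))
            current_pid = pid
        else:
            groups[-1][1].append(ln)
    return groups
```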