I am trying to parse firewall log lines, but the logs come in different formats.
So I am trying to use an optional field like this:
^.*\[.*(?:app_category:"%{ENCAPSULATED_WORD:app_category}")?.*\];$
ENCAPSULATED_WORD is:
ENCAPSULATED_WORD (\w{1,}| |\/)*
But no matter what changes I make, the app_category field is always set to null.
Here is the log line:
2018-12-14T13:12:25Z Firewall-Logs Firewall - [action:"Allow"; flags:"XXXXX"; ifdir:"ifdir1"; ifname:"ifname2"; loguid:"{#########}"; origin:"127.0.0.1"; time:"1544793145"; version:"1"; __policy_id_tag:"product=fW"; app_category:"Business / Economy"; app_desc:"Some app"; app_id:"60517565"; app_properties:"Business / Economy, SSL Protocol, Very Low Risk, Business Applications"; app_risk:"1"; app_rule_id:"#id1"; app_sig_id:"60517565:1"; appi_name:"Someapp"; dst:"127.0.0.1"; matched_category:"Business / Economy"; origin_sic_name:"Firewall"; product:"Firewall Control"; proto:"6"; proxy_src_ip:"127.0.0.1"; s_port:"54955"; service:"80"; snid:"8bca47a7"; src:"127.0.0.1"; src_machine_name:"machine.domain.com"; ];
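The reason the field comes back null is visible once the grok pattern is read as a plain regex: the `.*` before the optional group is greedy, the engine runs it to the end of the line, then satisfies `(?:app_category:"...")?` by matching it zero times, and `.*\];$` still succeeds from there. A successful overall match is found before the optional group ever gets a chance to participate, so the capture never fires. Moving the leading `.*` inside the optional group forces the engine to look for the key when the group is tried. The script below, an added example and not code from the question, expands the question's grok pattern with a minimal `%{NAME:field}` substitution (`grok_to_regex`, an assumed helper that only handles what this pattern needs, not a full grok implementation), runs the original and the corrected pattern against the question's log line plus a constructed line that lacks app_category, and also shows the simpler route of parsing every `key:"value";` pair into a dict. Two caveats from a practitioner's side: `(\w{1,}| |\/)*` nests a `+`-style quantifier inside `*`, a construction known for catastrophic backtracking on adversarial input, so `[\w /]*` is the safer way to express the same set of values; and the `^.*` prefix costs a full backtracking pass per line and can be dropped entirely.

```python
import re

# Constructed copy of the log line from the question (the IPs and IDs are
# already placeholders in the original post).
LOG_LINE = (
    '2018-12-14T13:12:25Z Firewall-Logs Firewall - [action:"Allow"; flags:"XXXXX"; '
    'ifdir:"ifdir1"; ifname:"ifname2"; loguid:"{#########}"; origin:"127.0.0.1"; '
    'time:"1544793145"; version:"1"; __policy_id_tag:"product=fW"; '
    'app_category:"Business / Economy"; app_desc:"Some app"; app_id:"60517565"; '
    'app_properties:"Business / Economy, SSL Protocol, Very Low Risk, Business Applications"; '
    'app_risk:"1"; app_rule_id:"#id1"; app_sig_id:"60517565:1"; appi_name:"Someapp"; '
    'dst:"127.0.0.1"; matched_category:"Business / Economy"; origin_sic_name:"Firewall"; '
    'product:"Firewall Control"; proto:"6"; proxy_src_ip:"127.0.0.1"; s_port:"54955"; '
    'service:"80"; snid:"8bca47a7"; src:"127.0.0.1"; '
    'src_machine_name:"machine.domain.com"; ];'
)

# Constructed line with no app_category, to show the field really is optional.
LOG_LINE_NO_CATEGORY = (
    '2018-12-14T13:12:26Z Firewall-Logs Firewall - [action:"Drop"; src:"127.0.0.1"; '
    'dst:"127.0.0.1"; service:"443"; ];'
)

# Custom pattern exactly as defined in the question.
PATTERNS = {
    "ENCAPSULATED_WORD": r"(\w{1,}| |\/)*",
}

# Original pattern from the question and the corrected one. The only change
# is that the `.*` now sits inside the optional group.
ORIGINAL = r'^.*\[.*(?:app_category:"%{ENCAPSULATED_WORD:app_category}")?.*\];$'
FIXED = r'^.*\[(?:.*app_category:"%{ENCAPSULATED_WORD:app_category}")?.*\];$'


def grok_to_regex(grok, patterns=PATTERNS):
    """Expand %{NAME:field} / %{NAME} into Python named / unnamed groups.

    Assumed minimal helper: it handles only this syntax, not nested grok
    patterns, type casts, or the built-in pattern library.
    """
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = patterns[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", sub, grok)


def extract_app_category(grok, line):
    """Apply a grok pattern and return the app_category capture.

    Returns None when the overall pattern matched but the optional group did
    not participate, which is exactly the 'null field' the question sees.
    Raises if the pattern does not match at all, so the two cases are distinct.
    """
    m = re.match(grok_to_regex(grok), line)
    if m is None:
        raise ValueError("pattern did not match the line")
    return m.group("app_category")


# The whole body between [ and ] is a sequence of key:"value"; pairs, so a
# key-value parse is both simpler and order-independent. Values in this format
# do not contain double quotes, which is the assumption [^"]* relies on.
FIELD_RE = re.compile(r'(\w+):"([^"]*)";')


def parse_fields(line):
    """Parse every key:"value"; pair inside the [...] body into a dict."""
    start, end = line.index("["), line.rindex("]")
    return dict(FIELD_RE.findall(line[start + 1:end]))


if __name__ == "__main__":
    print("original :", extract_app_category(ORIGINAL, LOG_LINE))
    print("fixed    :", extract_app_category(FIXED, LOG_LINE))
    print("fixed/no :", extract_app_category(FIXED, LOG_LINE_NO_CATEGORY))
    print("kv parse :", parse_fields(LOG_LINE).get("app_category"))
```

Running the script prints `None` for the original pattern and `Business / Economy` for the corrected one on the same line, and `None` (with the match still succeeding) for the line without the key. For Logstash specifically, the `parse_fields` approach corresponds to a `kv` filter with `field_split => ";"` and `value_split => ":"` after a grok that captures only the `[...]` body, which avoids maintaining one optional group per field.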