LogRhythm 6.1
MPE Rule Builder Cheat Sheet
Parsing Fields and Tags
The following table lists all the meta-data fields LogRhythm can parse and their associated parsing tag(s). Also provided is the regular expression embedded in each tag. This regular expression can be overridden; an explanation of how this is done follows the table.
*** All Mapping and Parsing tags are lower case ***
Field / Description / Tag(s) / Default Regex
(each field lists its description where the sheet gives one, then one line per tag with that tag's default regex)

Origin Host
  Description: The host from which activity originated (i.e., attacker)
  <sip> IP Address            (?<sipa>1??\d{1,2}|2[0-4]\d|25[0-5])\.(?<sipb>1??\d{1,2}|2[0-4]\d|25[0-5])\.(?<sipc>1??\d{1,2}|2[0-4]\d|25[0-5])\.(?<sipd>1??\d{1,2}|2[0-4]\d|25[0-5])
  <sname>                     ([^\s\.]+\.?)+
  (tag not shown in source)   (<sip>|<sname>)
  <snatip> NAT IP Address

Impacted Host
  <dip> IP Address            (?<dipa>1??\d{1,2}|2[0-4]\d|25[0-5])\.(?<dipb>1??\d{1,2}|2[0-4]\d|25[0-5])\.(?<dipc>1??\d{1,2}|2[0-4]\d|25[0-5])\.(?<dipd>1??\d{1,2}|2[0-4]\d|25[0-5])
  <dname>                     ([^\s\.]+\.?)+
  (tag not shown in source)   (<dip>|<dname>)
  <dnatip> NAT IP Address

Origin Port
  <sport> Source Port         \d+

Impacted Port
  (tag not shown in source)   \d+

Origin MAC Address
  <smac>                      (\w{2}(:|-)?){6}

Impacted MAC Address
  Description: The MAC Address which was affected by the activity.
  <dmac>                      (\w{2}(:|-)?){6}

Origin Interface
  <sinterface>                \w+

Impacted Interface
  <dinterface>                \w+

Protocol
  Description: The network protocol used for the activity (i.e., TCP)
  (tag not shown in source)   \w+

Login
  Description: The user associated with the activity reported in the log.
  <login>                     \w+

Account
  Description: The user account impacted by activity reported in the log.
  <account>                   \w+

Group
  Description: The group or role impacted by activity reported in the log.
  <group>                     \w+

Domain
  Description: The Windows or DNS domain name referenced or impacted by activity reported in the log.
  <domain>                    \w+

Object
  Description: The resource (i.e., file) referenced or impacted by activity reported in the log.
  <object>                    \w+
  <objectname>                \w+

URL
  Description: The URL referenced or impacted by activity reported in the log.
  <url>                       https?://.+

Vendor Message ID
  Description: The specific vendor log/event identifier for the log.
  <vmid>                      \w+

Sender
  Description: The sender of an email, or the called-from number for a VOIP log.
  <sender>                    [^\s]+@[^\s]+

Recipient
  Description: The recipient of an email, or the called-to number for a VOIP log.
  <recipient>                 [^\s]+@[^\s]+

Subject
  Description: The subject of an email.
  <subject>                   \w+

Session
  Description: User, system, or application session
  <session>                   \w+

Process
  Description: System or application process
  <process>                   \w+
  <processid>                 \d+

Severity
  <severity>                  \w+

Version
  <version>                   \w+

Command
  <command>                   \w+

Bytes In/Out
  Description: Bytes sent/received from a device, system, or process. Use the appropriate tag based upon the units represented by the log data.
  <bitsin>, <bitsout>
  <bytesin>, <bytesout>
  <kilobitsin>, <kilobitsout>
  <kilobytesin>, <kilobytesout>
  <megabitsin>, <megabitsout>
  <megabytein>, <megabyteout>
  <gigabitsin>, <gigabitsout>
  <gigabytein>, <gigabyteout>
  <terabitsin>, <terabitsout>
  <terabytesin>, <terabytesout>
  <petabitsin>, <petabitsout>
  <petabytesin>, <petabytesout>
  Default regex for all of the above: [0123456789\.]+

Items In/Out
  Description: Use the following tags if the data represents packet counts, or the generic tags if the data represents anything else.
  <packetsin>, <packetsout>   [0123456789\.]+
  <itemsin>, <itemsout>       [0123456789\.]+

Duration
  Description: The duration of a session, job, activity, etc.
  <timeend>                   [0123456789\.]+
  <days>                      [0123456789\.]+
  <hours>                     [0123456789\.]+
  <minutes>                   [0123456789\.]+
  <seconds>                   [0123456789\.]+
  <milliseconds>              [0123456789\.]+
  <microseconds>              [0123456789\.]+
  <nanoseconds>               [0123456789\.]+

Size
  Description: The size of something
  <size>                      [0123456789\.]+

Quantity
  Description: The quantity of something
  <quantity>                  [0123456789\.]+

Amount
  Description: The amount of something
  <amount>                    [0123456789\.]+

Rate
  Description: The rate of something
  <rate>                      [0123456789\.]+
Mapping Tags
Five additional tags are available for identifying data in the log specifically for sub-rules. These tags do not parse text into meta-data fields. Their sole purpose is to identify portions of the log message that should be used in the development of sub-rules.

Tag      Field Type   Default Regex
<tag1>   Text         .*
<tag2>   Text         .*
<tag3>   Text         .*
<tag4>   Text         .*
<tag5>   Text         .*
Overriding the Default Regex
If the default regex for a tag either:
  o Will not properly parse the correct data out of the log message, or
  o Is not the optimal regex from a performance perspective
the default should be overridden. To override the default regex, use the following syntax:
(?<[tagname]>[regex])
For example, suppose your regex needs to match file names with a specific extension such as the sample log
message below:
User joe.blow opened AnnualReport.pdf
If the base-rule was written as:
User <login> opened <object>
The value parsed for login would be joe and the value for object would be AnnualReport. This is because a period is not a word character, so the default regex of \w+ only matches up to the period. Instead, the default regexes should be overridden and the base-rule should be:
User (?<login>\w+\.?\w*) opened (?<object>\w+\.pdf)
Now the base-rule will parse anything for login that starts with a word character and optionally contains a period followed by additional word characters.
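The tag substitution the base-rule relies on, as an added Python model (not LogRhythm's own engine): a bare tag expands to its default regex as a named group, and an (?<tag>regex) override keeps its own regex. Python's re module spells named groups (?P<tag>...), so the override syntax is rewritten, and the DEFAULT_REGEX table is a constructed subset of the sheet.

```python
import re
from typing import Optional

# Constructed subset of the cheat sheet's default parsing regexes, keyed by tag name.
DEFAULT_REGEX = {
    "login": r"\w+",
    "object": r"\w+",
    "sport": r"\d+",
    "url": r"https?://.+",
}

# A bare <tag> (not the <tag> inside an "(?<tag>" override) takes the default regex.
BARE_TAG = re.compile(r"(?<!\?)<(\w+)>")
# An "(?<tag>regex)" override keeps its regex; Python needs the (?P<tag>...) spelling.
OVERRIDE = re.compile(r"\(\?<(\w+)>")


def compile_rule(base_rule: str) -> re.Pattern:
    """Expand an MPE-style base rule into a compiled regex with one named group per tag."""
    def expand(m: re.Match) -> str:
        tag = m.group(1)
        if tag not in DEFAULT_REGEX:
            raise ValueError(f"unknown parsing tag <{tag}>")
        return f"(?P<{tag}>{DEFAULT_REGEX[tag]})"

    pattern = BARE_TAG.sub(expand, base_rule)    # defaults first; overrides are untouched
    pattern = OVERRIDE.sub(r"(?P<\1>", pattern)  # then rewrite the override syntax
    return re.compile(pattern)


def parse(base_rule: str, log: str) -> Optional[dict]:
    """Return the parsed meta-data fields, or None when the rule does not match the log."""
    m = compile_rule(base_rule).search(log)
    return m.groupdict() if m else None


if __name__ == "__main__":
    log = "User joe.blow opened AnnualReport.pdf"  # the sheet's sample log message
    # The default \w+ stops at the period, so "User <login>" captures only "joe" ...
    print(parse("User <login>", log))
    # ... and the full default rule cannot line " opened" up after "joe" at all.
    print(parse("User <login> opened <object>", log))
    # The override carries the period through and captures both fields whole.
    print(parse(r"User (?<login>\w+\.?\w*) opened (?<object>\w+\.pdf)", log))
```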
Match Characters
Notation   Characters Matched
\d         A digit (0-9)
\D         Any character that is not a digit
\w         A word character (a-z, A-Z, 0-9, _)
\W         Any character that is not a word character
\s         A whitespace character (space, tab, line break)
\S         Any character that is not whitespace
.          Any single character except a line break
[]         Any one of the characters listed inside the brackets
[^ ]       Any character not listed inside the brackets

Copyright 2010 LogRhythm, Inc
Repetition Characters
Notation   Characters Matched                                                Example
{n}        Matches n of the previous item                                    \w{4} matches AAAA but not A
{n,}       Matches n or more of the previous item                            \w{4,} matches AAAAAA but not A
{n,m}      Matches at least n and at most m of the previous item; if n is 0  A{2,3} matches AA and AAA but not A or AAAA
           the item becomes optional ({0,9})
?          Matches the previous item 0 or 1 times                            A? matches A or nothing but not AA
+          Matches the previous item 1 or more times                         A+ matches A, AA, AAA but not nothing
*          Matches the previous item 0 or more times                         A* matches nothing, A or any number of As
Positional Characters
Notation   Description
^          The following pattern must be at the start of the string, or, if it is a multi-line string, at the beginning of a line. For multi-line text (a string containing a carriage return) the multi-line flag option needs to be set.
$          The preceding pattern must be at the end of the string, or, if it is a multi-line string, at the end of a line.
\A         The following pattern must be at the start of the string; the multi-line flag is ignored.
\Z         The preceding pattern must be at the end of the string; the multi-line flag is ignored.
\b         Matches a word boundary, essentially the point between a word character (a-z, A-Z, 0-9, _) and a non-word character: the start of a word.
\B         Matches a position that is not a word boundary; not the start of a word.
Grouping
Notation   Characters Matched                                        Example
()?        Matches the pattern inside the brackets 0 or 1 times      (Error)? matches Error or nothing
()+        Matches the pattern inside the brackets 1 or more times   (\w+\s)+ matches AA AA
()*        Matches the pattern inside the brackets 0 or more times   (\w+\s)* matches nothing or AA AA
Reserved Characters
The regex engine used by LogRhythm has 12 reserved characters that have special meaning. If any of these
characters need to be used as a literal character they will need to be escaped using the backslash (\) character,
otherwise known as the escape character. The reserved characters are:
The opening square brackets [
The opening round bracket (
The closing round bracket )
The backslash \
The caret ^
The dollar sign $
The period .
The vertical bar or pipe symbol |
The question mark ?
The asterisk or star *
The plus sign +
The opening squiggly bracket {
The closing squiggly bracket }
As a simple example of how to escape reserved characters, consider the following regex, which is meant to match any IP address:
\d+\.\d+\.\d+\.\d+
Each period in the IP address is escaped, so the regex engine looks for the literal period (.) character in the string instead of any character, which is the period's reserved meaning.
Recommended Patterns
^.*?
  This is the best way to start any regex if you want to match any characters until a specific set of characters appears. The ^ tells the regex engine to start from the beginning. The ? tells the engine to perform a non-greedy match.
  Example: ^.*?MsgID=1590.*?user (?<login>\w+\.?\w*)
.*?
  Non-greedy match.
(?<[map tag]>[regex])
  Overloading map tags: preceding and trailing values.
  Example: N/A
(?=[regex])[regex]
(?![regex])[regex]
  Look aheads.
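The anchored non-greedy opener and the look-ahead forms from the table, as an added Python example that is not part of the cheat sheet (Python spells the named group (?P<login>...) where the sheet writes (?<login>...)). The log lines are constructed and each carries two "user" fields, of which only the first is the subject wanted in <login>.

```python
import re

# Constructed log lines (not from the cheat sheet). Each has two "user" fields;
# only the first is the subject we want in <login>.
FAILED = "MsgID=1590 Logon failed for user jsmith from 10.0.0.5; target user admin"
SUCCESS = "MsgID=1591 Logon ok for user SYSTEM from 10.0.0.5; target user svc_backup"

# The sheet's recommended opener: anchored, non-greedy skip to the marker,
# non-greedy skip to the first "user ".
NON_GREEDY = re.compile(r"^.*?MsgID=1590.*?user (?P<login>\w+\.?\w*)")
# The same rule with greedy .* for contrast: it runs on to the LAST "user ".
GREEDY = re.compile(r"^.*MsgID=1590.*user (?P<login>\w+\.?\w*)")
# Positive look-ahead: only parse a login from lines that report a failure.
FAILED_ONLY = re.compile(r"^(?=.*Logon failed).*?user (?P<login>\w+)")
# Negative look-ahead: skip the built-in SYSTEM account and take the next user.
NOT_SYSTEM = re.compile(r"^.*?user (?!SYSTEM\b)(?P<login>\w+)")


def login(pattern: re.Pattern, log: str):
    """Return the <login> capture for one compiled rule, or None if it does not match."""
    m = pattern.search(log)
    return m.group("login") if m else None


if __name__ == "__main__":
    print(login(NON_GREEDY, FAILED))   # jsmith: first "user " after the marker
    print(login(GREEDY, FAILED))       # admin: greedy .* backtracks from the end
    print(login(FAILED_ONLY, SUCCESS)) # None: the look-ahead rejects the line
    print(login(NOT_SYSTEM, SUCCESS))  # svc_backup: SYSTEM is skipped
```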
Rule and Common Event Naming
- When the log message the rule will match contains a vendor message ID, such as an event ID in Windows Event Logs, include the ID in the name of the rule. This makes searching for the rule easier and also makes the rule more descriptive of the log it matches.
- If the rule matches a log from a logging system that generates logs for a wide variety of services, such as the Windows Application Event Log, include the service that generated the log message in the rule name.
- All rule names should contain a brief description of the action described by the log.
  o Ex. EVID 528 : Failed Authentication : Bad Username or Password
- Common Events should be generically named so that they can be re-used for a wide variety of devices. For example, if a common event is being created for a log message that describes a successful connection to an FTP server, the common event should be named so that the FTP server type is irrelevant.
  o Good: FTP Connection Succeeded
  o Bad: Gene6 FTP Connection Succeeded
- Common Event names should always have the first letter of each word capitalized. This makes the viewing of Common Events in analysis tools more consistent.