pC_elkciscowsawebactivity.md

June 14, 2023 · View on GitHub

Parser Content

{
# Exabeam parser definition (HOCON) for Cisco Secure Web Appliance access logs
# delivered through ELK. An event is handed to this parser only when its raw
# text satisfies Conditions; each entry in Fields is a regex whose ({name}...)
# group becomes the extracted field of that name. A bare "-" is accepted as the
# "no value" placeholder wherever the log may emit one, so the named group is
# simply left unset instead of failing the whole regex.
Name = elk-cisco-wsa-web-activity
  Vendor = Cisco
  Product = Secure Web Appliance
  Lms = Direct
  DataType = "web-activity"
  # High-volume-feed flag; presumably changes how the engine schedules or
  # retains these events - TODO confirm against the parser engine docs.
  IsHVF = true
  # The {time} capture below takes only the 10-digit whole-seconds part of the
  # "1234567890.123" timestamp, hence epoch_sec (not epoch_millis).
  TimeFormat = "epoch_sec"
  # Literal marker that must be present in the raw event for this parser to apply.
  Conditions = [ """accesslog_ELK:""" ]
  # Field extractors. Two anchors are used: the literal "Info:" followed by N
  # whitespace-delimited tokens, or the timestamp followed by N tokens, where
  # ([^\s]{1,2000}\s){N} skips N tokens. Repeats are bounded ({1,2000}, {0,100},
  # ...) rather than open-ended, which keeps worst-case backtracking predictable
  # on this high-volume feed; the only unbounded repeat is the lazy .+? in the
  # proxy_action extractor, which is still limited by the single log line.
  Fields = [
    # Event time: whole seconds of the epoch timestamp; the .ddd fraction is dropped.
    """({time}\d{10})\.\d{3}""",
    # Forwarder-supplied host from "exabeam_host=...", skipping an optional "something@ " prefix.
    """exabeam_host=([^=]{1,2000}@\s{0,100})?({host}[^\s]{1,2000})""",
    # Client IP: "-" or a dotted quad, two tokens after the timestamp (the token
    # in between is skipped, not captured).
    """\d{10}\.\d{3}\s{1,100}\S+\s(?:-|({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))""",
    # Fourth token after "Info:": transaction result written as
    # "<proxy_action>/<result_code>"; the "/code" suffix is optional and the code
    # itself may be "-".
    """Info:\s{1,100}([^\s]{1,2000}\s){3}(?:-|({proxy_action}.+?)(\/(?:-|({result_code}\d{1,100})))?)\s""",
    # Sixth token after "Info:": HTTP method.
    """Info:\s{1,100}([^\s]{1,2000}\s){5}(?:-|({method}[^\s]{1,2000}))""",
    # Sixth token after the timestamp: the URL, decomposed into an optional
    # "<protocol>://" prefix, an uncaptured host, optional ":<dest_port>", then
    # "/<uri_path>" and "?<uri_query>". NOTE(review): the "/" after the host is
    # mandatory in this pattern, so a host-only URL without a trailing slash would
    # not match - confirm that is intended.
    """\d{10}\.\d{3}\s{1,100}([^\s]{1,2000}\s){5}(?:-|({full_url}(({protocol}[^:]{1,2000}):\/+)?[^\s:\/]{1,2000}(:({dest_port}\d{1,100}))?\/(?:-|({uri_path}[^?\s]{1,2000}))?({uri_query}\?[^\s]{1,2000})?))""",
    # Eighth token after "Info:": authenticated user, optionally quoted and
    # optionally prefixed "DOMAIN\" (the domain is captured separately). The
    # user capture stops at "@", a quote or whitespace.
    """Info:\s{1,100}([^\s]{1,2000}\s){7}"{0,20}(?:-|(({domain}[^\\]{1,2000})\\+)?({user}[^@"\s]{1,2000}))""",
    # Host part of the URL token (after an optional "scheme://"); when that host
    # is a dotted quad it is also captured as dest_ip.
    """\d{10}\.\d{3}\s{1,100}([^\s]{1,2000}\s){5}(\w+:\/+)?({web_domain}(?:({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|[^\s\/:]{1,2000}))""",
    # Eleventh token after "Info:": policy/ACL decision tag, captured only up to
    # its first "-".
    """Info:\s{1,100}([^\s]{1,2000}\s){10}(?:-|({action}[^\s-]{1,2000}))""",
    # Tenth token after "Info:": MIME type; a token made only of quotes and/or
    # dashes is treated as empty.
    """Info:\s{1,100}([^\s]{1,2000}\s){9}(?:["-]{1,2000}|({mime}[^\s]{1,2000}))""",
    # Web category: first entry inside the "<...>" block that follows the
    # eleventh token, optionally quoted; "-" and "nc" are skipped as placeholders.
    """Info:\s{1,100}([^\s]{1,2000}\s){10}[^\s]{1,2000}\s{1,100}<("{1,100})?(?:-|nc|({category}[^,>"]{1,2000}))""",
    # Key/value style extractors: the key must be preceded by a non-word character
    # and is followed only by optional whitespace before the value.
    # NOTE(review): an "=" between key and value would not match these patterns -
    # confirm against the actual log shape. dest_ip and dest_port are also set by
    # the URL extractors above; which value wins when both match is decided by
    # the parser engine's field precedence - TODO confirm.
    """\Wdst\s{0,100}({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
    """\WdstPort\s{0,100}({dest_port}\d{1,100})""",
    # User agent: optionally quoted, captured up to the closing quote; a single
    # whitespace character or "-" in its place means "absent".
    """\Wuserag\s{0,100}"{0,20}(?:[\s-]|({user_agent}[^"]{1,2000}))""",
  ]


}