The parser still needs some refinement, but in general it processes 90% of incoming events.
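#####################
#
### TESTSOFT.NET ###
#
############################
### ArcSight Parser For Apache and ModSecurity Stock Logformat v1.0 ###
#
# Top level: the incoming line is expected to look like "httpd[pid]: <log line>".
# Token 0 is the process name ("httpd"), token 1 is everything after the colon
# (an access-log line or an error-log line), which is routed to the submessage
# patterns below.
regex=(httpd)(?:\\[.*\\])?:\\s(.*)
token.count=2
token[0].name=type
token[0].type=String
token[1].name=body
token[1].type=String

event.deviceVendor=__stringConstant("apache")
# Overridden to "waf" by pattern[2] (ModSecurity) via its extramappings.
event.deviceProduct=__stringConstant("webserver")
event.sourceUserPrivileges=__stringConstant("apache")
# Overridden to "modsecurity" by pattern[2] via its extramappings.
event.deviceProcessName=__stringConstant("apache")
# The raw body is always kept in flexString2 so an event that matches none of
# the submessage patterns (or matches the wrong one) can still be inspected.
event.flexString2=body
event.flexString2Label=__stringConstant("raw")
event.name=type
event.message=body

submessage.messageid.token=type
submessage.token=body
submessage.count=1
submessage[0].messageid=httpd
submessage[0].pattern.count=3

### Example ###
# 1.1.1.1 - - [03/Sep/2020:14:43:38 +0000] "GET /000000000000 HTTP/1.1" 404 40460 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
#
# Access log, normal request line ("METHOD URL HTTP/x.y").
# Fixes against v1.0: the octet separators of the client address and the dot of
# the HTTP version are now escaped (\\.) instead of matching any character, and
# the referer / user-agent groups accept an empty string ("") as well as "-",
# which previously left such lines unparsed.
# $2, $5, $8 and $9 are copied from the client request (remote user, URL,
# referer, user agent). Nothing here validates them, so treat them as untrusted
# in downstream rules; a request line containing extra spaces or quotes can
# shift which capture group a value lands in, which is visible by comparing
# against the raw body in flexString2.
# NOTE(review): if the LogFormat uses %b, a zero-byte response is logged as "-"
# and will not match the (\\d+) group for bytesOut - confirm against the
# server's LogFormat (%B logs 0 instead).
submessage[0].pattern[0].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\]\\s+\\"(\\w+)\\s+(.*)\\s+HTTP\\/\\d\\.\\d\\"\\s+(\\d+)\\s+(\\d+)\\s+\\"([^"]*)\\"\\s+\\"([^"]*)\\".*
submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9
submessage[0].pattern[0].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.requestMethod,event.requestUrl,event.deviceCustomString2,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4
# deviceEventClassId is "METHOD:status"; deviceSeverity carries the raw HTTP
# status code ($6), not an ArcSight severity level - consumers that expect
# Low/Medium/High should derive it from deviceCustomString2 ("status").
submessage[0].pattern[0].extramappings=event.deviceEventClassId\=__concatenate($4,":",$6)|event.message\=__concatenate($6," ",$4," ",$5)|event.deviceSeverity=$6|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")
#$1 - event.attackerAddress - $remote_addr
#$2 - event.targetUserName - $remote_user
#$3 - event.deviceCustomString1 - $time_local
#$4 - event.requestMethod -
#$5 - event.requestUrl -
#$6 - event.deviceCustomString2 - $status
#$7 - event.bytesOut - $body_bytes_sent
#$8 - event.deviceCustomString3 - $http_referer
#$9 - event.deviceCustomString4 - $http_user_agent

### Example ###
# 1.1.1.1 - - [03/Sep/2020:14:56:25 +0000] "-" 408 559 "-" "-"
#
# Access log, request line without a method (e.g. a 408 timeout before any
# request was read). Same escaping fixes as pattern[0]; $4 holds whatever was
# logged in place of the request line and is mapped to requestUrl.
submessage[0].pattern[1].regex=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\s+-\\s+(.*)\\s+\\[(.*)\\]\\s+\\"(.*)"\\s+(\\d+)\\s+(\\d+)\\s+\\"([^"]*)\\"\\s+\\"([^"]*)\\".*
submessage[0].pattern[1].mappings=$1|$2|$3|$4|$5|$6|$7|$8
submessage[0].pattern[1].fields=event.attackerAddress,event.targetUserName,event.deviceCustomString1,event.requestUrl,event.deviceCustomString2,event.bytesOut,event.deviceCustomString3,event.deviceCustomString4
# No method is available here, so deviceEventClassId becomes "-:status".
submessage[0].pattern[1].extramappings=event.deviceEventClassId\=__concatenate("-",":",$5)|event.message\=__concatenate($5," ","-"," ",$4)|event.deviceSeverity=$5|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString2Label=__stringConstant("status")|event.deviceCustomString3Label=__stringConstant("http_referer")|event.deviceCustomString4Label=__stringConstant("http_user_agent")

######### ModSecurity Apache Mod #########
# Apache error-log line written by ModSecurity ("[date] [:error] ... [client
# ip:port] ModSecurity: ... [file "..."] [line "..."] [id "..."] [msg "..."]
# [data "..."] [severity "..."] [tag "OWASP_CRS/..."] [uri "..."]
# [unique_id "..."] ... referer: ...").
# Fix against v1.0: the client address octet separators are escaped (\\.).
# Only [file ...] and [msg ...] are mandatory; every other bracketed field is
# optional and is reached through a greedy ".*", so when a field is absent the
# group stays empty. $4 (the free text between "ModSecurity:" and "[file") and
# $10 ([data ...]) echo request content chosen by the client - untrusted, like
# the access-log fields above.
# NOTE(review): because each optional group is preceded by ".*", a line that
# carries several ModSecurity entries may capture a later occurrence of a
# field - verify against real logs before relying on rule_id / rule_line.
submessage[0].pattern[2].regex=.*\\[(.*)]\\s+\\[:error\\].*\\[client\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)\\:(\\d+)\\].*ModSecurity:\\s+((Access\\s+denied|Warning)?.*)\\[file\\s+\\"([^"]+)\\"\\](?:.*line\\s+\\"([^"]+)\\"\\])?(?:.*id\\s+\\"([^"]+)\\"\\])?.*msg\\s+\\"([^"]+)\\"\\](?:.*data\\s+\\"([^"]+)\\"\\])?(?:.*severity\\s+\\"([^"]+)\\"\\])?(?:.*tag\\s+\\"OWASP_CRS\\/([^"]+)\\"\\])?(?:.*uri\\s+\\"([^"]+)\\"\\])?(?:.*unique_id\\s+\\"([^"]+)\\"\\])?(?:.*referer:\\s+([^\\s]+))?.*
submessage[0].pattern[2].mappings=$1|$2|$3|$4|$5|$6|$7|$8|$9|$10|$11|$12|$13|$14|$15
submessage[0].pattern[2].fields=event.deviceCustomString1,event.attackerAddress,event.attackerPort,event.message,event.deviceAction,event.filePath,event.flexNumber1,event.flexNumber2,event.name,event.flexString1,event.deviceSeverity,event.deviceCustomString5,event.requestUrl,event.externalId,event.deviceCustomString3
# deviceProduct / deviceProcessName are rewritten here so WAF events are
# distinguishable from plain web-server events; deviceSeverity is the
# ModSecurity severity string lower-cased (e.g. "critical"), unlike the
# access-log patterns where it is the HTTP status code.
submessage[0].pattern[2].extramappings=event.deviceProduct=__stringConstant("waf")|event.message\=__concatenate($4,$10)|event.deviceSeverity=__toLowerCase($11)|event.deviceProcessName=__stringConstant("modsecurity")|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString3Label=__stringConstant("referer")|event.deviceCustomString5Label=__stringConstant("owasp_crs")|event.flexNumber1Label=__stringConstant("rule_line")|event.flexNumber2Label=__stringConstant("rule_id")|event.flexString1Label=__stringConstant("data")
#$1 - event.deviceCustomString1 - time_local
#$2 - event.attackerAddress
#$3 - event.attackerPort
#$4 - event.message
#$5 - event.deviceAction
#$6 - event.filePath
#$7 - event.flexNumber1 - line
#$8 - event.flexNumber2 - id
#$9 - event.name
#$10 - event.flexString1 - data
#$11 - event.deviceSeverity
#$12 - event.deviceCustomString5 - owasp_crs
#$13 - event.requestUrl
#$14 - event.externalId - unique_id
#$15 - event.deviceCustomString3 - referer

##### TMP FOR DEBUG #####
# Catch-all submessage that tags anything the patterns above do not match.
# Left disabled; enabling it also requires submessage.count=2 and a messageid
# for submessage[1].
#submessage[1].pattern.count=1
#submessage[1].pattern[0].regex=(.*)
#submessage[1].pattern[0].fields=event.message
#submessage[1].pattern[0].extramappings=event.reason=__stringConstant("unparsed apache")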