need help with regex and vrl

[StefanSa]

Hi there,
Hi, i'm trying to extract the src and dst fields from a sonicwall firewall from ssyslog. What i do not want to succeed.
Can someone please shed some light on what i am doing wrong.

vector.toml

[api]
enabled = true

[sources.sonic_syslog]
type = "socket"
address = "0.0.0.0:41898"
mode = "udp"

[transforms.remap_grok_sonicwall_fw]
type = "remap"
inputs = ["sonic_syslog"]
source = '''
. = parse_grok!(.message, "%{SYSLOG5424PRI}%{GREEDYDATA:message}")
'''

[transforms.parse_raw_sonicwall]
type = "remap"
inputs = ["remap_grok_sonicwall_fw"]
source = '''
.message = to_string(.message) ?? ""
.event.original = .message

# Versuch: generisch alle Felder parsen (falls möglich)
.parsed, err = parse_key_value(.message, field_delimiter: " ", key_value_delimiter: "=")

# Falls kein valides Parsing, dann sicherstellen, dass wir mit leerem Objekt weiterarbeiten
if err != null || !exists(.parsed) {
  .parsed = {}  # fallback auf leeres Objekt
}
'''

[transforms.extract_src_dst]
type = "remap"
inputs = ["parse_raw_sonicwall"]
source = '''
.log.parsed_src = .parsed.src
.log.parsed_dst = .parsed.dst

.src_parts = match!(.parsed.src, r'(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+)(?::(?P<src_if>[^:\s]+))?(?::(?P<src_fqdn>[^:\s]+))?')
if is_object(.src_parts) {
  .source.ip = .src_parts.src_ip
  .source.port = to_int(.src_parts.src_port)
  if exists(.src_parts.src_if) { .source.interface = .src_parts.src_if }
  if exists(.src_parts.src_fqdn) { .source.domain = .src_parts.src_fqdn }
}

.dst_parts = match!(.parsed.dst, r'(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)(?::(?P<dst_if>[^:\s]+))?(?::(?P<dst_fqdn>[^:\s]+))?')
if is_object(.dst_parts) {
  .destination.ip = .dst_parts.dst_ip
  .destination.port = to_int(.dst_parts.dst_port)
  if exists(.dst_parts.dst_if) { .destination.interface = .dst_parts.dst_if }
  if exists(.dst_parts.dst_fqdn) { .destination.domain = .dst_parts.dst_fqdn }
}

'''


[transforms.normalize_event_fields]
type = "remap"
inputs = ["extract_src_dst"]
source = '''
.@timestamp = now()
.event.ingested = now()
.event.module = "sonicwall"
.event.dataset = "sonicwall.firewall"

if contains(string!(.message), "deny") {
  .event.outcome = "denied"
  .event.action = "blocked"
  .event.category = ["network"]
  .event.type = ["denied"]
} else if contains(string!(.message), "allow") {
  .event.outcome = "success"
  .event.action = "allowed"
  .event.category = ["network"]
  .event.type = ["connection"]
} else {
  .event.outcome = "unknown"
  .event.action = "observed"
  .event.category = ["network"]
  .event.type = ["info"]
}
'''

[transforms.cleanup_sonicwall]
type = "remap"
inputs = ["normalize_event_fields"]
source = '''
. = compact(., nullish: true, recursive: true)
'''

[sinks.console_out]
type = "console"
inputs = ["cleanup_sonicwall"]
target = "stdout"
encoding.codec = "json"

example logfile:

id=test sn=11 time=\"2025-04-22 12:23:42 UTC\" fw=192.168.5.2 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=49169 appName='General DNS' n=110850326 usr=\"Unknown (SSO failed)\" src=192.168.0.2:54553:X0:STGlocal dst=172.17.34.11:53:X0 proto=udp/dns sent=68 spkt=1 dpi=0 fw_action=\"NA\"

output vector:

{
  "@timestamp": "2025-04-22T12:23:42.135734784Z",
  "dst_parts": true,
  "event": {
    "action": "observed",
    "category": [
      "network"
    ],
    "dataset": "sonicwall.firewall",
    "ingested": "2025-04-22T12:23:42.135735573Z",
    "module": "sonicwall",
    "original": "  id=test sn=11 time=\"2025-04-22 12:23:42 UTC\" fw=192.168.5.2 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=49169 appName='General DNS' n=110850326 usr=\"Unknown (SSO failed)\" src=192.168.0.2:54553:X0:STGlocal dst=172.17.34.11:53:X0 proto=udp/dns sent=68 spkt=1 dpi=0 fw_action=\"NA\"",
    "outcome": "unknown",
    "type": [
      "info"
    ]
  },
  "log": {
    "parsed_dst": "172.17.34.11:53:X0",
    "parsed_src": "192.168.0.2:54553:X0:STGlocal"
  },
  "message": "  id=test sn=11 time=\"2025-04-22 12:23:42 UTC\" fw=192.168.5.2 pri=6 c=1024 m=537 msg=\"Connection Closed\" app=49169 appName='General DNS' n=110850326 usr=\"Unknown (SSO failed)\" src=192.168.0.2:54553:X0:STGlocal dst=172.17.34.11:53:X0 proto=udp/dns sent=68 spkt=1 dpi=0 fw_action=\"NA\"",
  "parsed": {
    "app": "49169",
    "appName": "General DNS",
    "c": "1024",
    "dpi": "0",
    "dst": "172.17.34.11:53:X0",
    "fw": "192.168.5.2",
    "fw_action": "NA",
    "id": "test",
    "m": "537",
    "msg": "Connection Closed",
    "n": "110850326",
    "pri": "6",
    "proto": "udp/dns",
    "sent": "68",
    "sn": "11",
    "spkt": "1",
    "src": "192.168.0.2:54553:X0:STGlocal",
    "time": "2025-04-22 12:23:42 UTC",
    "usr": "Unknown (SSO failed)"
  },
  "src_parts": true,
  "syslog5424_pri": "134"
}

The regex itself was successfully tested here:
https://regex101.com/

Thanx for any help here
Stefan

[pront]

Hey @StefanSa,

Here's a small config to demonstrate how to extract only the source IP:

[api]
enabled = true

[sources.sonic_syslog]
type = "socket"
address = "0.0.0.0:41898"
mode = "udp"

[transforms.remap_grok_sonicwall_fw]
type = "remap"
inputs = ["sonic_syslog"]
source = '''
. = parse_grok!(.message, "%{SYSLOG5424PRI}%{GREEDYDATA:message}")
'''

[transforms.parse_raw_sonicwall]
type = "remap"
inputs = ["remap_grok_sonicwall_fw"]
source = '''
.message = to_string(.message) ?? ""
.event.original = .message

# Versuch: generisch alle Felder parsen (falls möglich)
.parsed, err = parse_key_value(.message, field_delimiter: " ", key_value_delimiter: "=")

src = .parsed.src
src_ip = split!(src, ":")[0]
. = src_ip
'''

[sinks.console_out]
type = "console"
inputs = ["parse_raw_sonicwall"]
target = "stdout"
encoding.codec = "json"
encoding.json.pretty = true

Send event:

nc -u 127.0.0.1 41898 <<< 'id=test sn=11 time="2025-04-22 12:23:42 UTC" fw=192.168.5.2 pri=6 c=1024 m=537 msg="Connection Closed" app=49169 appName="General DNS" n=110850326 usr="Unknown (SSO failed)" src=192.168.0.2:54553:X0:STGlocal dst=172.17.34.11:53:X0 proto=udp/dns sent=68 spkt=1 dpi=0 fw_action="NA"'

Output:

{
  "message": "192.168.0.2"
}