Troubleshooting flex config datasource


Article ID: 212883


CASB Security Premium


Logs fail to process when the following flex config is used.

{"datetime_format":"MMM dd yyyy HH:mm:ss z","dst_rex":"dst=(.*?)[ $]","start_at_column":"50","comments_startwith":"#","bytes_rex":"bytes=(.*?)[ $]","logformat":"rex","src_rex":"src=(.*?)[ $]","datetime_rex":"(?:|datetime=)(.:.?)[ $]"}


Incorrect flex config


There are four problems with the flex config being used.

1) CASB does not support z in the date format.  z is the timezone pattern letter (for example GMT).  Remove z from datetime_format.

2) CASB does not support "start_at_column".  Remove it from the flex config.  It is not needed even when each log line starts with information that should be skipped, because with "logformat":"rex" each field is located by its own *_rex pattern wherever it appears in the line.

3) The datetime entry has incorrect syntax: "datetime_rex":"(?:|datetime=)(.:.?)[ $]".  In a regex "." matches a single character, so "(.:.?)" can only capture one character, a colon, and at most one more character, which never matches a full timestamp such as "Mar 15 2021 14:03:22".  It should be "datetime_rex":"(?:|datetime=)(.*:.*?)[ $]".  The corrected config below also drops the empty alternative in "(?:|datetime=)", so the "datetime=" prefix is required rather than optional.

4) sent and rcvd are required fields and are missing.  datetime and bytes are also required fields, and are already present.

The following flex config is the corrected flex config that should be used.

{"datetime_format":"MMM dd yyyy HH:mm:ss","dst_rex":"dst=(.*?)[ $]","comments_startwith":"#","bytes_rex":"bytes=(.*?)[ $]","sent_rex":"sent=(.*?)[ $]","logformat":"rex","src_rex":"src=(.*?)[ $]","datetime_rex":"(?:datetime=)(.*:.*?)[ $]","rcvd_rex":"rcvd=(.*?)[ $]"}
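The following Python script is an added example, not part of this article or of the CASB product; it checks a flex config against the four problems listed above and then applies the *_rex extractors to a few constructed log lines, so the difference between the incorrect and corrected configs can be seen. Assumptions: the log lines are constructed for this example (the article shows none), the datetime_format letters are interpreted as Java SimpleDateFormat letters and mapped to strptime, and the validation rules are only those stated in this article.

```python
import json
import re
from datetime import datetime

# Constructed sample log (assumption: the article does not show real log lines).
# Every field is followed by a space, which "[ $]" in the *_rex patterns relies on.
SAMPLE_LOG = """# comment line, skipped because of comments_startwith
datetime=Mar 15 2021 14:03:22 src=10.0.0.5 dst=203.0.113.7 bytes=1234 sent=800 rcvd=434 action=allow
datetime=Mar 15 2021 14:03:23 src=10.0.0.9 dst=198.51.100.2 bytes=98 sent=50 rcvd=48 action=block
"""

# The two configs from the article: the failing one and the corrected one.
INCORRECT_CONFIG = ('{"datetime_format":"MMM dd yyyy HH:mm:ss z","dst_rex":"dst=(.*?)[ $]",'
                    '"start_at_column":"50","comments_startwith":"#","bytes_rex":"bytes=(.*?)[ $]",'
                    '"logformat":"rex","src_rex":"src=(.*?)[ $]","datetime_rex":"(?:|datetime=)(.:.?)[ $]"}')
CORRECTED_CONFIG = ('{"datetime_format":"MMM dd yyyy HH:mm:ss","dst_rex":"dst=(.*?)[ $]",'
                    '"comments_startwith":"#","bytes_rex":"bytes=(.*?)[ $]","sent_rex":"sent=(.*?)[ $]",'
                    '"logformat":"rex","src_rex":"src=(.*?)[ $]","datetime_rex":"(?:datetime=)(.*:.*?)[ $]",'
                    '"rcvd_rex":"rcvd=(.*?)[ $]"}')

REQUIRED_FIELDS = ("datetime", "bytes", "sent", "rcvd")

# Assumption: datetime_format uses Java SimpleDateFormat letters. "z" is deliberately
# not mapped, because CASB rejects it; it stays in the format and fails to parse.
JAVA_TO_STRPTIME = {"MMM": "%b", "dd": "%d", "yyyy": "%Y", "HH": "%H", "mm": "%M", "ss": "%S"}


def java_format_to_strptime(fmt: str) -> str:
    """Translate the Java-style pattern letters to their strptime equivalents."""
    out = fmt
    for token in sorted(JAVA_TO_STRPTIME, key=len, reverse=True):  # longest tokens first
        out = out.replace(token, JAVA_TO_STRPTIME[token])
    return out


def validate_config(config: dict) -> list:
    """Return a list of problems, one per rule from the article; empty means the config passes."""
    problems = []
    if "z" in config.get("datetime_format", ""):
        problems.append("datetime_format contains z (timezone), which CASB does not support")
    if "start_at_column" in config:
        problems.append("start_at_column is not supported; remove it")
    for field in REQUIRED_FIELDS:
        if f"{field}_rex" not in config:
            problems.append(f"required field {field} has no {field}_rex")
    for key, value in config.items():
        if key.endswith("_rex"):
            try:
                pattern = re.compile(value)
            except re.error as exc:
                problems.append(f"{key} does not compile: {exc}")
                continue
            if pattern.groups != 1:
                problems.append(f"{key} must contain exactly one capturing group")
    return problems


def parse_log(config: dict, log_text: str) -> list:
    """Apply every *_rex extractor to each non-comment line and parse the datetime.
    A line missing a required field, or with an unparseable datetime, gets an 'error' key."""
    comment_prefix = config.get("comments_startwith")
    fmt = java_format_to_strptime(config["datetime_format"])
    extractors = {k[:-4]: re.compile(v) for k, v in config.items() if k.endswith("_rex")}
    records = []
    for line in log_text.splitlines():
        if not line.strip() or (comment_prefix and line.startswith(comment_prefix)):
            continue
        rec = {}
        for field, pattern in extractors.items():
            match = pattern.search(line)
            rec[field] = match.group(1) if match else None
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) is None]
        if missing:
            rec["error"] = "missing required field(s): " + ", ".join(missing)
        else:
            try:
                rec["datetime"] = datetime.strptime(rec["datetime"], fmt)
            except ValueError as exc:
                rec["error"] = f"datetime {rec['datetime']!r} does not match {fmt!r}: {exc}"
        records.append(rec)
    return records


if __name__ == "__main__":
    for label, raw in (("incorrect", INCORRECT_CONFIG), ("corrected", CORRECTED_CONFIG)):
        cfg = json.loads(raw)
        print(f"--- {label} config: {len(validate_config(cfg))} problem(s)")
        for problem in validate_config(cfg):
            print("  ", problem)
        for rec in parse_log(cfg, SAMPLE_LOG):
            print("  ", rec)
```

Two regex details are worth keeping in mind when adapting the patterns. "[ $]" is a character class that matches a space or a literal "$", not an end-of-line anchor, so a field that ends the line without a trailing space is not captured. And ".*:" in the corrected datetime_rex is greedy, so it extends to the last colon in the line; if later fields carry colons (URLs, IPv6 addresses), the captured timestamp grows past the time and fails to parse.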