From scastellano at quadrantsec.com Mon Sep 18 19:43:41 2017
From: scastellano at quadrantsec.com (Sam Castellano)
Date: Mon, 18 Sep 2017 13:43:41 -0400 (EDT)
Subject: [Lognorm] Syntax questions
Message-ID: <1908624793.329435.1505756621133.JavaMail.zimbra@quadrantsec.com>

Good afternoon,

I am having an issue parsing my log that has backslashes "\" in it. The rules I am writing are getting stuck and telling me the unparsed portion starts with the "\". Also, the original log has 1 "\" but the returned parsed data shows two "\" as such "\ \".

Also, I am trying to work with the string-to parameter and am having trouble. I was hoping you could show me a quick and easy example of a log and rule to help me comprehend it.

Best regards-

Sam Castellano
Security Analyst
Quadrant Information Security
O: (904)296-9100 x100
T: (800) 538-9357 x100
E: soc at quadrantsec.com
Learn more about our managed SIEM [ https://quadrantsec.com/SaganMSSP | people + product ]