Pre-IETF Syslog log source question

Hello, our Web Application Firewall is sending events in pre-IETF syslog format. Here is an example:

Jul 7 13:53:41 type = waf,attack_type = Other Application Activity,HTTP Parser Attack,date_time = 2017-07-07 13:53:41,dest_ip = x.x.x.x,dest_port = 443,geo_location = CN,http_class_name = /Common/xxxxxxxx-abc.company.com,ip_client = x.x.x.x,method = GET,policy_apply_date = 2017-05-30 20:35:19,policy_name = abc.company.com,protocol = HTTPS,query_string = ,request_status = blocked,response_code = 0,severity = Error,src_port = 45298,support_id = 2625226797970795006,uri = /,username = N/A,violations = HTTP protocol compliance failed,Access from disallowed Geolocation,web_application_name = abc.company.com,x_forwarded_for_header_value = x.x.x.x, request = HOST: x.x.x.xrnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0rnAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rnAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3rnAccept-Encoding: deflaternX-Cnection: closernX-Forwarded-For: x.x.x.xrnVia: 1.1 dca1-bit2rnrn

Is there any way to parse this? Can I use type = waf as the log source identifier?

TIA
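One way to parse this shape of event, added here as an example and not code from the original post or from the WAF vendor: the line is a BSD-style syslog header (timestamp only, no hostname or tag) followed by a body of `key = value` pairs. Splitting the body on commas would break, because multi-valued fields such as `attack_type` and `violations` contain commas of their own, so the parser below instead locates every `key = ` token and takes the text between consecutive tokens as the value. The sample event, the field list `LIST_FIELDS`, and the function names are constructed for this example; the `type = waf` check answers the question about using that field as the log source identifier.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample in the shape of the event from the post (addresses and
# hostnames masked as the poster did; "rn" is the literal text left where the
# request's CRLF line breaks were).
SAMPLE = (
    "Jul 7 13:53:41 type = waf,attack_type = Other Application Activity,"
    "HTTP Parser Attack,date_time = 2017-07-07 13:53:41,dest_ip = x.x.x.x,"
    "dest_port = 443,geo_location = CN,ip_client = x.x.x.x,method = GET,"
    "protocol = HTTPS,query_string = ,request_status = blocked,"
    "response_code = 0,severity = Error,src_port = 45298,uri = /,"
    "username = N/A,violations = HTTP protocol compliance failed,"
    "Access from disallowed Geolocation,web_application_name = abc.company.com,"
    " request = HOST: x.x.x.xrnUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X "
    "10.11; rv:47.0) Gecko/20100101 Firefox/47.0rnAccept: text/html,"
    "application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rnAccept-Language: "
    "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3rnVia: 1.1 dca1-bit2rnrn"
)

# Pre-IETF (BSD) syslog header: "Mon dd hh:mm:ss", then the message. This WAF
# omits hostname and tag, so the message starts right after the timestamp.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$")

# A key is an identifier at the start of the message or right after a comma,
# followed by " = ". Commas inside values ("HTTP Parser Attack", header values
# in the request) are not followed by "identifier = " and so are not split.
KEY_RE = re.compile(r"(?:^|,)\s*([A-Za-z_][A-Za-z0-9_]*) = ")

# Fields the device emits as comma-separated lists (assumed from the sample).
LIST_FIELDS = {"attack_type", "violations"}

Fields = Dict[str, Union[str, List[str]]]


def parse_event(line: str) -> Tuple[str, Fields]:
    """Return (syslog timestamp, dict of fields) for one WAF event line."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BSD-style syslog line: %r" % line[:40])
    timestamp, body = m.group(1), m.group(2)

    key_matches = list(KEY_RE.finditer(body))
    fields: Fields = {}
    for i, km in enumerate(key_matches):
        # Value runs from the end of this "key = " token to the start of the
        # next token (which begins at its leading comma) or to end of message.
        start = km.end()
        end = key_matches[i + 1].start() if i + 1 < len(key_matches) else len(body)
        value = body[start:end]
        name = km.group(1)
        if name in LIST_FIELDS:
            fields[name] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            fields[name] = value
    return timestamp, fields


def is_waf_event(fields: Fields) -> bool:
    """Select events by the "type = waf" field, as the post proposes."""
    return fields.get("type") == "waf"


if __name__ == "__main__":
    ts, ev = parse_event(SAMPLE)
    print(ts, is_waf_event(ev))
    for k, v in ev.items():
        print("%-28s %r" % (k, v))
```

The weak point of this format is that nothing escapes the delimiters: a value that itself contains `,name = ` (a query string or request header chosen by the client could) would be split as if it were a new field, so treat the parsed `request` and `query_string` values as untrusted and keep the raw line alongside the parsed fields for investigation.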
