Log source extensions
An extension document can extend or modify how the elements of a particular log source are parsed. You can use the extension document to correct a parsing issue or override the default parsing for an event from an existing DSM.
An extension document can also provide event support when a DSM does not exist to parse events for an appliance or security device in your network.
An extension document is an Extensible Markup Language (XML) formatted document that you can create or edit one by using any common text, code or markup editor. You can create multiple extension documents but a log source can have only one applied to it.
The XML format requires that all regular expression (regex) patterns be contained in character data (CDATA) sections to prevent the special characters that are required by regular expressions from interfering with the markup format. For example, the following code shows the regex for finding protocols:
<pattern id="ProtocolPattern" case-insensitive="true" xmlns=""> <![CDATA[(TCP|UDP|ICMP|GRE)]]></pattern>
(TCP|UDP|ICMP|GRE)
is the regular expression pattern.
The log sources extension configuration consists of the following sections:
- Pattern
- Regular expressions patterns that you associate with a particular field name. Patterns are referenced multiple times within the log source extension file.
- Match groups
- An entity within a match group that is parsed, for example, EventName, and is paired with the appropriate pattern and group for parsing. Any number of match groups can appear in the extension document.