Hey folks, I looked through the KB and other sites but have not found anything that I can use yet. We have a SIEM product that can read in security logs from all of our products and bring them into a single console. The only one we are having problems with is the Cisco CSA log. The log file itself is a CSV, which is not a problem, but the data fields can be either null or double-quoted text. An example of the data we see could be something like this:
12345,Device A,Alert,1234,Attempted access,Low priority, 45, 001
12345,Device A,Alert,1234 ,No definition, check log file,Medium priority, 55, 002
12345,Device C,Info,,Admin login,System Information, external interface,,
Notice the trailing nulls and the commas in the text fields. Our SIEM is messing the fields up when it finds the commas in the text; otherwise it works fine. I can't find a regex to handle both null fields and commas in the text. I have tried something like
Which will handle the nulls, but not the commas in text. I have seen posts that will work with script engines, but this is a different type of interface. Each set of parens is a static field that maps to the SIEM in one way or another. Any help with this is very much appreciated.
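An added example, not part of the original post: one way to build a fixed-field pattern in which each capturing group is one column, a null column stays empty, and commas inside quoted text do not shift the columns. It assumes eight columns, that every non-null field is double-quoted as the post describes, and that quoted text contains no embedded double quotes; the sample rows are constructed from the post's rows with the quotes written out.

```python
import re

FIELD_COUNT = 8  # assumption: the eight columns seen in the post's sample rows

# One field is either nothing (null) or double-quoted text that may contain
# commas. The outer (?:...)? does not capture, so group N is always column N.
# Assumption: no escaped quotes ("") inside a field.
FIELD = r'(?:"([^"]*)")?'

# Anchored so a row with too many or too few columns fails to match
# instead of silently landing values in the wrong columns.
LINE_RE = re.compile("^" + ",".join([FIELD] * FIELD_COUNT) + "$")


def parse_line(line):
    """Return the columns as a list (None for a null), or None if malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return list(m.groups()) if m else None


# Constructed sample rows (the post's rows, with double quotes written out).
SAMPLE = [
    '"12345","Device A","Alert","1234","Attempted access","Low priority","45","001"',
    '"12345","Device A","Alert","1234","No definition, check log file",'
    '"Medium priority","55","002"',
    '"12345","Device C","Info",,"Admin login",'
    '"System Information, external interface",,',
]

if __name__ == "__main__":
    # The generated pattern can be pasted into any engine that supports
    # non-capturing groups.
    print(LINE_RE.pattern)
    for row in SAMPLE:
        naive = row.split(",")  # what a plain comma split produces
        print(len(naive), "naive columns ->", parse_line(row))
```

If the target engine lacks `(?:...)`, the same idea needs two capturing groups per column, and the mapping has to account for the extra groups.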