Well, I am rather new here, so I am still trying to figure things out.
I am trying to parse, for example, SRC and DST from this message below.
But only the second SRC, if it is there. Sometimes the block at the end is missing, so then I want to parse the first SRC in the message.
Is that possible?
2019-02-04T21:06:27+01:00 hostname kernel: [LAN_IN]IN=eth1.30 OUT=eth1 MAC=xxxxx SRC=192.168.30.12 DST=192.168.1.30 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=22245 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.30 DST=192.168.30.12 LEN=425 TOS=0x18 PREC=0xA0 TTL=63 ID=30462 DF PROTO=UDP SPT=55777 DPT=63500 LEN=405 ]
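One way to do what the post asks, as an added example and not code from the original post or any particular log platform. The line is a netfilter/iptables kernel log record; for ICMP error messages such as the type 3 / code 3 (port unreachable) shown, the kernel appends a second bracketed block holding the header of the original packet that triggered the error, so that inner SRC/DST is the flow a practitioner normally cares about (note that it runs in the opposite direction to the outer SRC/DST). The parser below prefers the inner block when present and falls back to the outer fields otherwise; it keys the inner block on the literal "[SRC=" so the "[LAN_IN]" prefix is not mistaken for it. The sample lines, including the second one without an inner block, are constructed for this example; the function and variable names are my own choice.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample lines for this example (modelled on the post's message).
WITH_INNER = (
    "2019-02-04T21:06:27+01:00 hostname kernel: [LAN_IN]IN=eth1.30 OUT=eth1 MAC=xxxxx "
    "SRC=192.168.30.12 DST=192.168.1.30 LEN=56 TOS=0x00 PREC=0x00 TTL=63 ID=22245 "
    "PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.30 DST=192.168.30.12 LEN=425 TOS=0x18 "
    "PREC=0xA0 TTL=63 ID=30462 DF PROTO=UDP SPT=55777 DPT=63500 LEN=405 ]"
)
WITHOUT_INNER = (
    "2019-02-04T21:06:27+01:00 hostname kernel: [LAN_IN]IN=eth1.30 OUT=eth1 MAC=xxxxx "
    "SRC=192.168.30.12 DST=192.168.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# KEY=VALUE pairs; keys are upper-case/digits only, so "[LAN_IN]" and the
# timestamp never match. Bare flags such as DF or SYN carry no "=" and are
# simply skipped.
KV_RE = re.compile(r"(?P<key>[A-Z0-9]+)=(?P<value>\S*)")
# The embedded original-packet header that the kernel appends to ICMP errors.
# Anchoring on "[SRC=" avoids matching the "[LAN_IN]" log prefix.
INNER_RE = re.compile(r"\[(?P<inner>SRC=[^\]]*)\]")


def parse_kv(text: str) -> Dict[str, str]:
    """Return KEY=VALUE pairs from text; a repeated key (e.g. LEN) keeps the last value."""
    return {m.group("key"): m.group("value") for m in KV_RE.finditer(text)}


def valid_ip(value: Optional[str]) -> Optional[str]:
    """Return value only if it parses as an IP address, else None (guards against junk)."""
    if value is None:
        return None
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return None
    return value


def parse_netfilter_line(line: str) -> Dict[str, object]:
    """Split a netfilter log line into outer and inner (ICMP-embedded) fields.

    src/dst come from the inner block when it exists, otherwise from the
    outer header, which is exactly the selection rule asked for in the post.
    """
    m = INNER_RE.search(line)
    outer = parse_kv(line[: m.start()] if m else line)
    inner = parse_kv(m.group("inner")) if m else {}
    chosen = inner if "SRC" in inner else outer
    return {
        "src": valid_ip(chosen.get("SRC")),
        "dst": valid_ip(chosen.get("DST")),
        "from_inner": "SRC" in inner,  # True when the ICMP-embedded header was used
        "outer": outer,
        "inner": inner,
    }


if __name__ == "__main__":
    for sample in (WITH_INNER, WITHOUT_INNER):
        rec = parse_netfilter_line(sample)
        print(rec["src"], "->", rec["dst"], "(inner)" if rec["from_inner"] else "(outer)")
```

The same two regexes translate directly into a Grok pattern or an extractor in whichever log pipeline is in use; the important part is that the inner match is anchored on "[SRC=" rather than on any bracket, and that the fallback to the outer SRC/DST only happens when no inner block was found.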