
IPSec Regex Pattern

With this RegEx pattern you can collect IPSec events and parse them into named groups.
The pattern covers IPSec Security Event IDs 541, 542, 545 and 547
and extracts the following data from them into match groups:
  • IKE security association
  • IKE Mode (Quick Mode / Main Mode)
  • Kerberos based Identity / Certificate based / Pre-Shared Key
  • Source IP Address
  • Source IP Address Mask
  • Destination IP Address
  • Destination IP Address Mask
  • Protocol
  • Source Port
  • Destination Port
  • ESP Algorithm Parameter
  • HMAC Algorithm Parameter
  • AH Algorithm Parameter
  • InboundSpi
  • OutboundSpi
  • IKE Local Addr
  • IKE Peer Addr
  • Failure Point (Only in 547 Events)
  • Failure Reason (Only in 547 Events)

IKE security association[ -:](?<IKEAssoc>.*)|
\sMode[ -:].*\r\n(?<IKEMode>.*)|
Kerberos based Identity[ -:](?<KerbID>.*)|
Peer SHA Thumbprint[ -:](?<CertID>.*)|
Preshared[ -:](?<PreSharedID>.*)|
Source IP Address[ -:](?<SourceIP>.*)
Source IP Address Mask[ -:](?<SourceIPMask>.*)
Destination IP Address[ -:](?<DestIP>.*)
Destination IP Address Mask[ -:](?<DestIPMask>.*)
Protocol[ -:](?<Proto>.*)
Source Port[ -:](?<SourcePort>.*)
Destination Port[ -:](?<DestPort>.*)|
ESP Algorithm[ -:](?<ESPAlg>.*)
HMAC Algorithm[ -:](?<HMACAlg>.*)
AH Algorithm[ -:](?<AHAlg>.*)|
InboundSpi[ -:](?<InSPI>.*)
OutboundSpi[ -:](?<OutSPI>.*)|
IKE Local Addr[ -:](?<LocalAddr>.*)
IKE Peer Addr[ -:](?<PeerAddr>.*)
|
\s*Failure Point[ -:].*\r\n(?<FailurePoint>.*)
\s*Failure Reason[ -:].*\r\n(?<FailureReason>.*)
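As an added example (not code from the page's author), the pattern above applied in Python to a constructed event 541 body. Two assumptions are made: the pattern's own line breaks stand for the CRLF line endings of Windows event text, and the .NET-style (?<name>...) groups are rewritten as (?P<name>...), which is the spelling Python's re module accepts.

```python
import re

# The page's pattern, verbatim: "|" at a line end (or alone) separates alternatives,
# and a line break inside an alternative stands for a CRLF line break in the event body.
_PAGE_PATTERN = r"""
IKE security association[ -:](?<IKEAssoc>.*)|
\sMode[ -:].*\r\n(?<IKEMode>.*)|
Kerberos based Identity[ -:](?<KerbID>.*)|
Peer SHA Thumbprint[ -:](?<CertID>.*)|
Preshared[ -:](?<PreSharedID>.*)|
Source IP Address[ -:](?<SourceIP>.*)
Source IP Address Mask[ -:](?<SourceIPMask>.*)
Destination IP Address[ -:](?<DestIP>.*)
Destination IP Address Mask[ -:](?<DestIPMask>.*)
Protocol[ -:](?<Proto>.*)
Source Port[ -:](?<SourcePort>.*)
Destination Port[ -:](?<DestPort>.*)|
ESP Algorithm[ -:](?<ESPAlg>.*)
HMAC Algorithm[ -:](?<HMACAlg>.*)
AH Algorithm[ -:](?<AHAlg>.*)|
InboundSpi[ -:](?<InSPI>.*)
OutboundSpi[ -:](?<OutSPI>.*)|
IKE Local Addr[ -:](?<LocalAddr>.*)
IKE Peer Addr[ -:](?<PeerAddr>.*)
|
\s*Failure Point[ -:].*\r\n(?<FailurePoint>.*)
\s*Failure Reason[ -:].*\r\n(?<FailureReason>.*)
""".strip()
# Fold into one regex: the CRLF escape for the pattern's own line breaks, and Python's
# (?P<name>...) spelling for the .NET-style (?<name>...) groups (re rejects the latter).
_ONE_LINE = _PAGE_PATTERN.replace("|\n", "|").replace("\n|", "|").replace("\n", r"\r\n")
IPSEC_RE = re.compile(re.sub(r"\(\?<(?=\w)", "(?P<", _ONE_LINE))

def parse_ipsec_event(body: str) -> dict:
    """Merge the named groups of all matches; strip() drops the CR that a trailing '.*' swallows."""
    fields = {}
    for m in IPSEC_RE.finditer(body):
        for name, value in m.groupdict().items():
            if value is not None and name not in fields:
                fields[name] = value.strip()
    return fields

# Constructed sample body laid out like a Windows Server 2003 event 541 (not a real capture).
EVENT_541 = (
    "IKE security association established.\r\n Mode: \r\nData Protection Mode (Quick Mode)\r\n"
    " Peer Identity: \r\nKerberos based Identity: host/srv1.example.test@EXAMPLE.TEST\r\n"
    " Filter: \r\nSource IP Address 10.0.0.1\r\nSource IP Address Mask 255.255.255.255\r\n"
    "Destination IP Address 10.0.0.2\r\nDestination IP Address Mask 255.255.255.255\r\n"
    "Protocol 0\r\nSource Port 0\r\nDestination Port 0\r\nIKE Local Addr 10.0.0.1\r\n"
    "IKE Peer Addr 10.0.0.2\r\nESP Algorithm Triple DES CBC\r\nHMAC Algorithm SHA\r\n"
    "AH Algorithm None\r\nInboundSpi 1234567890 (0x499602d2)\r\nOutboundSpi 987654321 (0x3ade68b1)"
)
```

Because the pattern is one big alternation, each match fills only the groups of one alternative, so the groups of all matches over the event body have to be merged to get the full record. Note that `[ -:]` is a character range from space to colon (it also admits digits and some punctuation), which is harmless here since every label is followed by a single space or colon.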