Hello everyone,
I am currently in the process of normalizing and parsing logs from the vendor Trend Micro Email Security.
Maybe this is obvious to you, but since I am not an expert I should mention that I am working on the .conf file to get this parsing to work, and I have had problems completing the process.
As you can see, not all the fields have the field=value structure, although that part has not been a problem. The problem I have is that the msg and reason fields contain blank spaces, and if I use the kv filter, the result only takes the value up to the first space it finds, and obviously I need the complete value.
I have tried several methods, but it has not been possible to parse these fields. I would appreciate your help or suggestions.
For example, the msg field only takes "hello" and I need the complete value "".
Log sample:

```
CEF:0|Trend Micro|TMES|1.0.0.0|500101|CTP_DETECTION|2|rt=2021-02-18 04:05:32 cs2Label=timeOfClick cs2=2021-02-03 23:00:00 request=http://example.com act=blocked msg=hello this is a mail test cs1Label=messageId cs1=<202102181642138223747@trend.com> suser=user1@example1.com duser=user2@example2.com
```
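The usual way around the "value stops at the first space" problem is to split the CEF extension only on whitespace that is immediately followed by another key and `=`, rather than on every space. The parser below is an added Python example (not code from the question, from Trend Micro, or from the kv filter) that does exactly that on the sample line above, re-joined onto one line because a CEF event is a single line. It also splits the pipe-delimited header, honours the CEF escapes `\|` and `\=`, and resolves the `cs1Label`/`cs1` pairs into a field named after the label. The output field names (`cef_version`, `signature_id`, and so on) are my own choice. The same lookahead regex is what you would hand to the kv filter's `field_split_pattern` option instead of the default single-space `field_split` (check that option name against the kv filter version you have installed).

```python
import re

# Constructed sample: the event from the question above, re-joined onto a
# single line (a CEF event is one line; the breaks in the post are wrapping).
SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|500101|CTP_DETECTION|2|"
    "rt=2021-02-18 04:05:32 cs2Label=timeOfClick cs2=2021-02-03 23:00:00 "
    "request=http://example.com act=blocked msg=hello this is a mail test "
    "cs1Label=messageId cs1=<202102181642138223747@trend.com> "
    "suser=user1@example1.com duser=user2@example2.com"
)

# Names for the seven header fields that precede the key=value extension
# (my own naming, not a Trend Micro or Logstash convention).
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")

# Header separator: a '|' that is not escaped as '\|'.
_HEADER_SEP = re.compile(r"(?<!\\)\|")

# Extension key boundary: whitespace immediately followed by a key and '='.
# Splitting only here keeps "msg=hello this is a mail test" whole, whereas a
# plain split on spaces stops after "hello".
_KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def _unescape_header(value: str) -> str:
    # CEF header escapes: '\|' -> '|' and '\\' -> '\'
    return re.sub(r"\\([\\|])", r"\1", value)


def _unescape_extension(value: str) -> str:
    # CEF extension escapes: '\=' -> '=', '\\' -> '\', '\n', '\r'
    table = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    return re.sub(r"\\([\\=nr])", lambda m: table[m.group(1)], value)


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict of header and extension fields.

    Custom-field pairs such as cs1Label=messageId / cs1=<id> are additionally
    exposed under the label name (event["messageId"]), so downstream mappings
    do not need to know which csN slot the vendor chose.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # maxsplit=7 keeps any unescaped '|' inside the extension (e.g. in a URL)
    # from being mistaken for a header separator.
    parts = _HEADER_SEP.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header (expected 7 '|' separators)")

    event = {name: _unescape_header(raw)
             for name, raw in zip(HEADER_FIELDS, parts[:7])}
    event["cef_version"] = event["cef_version"][len("CEF:"):]

    extension = {}
    for token in _KEY_BOUNDARY.split(parts[7].strip()):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            # No '=' at all: keep it visible instead of silently dropping it.
            extension.setdefault("_unparsed", []).append(token)
            continue
        extension[key] = _unescape_extension(value)

    # Resolve csNLabel / cnNLabel pairs into named fields without clobbering
    # a field that already exists under that name.
    for key, label in list(extension.items()):
        if key.endswith("Label"):
            base = key[:-len("Label")]
            if base in extension:
                extension.setdefault(label, extension[base])

    event.update(extension)
    return event


if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE).items():
        print(f"{k} = {v!r}")
```

One caveat: the lookahead relies on producers escaping a literal `=` inside a value as `\=`, as the CEF spec requires. An unescaped `word=` inside `msg` would still be taken as the start of a new key, so if Trend Micro ever emits that, `msg` would be cut at that point rather than at the first space.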