I am reading logs from a log file that records multiline-type entries. While reading, QRadar is assembling two records and taking them as one log.
I have described the start and end pattern of the log line while adding the log source to QRadar as:
Start Pattern RegEx: ^(\d{7})\,
End Pattern RegEx: (\d{2}:\d{2}:\d{2})$
I should be reading the logs like:
1158896,someuser,Inner User,Minor,10.6.130.11,2019-09-29 03:01:15,Security Management,Log in to the server,Network Management,Succeeded,User name: someuser,2019-09-29 03:01:15
1158897,someuser,Inner User,Minor,10.6.130.11,2019-09-29 03:03:16,Security Management,Log out the server,Network Management,Succeeded,"User name: someuserOnline duration: 0 day(s) 0 hour(s) 2 minute(s) 1 second(s)",2019-09-29 03:03:16
But I receive some of them assembled, like:
1158896,someuser,Inner User,Minor,10.6.130.11,2019-09-29 03:01:15,Security Management,Log in to the server,Network Management,Succeeded,User name: someuser,2019-09-29 03:01:151158897,someuser,Inner User,Minor,10.6.130.11,2019-09-29 03:03:16,Security Management,Log out the server,Network Management,Succeeded,"User name: someuserOnline duration: 0 day(s) 0 hour(s) 2 minute(s) 1 second(s)",2019-09-29 03:03:16
Here are the regex101.com records of my start and end RegEx patterns:
https://regex101.com/r/2IfMR7/3
https://regex101.com/r/2IfMR7/4
As you can see, it works normally on regex101.com. Why is QRadar reading them as one?
You (or QRadar) might be using a greedy quantifier coupled with a multiline capture character.
If you're doing something like this: ^(\d{7})\,(?:\n|.)*(\d{2}:\d{2}:\d{2})$ where the central group is (?:\n|.)* or any similar phrase matching across multiple lines, the greedy operator * means it'll try to match from the very first 7 digits to the very last timestamp on the entire log page, ignoring your start and end anchors. Try using *? instead; the ? makes it non-greedy, so it'll stop at the first timestamp.
Compare: greedy vs non-greedy.
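The greedy-versus-non-greedy difference the answer describes, shown on a constructed two-record sample (added example code, not from the original post or from QRadar). The second record is given a line break inside its quoted field, an assumption about the real log, so that the middle of the combined pattern actually has to span lines; the start and end patterns are the ones from the question, and assemble_records is a simple stateful start/end reader written here to show the split the poster expected, not QRadar's implementation.

```python
import re

# Constructed sample input (not the original post's log file): two records
# modelled on the question's lines. The second record spans two physical
# lines because its quoted field is assumed to contain a newline.
SAMPLE_LOG = (
    "1158896,someuser,Inner User,Minor,10.6.130.11,2019-09-29 03:01:15,"
    "Security Management,Log in to the server,Network Management,Succeeded,"
    "User name: someuser,2019-09-29 03:01:15\n"
    "1158897,someuser,Inner User,Minor,10.6.130.11,2019-09-29 03:03:16,"
    "Security Management,Log out the server,Network Management,Succeeded,"
    '"User name: someuser\nOnline duration: 0 day(s) 0 hour(s) 2 minute(s) 1 second(s)",'
    "2019-09-29 03:03:16\n"
)

# The question's start and end patterns, applied per physical line.
START_RE = re.compile(r"^(\d{7}),")
END_RE = re.compile(r"(\d{2}:\d{2}:\d{2})$")

# One combined pattern of the shape the answer describes, greedy and lazy.
# (?:\n|.) lets the middle span line breaks; re.MULTILINE makes ^ and $
# match at line boundaries, as in regex101's default multiline mode.
GREEDY_RE = re.compile(r"^(\d{7}),(?:\n|.)*(\d{2}:\d{2}:\d{2})$", re.MULTILINE)
LAZY_RE = re.compile(r"^(\d{7}),(?:\n|.)*?(\d{2}:\d{2}:\d{2})$", re.MULTILINE)


def split_with_combined_regex(text, pattern):
    """Return every record a single combined start...end regex finds in text."""
    return [m.group(0) for m in pattern.finditer(text)]


def assemble_records(text):
    """Stateful start/end reader: open a record on a line matching START_RE,
    keep appending physical lines until one matches END_RE, then emit it."""
    records = []
    current = []
    for line in text.splitlines():
        if START_RE.match(line) and current:
            # A new start while a record is still open: the previous record
            # never saw its end pattern, so flush it instead of merging.
            records.append("\n".join(current))
            current = []
        if START_RE.match(line) or current:
            current.append(line)
            if END_RE.search(line):
                records.append("\n".join(current))
                current = []
    if current:
        records.append("\n".join(current))
    return records


if __name__ == "__main__":
    greedy = split_with_combined_regex(SAMPLE_LOG, GREEDY_RE)
    lazy = split_with_combined_regex(SAMPLE_LOG, LAZY_RE)
    assembled = assemble_records(SAMPLE_LOG)
    # Greedy swallows both records into one match; lazy and the stateful
    # start/end reader both yield two records.
    print(f"greedy combined regex : {len(greedy)} record(s)")
    print(f"lazy combined regex   : {len(lazy)} record(s)")
    print(f"start/end reader      : {len(assembled)} record(s)")
    for rec in assembled:
        print("---", rec.splitlines()[0][:40], "...", rec[-8:])
```

The greedy form backtracks from the end of the whole input to the last timestamp that sits at a line end, so the single match covers both records, which is exactly the "assembled" output in the question. The lazy form stops at the first timestamp that is followed by a line end, so the timestamp in the middle of each record (followed by a comma) is skipped and each record ends at its own trailing timestamp.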