Following are some logs from ASA, I need to capture following group for IP address, seq number (3327 in this case) and user name (abcd_user.name).
I have tried following regex but the username is capturing with brackets.
https://regex101.com/r/NbyYyp/1
Feb 10 13:22:55 90.23.222.10 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.34.27.20/0 gaddr 10.23.24.2/33327 laddr 10.23.24.2/33327
Feb 10 13:22:51 90.27.29.8 : %ASA-6-302020: Built inbound ICMP connection for faddr 90.23.40.16/1(LOCAL\abcd_user.name) gaddr 172.20.220.27/0 laddr 172.20.20.7/0 (abcd_user.name)
Feb 10 13:22:55 90.22.22.15 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.34.27.2/0 gaddr 10.34.21.29/33327 laddr 10.34.21.29/33327
Your help is much appreciated.
You may use
302020: Built inbound.*faddr\s+([^\/]*)\/\d+(.*(gaddr\s+([^\/]+))\/(\d+) laddr([^\/]+)\/\d+)(?:\s*\(([^()]*)\))?
See the regex demo
The last (.*) capturing group just captured all text to the end of the line. I replaced it with (?:\s*\(([^()]*)\))?, an optional non-capturing group that matches 1 or 0 occurrences of
\s* - 0+ whitespaces\( - a ( char([^()]*) - Capturing group: any 0+ chars other than ( and )\) - a ) char.