Posted to issues@metron.apache.org by "James Sirota (JIRA)" <ji...@apache.org> on 2016/06/02 05:31:59 UTC

[jira] [Updated] (METRON-176) Create Cisco-ACS parser

     [ https://issues.apache.org/jira/browse/METRON-176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-176:
--------------------------------
    Labels: ParserExtension  (was: )

> Create Cisco-ACS parser
> -----------------------
>
>                 Key: METRON-176
>                 URL: https://issues.apache.org/jira/browse/METRON-176
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Deeptaanshu Kumar
>              Labels: ParserExtension
>
> I will be creating a parser to handle Cisco-ACS logs.
> Here is a sample log:
> <181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: Command Authorization succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, Device IP Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unrestricted, RequestLatency=5, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=hpna, Port=tty2, Remote-Address=10.0.0.0, Authen-Method=None, Service-Argument=shell, AcsSessionID=MDCNMSACS002/242802909/91519025, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS, SelectedCommandSet=Unrestricted, IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22037 , Step=15044 ,
> Here is what the data will look like after parsing:
> sourcetype: cisco_acs
> priority: 181
> timestamp: May 19th 2016 03:12:07 UTC
> hostname: MDCNMSACS002
> category: Passed_Authentications
> message_id: 0093197809
> total_segments: 2
> segment_number: 0
> event_timestamp: May 19th, 2016 03:12:07 UTC
> sequence_number: 1214019921
> message_code: 5202
> severity: NOTICE
> message_class: Device-Administration
> message_text: Command Authorization succeeded
> ACSversion: acs-5.8.0.32-B.442.x86_64
> ConfigVersionId: 2097
> device_ip_address: 10.0.0.0
> ip_dst_addr: 10.0.0.0
> ip_dst_port: 49
> username: hpng
> CmdSet: [ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ]
> ACS_Protocol: Tacacs
> MatchedCommandSet: Unrestricted
> RequestLatency: 5
> Type: Authorization
> Privilege-Level: 15
> Authen-Type: ASCII
> Service: None
> ACS_User: hpng
> ACS_Port: tty2
> Remote-Address: 10.0.0.0
> Authen-Method: None
> Service-Argument: shell
> AcsSessionID: MDCNMSACS002/242802909/91519025
> AuthenticationIdentityStore: Internal Users
> AuthenticationMethod: Lookup
> SelectedAccessService: TACACS
> SelectedCommandSet: Unrestricted
> IdentityGroup: IdentityGroup:AllGroups:HPNA-Device-Interaction
> Steps: 13005, 15008, 15004, 15012, 15041, 15006, 15013, 24210, 24212, 22037, 15044



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
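One way to turn the quoted CSCOacs line into the field set listed in the issue, as an added Python example (not the Java parser this ticket is about, and not Metron project code); the sample line is constructed by trimming the quoted log, and the field renames and the UTC conversion follow the expected output shown in the issue:

```python
import re
from datetime import datetime, timezone
# Constructed sample, trimmed from the log quoted in the issue (same hostname and placeholder IPs)
SAMPLE = ("<181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 "
          "2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: "
          "Command Authorization succeeded, DestinationIPAddress=10.0.0.0, DestinationPort=49, "
          "UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, "
          "Step=13005 , Step=15008 , Step=15004 ,")
# Fixed-position header of every CSCOacs_* syslog message, followed by the free-form key=value body
HEADER = re.compile(
    r"^<(?P<priority>\d+)>(?P<syslog_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"CSCOacs_(?P<category>\S+) (?P<message_id>\d+) (?P<total_segments>\d+) (?P<segment_number>\d+) "
    r"(?P<event_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) (?P<sequence_number>\d+) "
    r"(?P<message_code>\d+) (?P<severity>\w+) (?P<message_class>[^:]+): (?P<body>.*)$")
# ACS field names renamed to the Metron-style names listed in the issue
RENAME = {"DestinationIPAddress": "ip_dst_addr", "DestinationPort": "ip_dst_port",
          "UserName": "username", "Protocol": "ACS_Protocol", "User": "ACS_User", "Port": "ACS_Port"}

def split_body(body):
    """Split 'k=v, k=v' on commas outside [...] so a CmdSet containing commas stays whole."""
    parts, cur, depth = [], [], 0
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_acs(line):
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not a CSCOacs syslog line")
    out = {"sourcetype": "cisco_acs", "steps": []}
    out.update({k: v for k, v in m.groupdict().items() if k not in ("body", "event_ts")})
    for k in ("priority", "total_segments", "segment_number", "sequence_number", "message_code"):
        out[k] = int(out[k])
    # Device time carries its own UTC offset; normalise to UTC as the issue's expected output does
    event = datetime.strptime(m["event_ts"], "%Y-%m-%d %H:%M:%S.%f %z")
    out["event_timestamp"] = event.astimezone(timezone.utc).isoformat()
    for item in split_body(m["body"]):
        key, sep, value = item.partition("=")
        if not sep:                      # the one bare item is the human-readable message text
            out["message_text"] = key
        elif key == "Step":              # repeated 'Step=NNNN ,' entries collapse into one list
            out["steps"].append(value.strip())
        else:
            out[RENAME.get(key, key)] = value.strip()
    return out
```

Note that the sample is segment 0 of 2 (total_segments=2), so the trailing Step list and any fields after it continue in a second syslog message with the same message_id; a production parser should stitch segments by message_id before alerting on fields that may be incomplete.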