Posted to issues@metron.apache.org by "Morgan Emery (JIRA)" <ji...@apache.org> on 2016/05/17 17:40:13 UTC

[jira] [Created] (METRON-166) Create Big IP Parser

Morgan Emery created METRON-166:
-----------------------------------

             Summary: Create Big IP Parser
                 Key: METRON-166
                 URL: https://issues.apache.org/jira/browse/METRON-166
             Project: Metron
          Issue Type: New Feature
            Reporter: Morgan Emery
            Priority: Minor


Create a parser for Big IP VPN logs. There are multiple log types; below are some samples with their expected parsed outputs.

<141>Apr 19 19:24:29 mfugjchwna38k notice mdd4[6456]: 90329500:5: 37451372: New session from client IP 10.000.11.000 (ST=/CC=/C=) at VIP 123.45.678.90 Listener /Common/access.google.com_443 (Reputation=Unknown) 
{
	"priority": 141,
	"timestamp": 1461093869000,
	"hostname": "mfugjchwna38k",
	"severity": "notice",
	"process": "mdd4",
	"process_id": 6456,
	"ip_src_addr": "10.000.11.000",
	"ip_vip": "123.45.678.90",
	"big_ip_log_code": 90329500,
	"big_ip_message_type": "session",
	"vpn_session_id": 37451372,
	"source.type": "bigip",
	"original_string": "<141>Apr 19 19:24:29 mfugjchwna38k notice mdd4[6456]: 90329500:5: 37451372: New session from client IP 10.000.11.000 (ST=/CC=/C=) at VIP 123.45.678.90 Listener /Common/access.google.com_443 (Reputation=Unknown)"
}

<141>Mar 31 13:46:35 mfugjchwna38k notice apd[6848]: 90329113:5: 1d0bf7c7: session.logon.euid is ABC906 
{
	"priority": 141,
	"timestamp": "1459431995000",
	"hostname": "mfugjchwna38k",
	"severity": "notice",
	"process": "apd",
	"process_id": 6848,
	"big_ip_log_code": 90329113,
	"big_ip_message_type": "login",
	"vpn_session_id": "1d0bf7c7",
	"user_id": "ABC906",
	"source.type": "bigip",
	"original_string": "<141>Mar 31 13:46:35 mfugjchwna38k notice apd[6848]: 90329113:5: 1d0bf7c7: session.logon.euid is IKU906"
}

<141>Mar 31 13:59:37 mfugjchwna38k notice mdd[6456]: 90329521:5: 690fe490: Session statistics - bytes in: 3032, bytes out: 469 
{
	"priority": 141,
	"timestamp": 1459432777000,
	"hostname": "mfugjchwna38k",
	"severity": "notice",
	"process": "mdd",
	"process_id": 6456,
	"big_ip_log_code": 90329521,
	"vpn_session_id": "690fe490",
	"big_ip_message_type": "statistics",
	"bytesIn": 3032,
	"bytesOut": 469,
	"source.type": "bigip",
	"original_string": "<141>Mar 31 13:59:37 mfugjchwna38k notice mdd[6456]: 90329521:5: 690fe490: Session statistics - bytes in: 3032, bytes out: 469"
}

<141>Mar 31 13:59:32 vdcbigaion02p notice apd[26861]: 90329102:5: 01030c62: Access policy result: Network_Access 
{
	"priority": 141,
	"timestamp": 1459447172,
	"hostname": "vdcbigaion02p",
	"severity": "notice",
	"process": "apd",
	"process_id": 26861,
	"big_ip_log_code": 90329102,
	"vpn_session_id": "01030c62",
	"big_ip_message_type": "access policy result",
	"access_policy_result": "Network_Access",
	"source.type": "bigip",
	"original_string": "<141>Mar 31 13:59:32 vdcbigaion02p notice apd[26861]: 90329102:5: 01030c62: Access policy result: Network_Access"
}

<141>Mar 31 13:59:31 mfugjchwna38k notice apd[6848]: 90329115:5: 090faa3e: Following rule 'fallback' from item 'clog1220' to terminalout 'Out'  
{
	"priority": 141,
	"timestamp": 1459447171000,
	"hostname": "mfugjchwna38k",
	"severity": "notice",
	"process": "apd",
	"process_id": 6848,
	"big_ip_log_code": 90329115,
	"big_ip_message_type": "session",
	"vpn_session_id": "090faa3e",
	"message": "Following rule 'fallback' from item 'clog1220' to terminalout 'Out'",
	"source.type": "bigip",
	"original_string": "<141>Mar 31 13:59:31 mfugjchwna38k notice apd[6848]: 90329115:5: 090faa3e: Following rule 'fallback' from item 'clog1220' to terminalout 'Out'"
}

<182>Mar 31 13:59:34 vdcbigaion01p info logger: [ssl_acc] 10.24.248.20 - admin [31/Mar/2016:13:59:34 +0000] "/iControl/iControlPortal.cgi" 200 670 
{
	"priority": 182,
	"timestamp": 1459432774000,
	"hostname": "vdcbigaion01p",
	"severity": "info",
	"big_ip_message_type": "system",
	"message": "logger: [ssl_acc] 10.24.248.20 - admin [31/Mar/2016:13:59:34 +0000] \"/iControl/iControlPortal.cgi\" 200 670",
	"source.type": "bigip",
	"original_string": "<182>Mar 31 13:59:34 vdcbigaion01p info logger: [ssl_acc] 10.24.248.20 - admin [31/Mar/2016:13:59:34 +0000] \"/iControl/iControlPortal.cgi\" 200 670"
}



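The field mapping shown in the samples above, as an added Python example (it is not Metron's parser code and not part of the ticket). It assumes the caller supplies the year, which the log lines omit, that timestamps are UTC, and that `vpn_session_id` is always kept as a string; `parse_bigip`, `HEADER`, `APM`, `RULES` and `SAMPLES` are hypothetical names.

```python
import calendar
import re
import time

# Syslog header shared by every sample: <pri>Mon DD HH:MM:SS host severity rest
HEADER = re.compile(r"<(\d+)>(\w{3} +\d+ [\d:]{8}) (\S+) (\S+) (.*)")
# APM lines continue as: process[pid]: log_code:level: session_id: message
APM = re.compile(r"(\w+)\[(\d+)\]: (\d+):\d+: ([0-9a-f]+): (.*)")
# (regex, big_ip_message_type, output field names) for each message shape in the ticket
RULES = [
    (r"New session from client IP (\S+) .*at VIP (\S+)", "session", ("ip_src_addr", "ip_vip")),
    (r"session\.logon\.euid is (\S+)", "login", ("user_id",)),
    (r"Session statistics - bytes in: (\d+), bytes out: (\d+)", "statistics", ("bytesIn", "bytesOut")),
    (r"Access policy result: (\S+)", "access policy result", ("access_policy_result",)),
]

def parse_bigip(line, year=2016):
    """Parse one Big IP syslog line; `year` is an assumption because the log omits it."""
    line = line.strip()
    head = HEADER.match(line)
    if head is None:
        return None  # not a syslog line in the expected shape
    pri, stamp, host, severity, rest = head.groups()
    parsed = time.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    out = {"priority": int(pri), "timestamp": calendar.timegm(parsed) * 1000,  # assumes UTC
           "hostname": host, "severity": severity,
           "source.type": "bigip", "original_string": line}
    apm = APM.match(rest)
    if apm is None:  # no process[pid]/log code, e.g. the "logger: [ssl_acc] ..." sample
        out.update({"big_ip_message_type": "system", "message": rest})
        return out
    process, pid, code, session, msg = apm.groups()
    out.update({"process": process, "process_id": int(pid), "big_ip_log_code": int(code),
                "vpn_session_id": session})  # kept as a string: IDs look hexadecimal
    for pattern, msg_type, fields in RULES:
        found = re.match(pattern, msg)
        if found:
            out["big_ip_message_type"] = msg_type
            for name, value in zip(fields, found.groups()):
                out[name] = int(value) if name.startswith("bytes") else value
            return out
    out.update({"big_ip_message_type": "session", "message": msg})  # fallback in the samples
    return out

# Two of the sample lines from the ticket above
SAMPLES = [
    "<141>Apr 19 19:24:29 mfugjchwna38k notice mdd4[6456]: 90329500:5: 37451372: New session from client IP 10.000.11.000 (ST=/CC=/C=) at VIP 123.45.678.90 Listener /Common/access.google.com_443 (Reputation=Unknown) ",
    '<182>Mar 31 13:59:34 vdcbigaion01p info logger: [ssl_acc] 10.24.248.20 - admin [31/Mar/2016:13:59:34 +0000] "/iControl/iControlPortal.cgi" 200 670 ',
]
```
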