You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@metron.apache.org by "Bas van de Lustgraaf (JIRA)" <ji...@apache.org> on 2017/07/26 10:52:02 UTC
[jira] [Created] (METRON-1065) Grok pattern for Cisco ASA Parser
expects syslog_pri
Bas van de Lustgraaf created METRON-1065:
--------------------------------------------
Summary: Grok pattern for Cisco ASA Parser expects syslog_pri
Key: METRON-1065
URL: https://issues.apache.org/jira/browse/METRON-1065
Project: Metron
Issue Type: Improvement
Affects Versions: 0.4.1
Reporter: Bas van de Lustgraaf
Priority: Minor
The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog priority present at the start of each message. Unfortunately, this is not always the case.
*Currently supported:*
{noformat}
<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
{noformat}
*Not supported by the current Grok pattern:*
{noformat}
Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
{noformat}
My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the following part optional: <%{POSINT:syslog_pri}>
And grep the severity from the `%ASA-4-106023` part. The part between the hyphens, is the severity (source http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)