Posted to issues@metron.apache.org by "Bas van de Lustgraaf (JIRA)" <ji...@apache.org> on 2017/07/26 10:52:02 UTC

[jira] [Created] (METRON-1065) Grok pattern for Cisco ASA Parser expects syslog_pri

Bas van de Lustgraaf created METRON-1065:
--------------------------------------------

             Summary: Grok pattern for Cisco ASA Parser expects syslog_pri
                 Key: METRON-1065
                 URL: https://issues.apache.org/jira/browse/METRON-1065
             Project: Metron
          Issue Type: Improvement
    Affects Versions: 0.4.1
            Reporter: Bas van de Lustgraaf
            Priority: Minor


The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog priority present at the start of each message. Unfortunately, this is not always the case.

*Currently supported:*
{noformat}
<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
{noformat}

*Not supported by the current Grok pattern:*
{noformat}
Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
{noformat}

My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the following part optional: `<%{POSINT:syslog_pri}>`

And grep the severity from the `%ASA-4-106023` part. The part between the hyphens is the severity (source http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).
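As an added illustration of the proposed change (this is not Metron's grok pattern or project code), the Python regex below mirrors `CISCO_TAGGED_SYSLOG` with the `<pri>` prefix made optional and takes the severity from the digit between the hyphens of the `%ASA-n-nnnnnn` tag; the field names `syslog_pri`, `severity`, `message_id` and the sample lines are assumptions constructed from the two messages in this issue.

```python
import re

# Regex equivalent of a CISCO_TAGGED_SYSLOG-style pattern where the
# "<pri>" prefix is optional (assumed layout, not Metron's actual pattern).
ASA_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d+)>)?"                      # optional syslog priority
    r"(?P<timestamp>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<severity>\d)-(?P<message_id>\d{6}): "    # severity sits between the hyphens
    r"(?P<message>.*)$"
)

# Constructed sample input: the two forms quoted in the issue.
WITH_PRI = ("<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP "
            "from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside")
WITHOUT_PRI = WITH_PRI[len("<162>"):]


def parse_asa(line):
    """Parse one ASA syslog line; return a dict of fields or None if it does not match."""
    m = ASA_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])          # always available from the %ASA tag
    if rec["syslog_pri"] is not None:
        pri = int(rec["syslog_pri"])
        rec["syslog_facility"] = pri // 8           # RFC 3164: pri = facility*8 + severity
        rec["syslog_severity"] = pri % 8
        # When the header is present, its severity should agree with the ASA tag;
        # a mismatch is worth surfacing rather than silently trusting either one.
        rec["severity_mismatch"] = rec["syslog_severity"] != rec["severity"]
    return rec


if __name__ == "__main__":
    for sample in (WITH_PRI, WITHOUT_PRI):
        print(parse_asa(sample))
```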



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)