Posted to issues@metron.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/04/10 13:57:00 UTC

[jira] [Commented] (METRON-1065) Grok pattern for Cisco ASA Parser expects syslog_pri

    [ https://issues.apache.org/jira/browse/METRON-1065?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16432296#comment-16432296 ] 

ASF GitHub Bot commented on METRON-1065:
----------------------------------------

Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/670
  
    What is the status of this?


> Grok pattern for Cisco ASA Parser expects syslog_pri
> ----------------------------------------------------
>
>                 Key: METRON-1065
>                 URL: https://issues.apache.org/jira/browse/METRON-1065
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: 0.4.1
>            Reporter: Bas van de Lustgraaf
>            Priority: Minor
>
> The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog priority present at the start of each message. Unfortunately, this is not always the case.
> *Currently supported:*
> {noformat}
> <162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
> {noformat}
> *Not supported by the current Grok pattern:*
> {noformat}
> Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
> {noformat}
> My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the following part optional: 
> {noformat}
> <%{POSINT:syslog_pri}>
> {noformat}
> And grep the severity from the `%ASA-4-106023` part. The part between the hyphens is the severity (source http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
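The issue description above proposes two things: make the `<%{POSINT:syslog_pri}>` prefix optional, and take the severity from the digit between the hyphens in the `%ASA-L-NNNNNN` tag. The following Python is an added example that is not part of the Metron code base or the pull request; it expresses the same idea as a regex with named groups standing in for the grok fields. The group names other than `syslog_pri` (`timestamp`, `severity`, `message_id`, `message`) and the two sample lines are taken or constructed from the issue text, and the timestamp layout is assumed to be the `Mon dd yyyy HH:MM:SS` form shown there. When the priority is present, the example also splits it into facility and severity and flags a disagreement with the tag severity, which is a useful sanity check when a device or relay rewrites the PRI.

```python
import re
from typing import Optional

# Regex equivalent of CISCO_TAGGED_SYSLOG with the PRI prefix made optional.
# Group names mirror the grok field names; names other than syslog_pri are
# constructed for this example.
CISCO_ASA_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"                  # optional <PRI>
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<severity>[0-7])-(?P<message_id>\d{6}): "  # severity is between the hyphens
    r"(?P<message>.*)$"
)

# Cisco ASA severity levels from the syslog guide cited in the issue.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}


def parse_cisco_asa(line: str) -> Optional[dict]:
    """Parse one ASA syslog line; return a field dict or None if it does not match."""
    m = CISCO_ASA_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity"]]
    if fields["syslog_pri"] is not None:
        # RFC 3164 PRI = facility * 8 + severity
        pri = int(fields["syslog_pri"])
        fields["syslog_pri"] = pri
        fields["syslog_facility"] = pri >> 3
        fields["syslog_severity"] = pri & 7
        # Flag lines where the PRI severity disagrees with the ASA tag severity.
        fields["severity_mismatch"] = fields["syslog_severity"] != fields["severity"]
    else:
        fields["syslog_facility"] = None
        fields["syslog_severity"] = None
        fields["severity_mismatch"] = False
    return fields


# Constructed sample lines: the two forms quoted in the issue description.
SAMPLE_WITH_PRI = (
    "<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP "
    "from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside"
)
SAMPLE_WITHOUT_PRI = (
    "Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP "
    "from 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside"
)


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_PRI, SAMPLE_WITHOUT_PRI):
        parsed = parse_cisco_asa(sample)
        print(parsed["syslog_pri"], parsed["severity"], parsed["severity_name"],
              parsed["message_id"], parsed["severity_mismatch"])
```

Both sample lines now parse to the same `severity` of 2 (critical) and `message_id` 106006; the first additionally yields `syslog_pri` 162, which decodes to facility 20 and severity 2, so `severity_mismatch` is False. A line that matches neither form returns None rather than raising, which is the behaviour a parser topology wants so one malformed event does not stall the stream.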