Here are some

#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
# Common Particles
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
CISCO_INTERVAL first hit|%{INT}-second interval
CISCO_XLATE_TYPE static|dynamic
# ASA-2-106001
CISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
# ASA-2-106006, ASA-2-106007, ASA-2-106010
CISCOFW106006_106007_106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})
# ASA-3-106014
CISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)



I had to manually edit each one in Graylog. When I was on the older version of Graylog, it imported this list just fine.



On Tuesday, May 17, 2016 at 10:15:15 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Matt,
>
> the Grok pattern "CISCOFW302020_302021" is simply invalid (missing a 
> closing parenthesis) at least according to the error message you've posted. 
> Could you please post the complete Grok patterns so that we can take a look 
> at them?
>
> Cheers,
> Jochen
>
> On Tuesday, 17 May 2016 15:04:19 UTC+2, Matt Zarba wrote:
>>
>> Hello,
>>
>> I just built a new server with Graylog 2.0 and now I can't import the 
>> Cisco ASA grok patterns. It only imports part of the pattern. This same 
>> list worked fine before I rebuilt the server. I saw a couple of articles 
>> talking about whitespace breaking the patterns, but I could not figure out 
>> how to fix this problem.
>>
>>
>> This picture shows the patterns that were imported. As you can see they 
>> are only importing part of the pattern.
>>
>>
>> <https://lh3.googleusercontent.com/-GwyMdabInII/VzsV7wAr-zI/AAAAAAAALxU/YyECSrezYwUiEvjSZx3cCZMAm5DjtdILwCLcB/s1600/cisco%2B1.PNG>
>>
>>
>>
>> When I tried to import the list I would get these errors in the Chrome 
>> console (network tab). Notice how it sees the : after the ? as the end of 
>> the pattern.
>>
>>
>>
>> <https://lh3.googleusercontent.com/-y7cPdCixVSg/VzsWLOFHjqI/AAAAAAAALxY/pFYklPQS0EAID2Q7J_Jng7pmiEftlLR2wCLcB/s1600/cisco%2B2.PNG>
>>
>>
>> Any help would be appreciated.
>>
>>
>>
>>
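The pattern file in this thread only breaks because the mail client wrapped each long `NAME PATTERN` line; the continuation lines then look like new patterns named after their first token, and the first half of a wrapped line is left with an unclosed `(`, which is the "missing closing parenthesis" error Jochen points at. The script below is an added example for this thread, not Graylog's or Logstash's code. It parses the file format, reports both wrapping defects, expands `%{NAME:field}` references into a Python regex and matches two constructed ASA lines. The function names (`parse_pattern_file`, `paren_balance`, `expand`, `match_asa`), the simplified base patterns in `BASE_PATTERNS`, and the sample log lines (host `fw01`, addresses 10.0.0.5 and 192.0.2.10) are all assumptions made for the example.

```python
"""Sanity-check a grok pattern file before importing it into Graylog.
Added example for this thread, not Graylog's or Logstash's code: it parses the
"NAME PATTERN" file format, reports what mail wrapping breaks (continuation
lines that are not pattern names, unbalanced parentheses), expands
%{NAME:field} references into one Python regex and matches constructed ASA lines."""
import re

# Simplified stand-ins for the base patterns the ASA set references (assumed for
# the example; the logstash-patterns-core IP, SYSLOGHOST and TIME are stricter).
BASE_PATTERNS = {
    "POSINT": r"\b[1-9][0-9]*\b", "INT": r"[+-]?[0-9]+",
    "WORD": r"\b\w+\b", "DATA": r".*?", "GREEDYDATA": r".*",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::[0-5][0-9])?",
}

# Constructed copy of the thread's ASA patterns, one pattern per line (the form
# the file must have; the mail client wrapped them).
ASA_PATTERN_FILE = r"""
#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
# ASA-2-106001
CISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
# ASA-3-106014
CISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
"""

# Constructed: the first pattern as it arrives after mail wrapping.
WRAPPED_SNIPPET = r"""
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}(
%{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
"""

# Constructed ASA syslog lines (syslog <PRI> prefix, hostname fw01).
SAMPLE_TCP = ("<166>May 17 10:15:15 fw01: %ASA-2-106001: Inbound TCP connection "
              "denied from 10.0.0.5/51234 to 192.0.2.10/443 flags SYN on interface outside")
SAMPLE_ICMP = ("<164>May 17 10:15:16 fw01: %ASA-3-106014: Deny inbound icmp "
               "src outside:10.0.0.5 dst inside:192.0.2.10 (type 8, code 0)")

NAME_RE = re.compile(r"[A-Z0-9_]+")
REF_RE = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}


def paren_balance(body):
    """Count unescaped '(' minus ')'; 0 means balanced."""
    depth, i = 0, 0
    while i < len(body):
        if body[i] == "\\":  # skip escaped chars such as \( in 106014
            i += 2
            continue
        depth += (body[i] == "(") - (body[i] == ")")
        i += 1
    return depth


def parse_pattern_file(text):
    """Return ({name: body}, [problems]) for a 'NAME PATTERN' file."""
    patterns, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, body = line.partition(" ")
        if not sep or not NAME_RE.fullmatch(name):  # wrapped continuation line
            problems.append(f"line {lineno}: {name[:30]!r} is not a pattern name")
            continue
        if paren_balance(body):
            problems.append(f"line {lineno}: {name} has unbalanced parentheses")
        patterns[name] = body
    return patterns, problems


def expand(name, patterns, _depth=0):
    """Recursively replace %{...} references with (?:...) or (?P<field>...)."""
    if _depth > 32:
        raise ValueError(f"pattern {name} references itself")

    def repl(m):
        inner = expand(m.group(1), patterns, _depth + 1)
        return f"(?P<{m.group(2)}>{inner})" if m.group(2) else f"(?:{inner})"

    return REF_RE.sub(repl, patterns[name])


def match_asa(line, message_pattern):
    """Match a tagged ASA syslog line; return the captured fields or None."""
    asa, problems = parse_pattern_file(ASA_PATTERN_FILE)
    if problems:
        raise ValueError("refusing a broken pattern file: " + "; ".join(problems))
    patterns = {**BASE_PATTERNS, **asa}
    regex = expand("CISCO_TAGGED_SYSLOG", patterns) + " " + expand(message_pattern, patterns)
    m = re.match(regex, line)
    return m.groupdict() if m else None
```

Run `parse_pattern_file` over a file before uploading it: a clean file yields an empty problem list, while the wrapped snippet yields two problems, the unclosed `(` on the first line and a bogus pattern name on the second, which is exactly the symptom in the screenshots. `match_asa` then shows that the unwrapped patterns do capture the expected fields once every pattern sits on one line.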

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6ac75f07-d6cf-4482-b37a-19c91689f79e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
