Hi Matt,
please attach the complete list. The Grok pattern mentioned in your initial
post is missing in that list.
The handling of Grok patterns didn't change in Graylog 2.0.x compared to
Graylog 1.x, so if valid Grok patterns can't be imported into Graylog 2.0.x
anymore, that's a bug.
Cheers,
Jochen
On Tuesday, 17 May 2016 17:22:20 UTC+2, Matt Zarba wrote:
>
> Here are some
>
> #== Cisco ASA ==
> CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
> CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
> CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
> # Common Particles
> CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
> CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*
> CISCO_DIRECTION Inbound|inbound|Outbound|outbound
> CISCO_INTERVAL first hit|%{INT}-second interval
> CISCO_XLATE_TYPE static|dynamic
> # ASA-2-106001
> CISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
> # ASA-2-106006, ASA-2-106007, ASA-2-106010
> CISCOFW106006_106007_106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})
> # ASA-3-106014
> CISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
>
>
>
> I had to manually edit each one in Graylog. When I was on the older
> version of Graylog, it imported this list just fine.
>
>
>
> On Tuesday, May 17, 2016 at 10:15:15 AM UTC-4, Jochen Schalanda wrote:
>>
>> Hi Matt,
>>
>> the Grok pattern "CISCOFW302020_302021" is simply invalid (missing a
>> closing parenthesis) at least according to the error message you've posted.
>> Could you please post the complete Grok patterns so that we can take a look
>> at them?
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 17 May 2016 15:04:19 UTC+2, Matt Zarba wrote:
>>>
>>> Hello,
>>>
>>> I just built a new server with Graylog 2.0 and now I can't import the
>>> Cisco ASA Grok patterns. It only imports part of the pattern. This same
>>> list worked fine before I rebuilt the server. I saw a couple of articles
>>> talking about whitespace breaking the patterns, but I could not figure out
>>> how to fix this problem.
>>>
>>>
>>> This picture shows the patterns that were imported. As you can see they
>>> are only importing part of the pattern.
>>>
>>>
>>> <https://lh3.googleusercontent.com/-GwyMdabInII/VzsV7wAr-zI/AAAAAAAALxU/YyECSrezYwUiEvjSZx3cCZMAm5DjtdILwCLcB/s1600/cisco%2B1.PNG>
>>>
>>>
>>>
>>> When I tried to import the list I would get these errors in the Chrome
>>> console (Network tab). Notice how it sees the : after the ? as the end of
>>> the pattern.
>>>
>>>
>>>
>>> <https://lh3.googleusercontent.com/-y7cPdCixVSg/VzsWLOFHjqI/AAAAAAAALxY/pFYklPQS0EAID2Q7J_Jng7pmiEftlLR2wCLcB/s1600/cisco%2B2.PNG>
>>>
>>>
>>> Any help would be appreciated.
>>>
>>>
>>>
>>>
--
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/f43b4ac6-ee67-4bd9-acb0-670ba8b336a4%40googlegroups.com.
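The thread turns on how a Grok pattern file is split into names and patterns: each line is `NAME`, one run of whitespace, then the pattern, and every later space or `:` belongs to the pattern. The following is an added example, not code from the thread, from Graylog or from logstash. It is a small Python parser for that file format that expands `%{NAME:field}` references into a regex, validates each pattern by compiling it (so an unbalanced parenthesis like the one Jochen mentions is reported by name), and runs the posted `CISCO_TAGGED_SYSLOG` and `CISCOFW106001` patterns over a constructed ASA line. The base patterns (`POSINT`, `MONTH`, `IP`, ...) are a simplified constructed subset of the logstash defaults, the sample syslog line is made up, and `naive_colon_split` is a hypothetical importer written only to show what a parser that treats the first `:` as the separator does to these patterns; it is not a claim about Graylog's actual code.

```python
import re
from typing import Dict, Optional

# Base patterns: a constructed, simplified subset of the logstash defaults that
# the thread's Cisco patterns reference by name (not Graylog's own file).
BASE_PATTERNS = r"""
POSINT \b(?:[1-9][0-9]*)\b
INT (?:[+-]?(?:[0-9]+))
WORD \b\w+\b
DATA .*?
GREEDYDATA .*
MONTH \b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
YEAR (?:\d\d){1,2}
TIME (?:[0-9]{2}):(?:[0-9]{2}):(?:[0-9]{2})
IP (?:[0-9]{1,3}\.){3}[0-9]{1,3}
SYSLOGHOST [A-Za-z0-9._-]+
"""

# Subset of the Cisco ASA patterns posted in the thread, one pattern per line.
CISCO_PATTERNS = r"""
#== Cisco ASA ==
CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})?: %%{CISCOTAG:ciscotag}:
CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted
CISCO_DIRECTION Inbound|inbound|Outbound|outbound
# ASA-2-106001
CISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
"""

# Constructed sample ASA syslog line (not a real capture).
SAMPLE_LINE = ("<166>May 17 2016 10:15:15 fw01: %ASA-2-106001: Inbound TCP connection "
               "denied from 10.0.0.5/51234 to 192.0.2.10/443 flags SYN on interface outside")

PATTERN_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s+(?P<pattern>.+)$")
GROK_REF = re.compile(r"%\{(?P<name>\w+)(?::(?P<field>\w+))?\}")


def parse_pattern_file(text: str) -> Dict[str, str]:
    """Split a grok pattern file into {name: pattern}. The separator is the
    FIRST run of whitespace only; later spaces and every ':' are pattern text.
    '#' comments and blank lines are skipped."""
    patterns: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATTERN_LINE.match(line)
        if not m:
            raise ValueError(f"malformed pattern line: {raw!r}")
        patterns[m.group("name")] = m.group("pattern")
    return patterns


def naive_colon_split(line: str):
    """Hypothetical importer that uses the first ':' as the separator (NOT
    Graylog's code); it shows how such a split truncates a pattern."""
    name, _, pattern = line.partition(":")
    return name, pattern


def compile_grok(pattern: str, patterns: Dict[str, str], depth: int = 0) -> str:
    """Expand %{NAME:field} / %{NAME} references into a Python regex."""
    if depth > 32:
        raise RecursionError("grok reference nesting too deep (cycle?)")

    def expand(m: "re.Match[str]") -> str:
        name, field = m.group("name"), m.group("field")
        if name not in patterns:
            raise KeyError(f"undefined grok pattern {name}")
        inner = compile_grok(patterns[name], patterns, depth + 1)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return GROK_REF.sub(expand, pattern)


def validate_patterns(patterns: Dict[str, str]) -> Dict[str, str]:
    """Compile every pattern; return {name: error} for the ones that fail
    (unbalanced parentheses, undefined references, cycles)."""
    errors: Dict[str, str] = {}
    for name, pat in patterns.items():
        try:
            re.compile(compile_grok(pat, patterns))
        except (re.error, KeyError, RecursionError) as exc:
            errors[name] = str(exc)
    return errors


def grok_search(name: str, text: str, patterns: Dict[str, str]) -> Optional["re.Match[str]"]:
    return re.compile(compile_grok(patterns[name], patterns)).search(text)


def parse_asa_line(line: str, patterns: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Match the syslog header, then pick the message pattern from the tag.
    Only the simple tag-to-name case is handled (ASA-2-106001 -> CISCOFW106001);
    combined names such as CISCOFW106006_106007_106010 would need a lookup table."""
    hdr = grok_search("CISCO_TAGGED_SYSLOG", line, patterns)
    if hdr is None:
        return None
    fields = hdr.groupdict()
    body = line[hdr.end():].strip()
    msg_name = "CISCOFW" + fields["ciscotag"].split("-", 2)[2]
    if msg_name in patterns:
        body_match = grok_search(msg_name, body, patterns)
        if body_match is not None:
            fields.update(body_match.groupdict())
    return fields


if __name__ == "__main__":
    pats = parse_pattern_file(BASE_PATTERNS + CISCO_PATTERNS)
    print(validate_patterns(pats))          # {} when every pattern compiles
    print(parse_asa_line(SAMPLE_LINE, pats))
```

Running `validate_patterns` over a pattern list before importing it is the quick way to find the one invalid entry in a file of dozens: the error is keyed by pattern name instead of being buried in a browser network-tab response.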