[
https://issues.apache.org/jira/browse/METRON-1065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bas van de Lustgraaf updated METRON-1065:
-----------------------------------------
Description:
The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog
priority present at the start of each message. Unfortunately, this is not
always the case.
*Currently supported:*
{noformat}
<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from
10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
{noformat}
*Not supported by the current Grok pattern:*
{noformat}
Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279
to 10.2.52.71/161 on interface Inside
{noformat}
My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the
following part optional:
{noformat}
<%{POSINT:syslog_pri}>
{noformat}
And grep the severity from the `%ASA-4-106023` part. The part between the
hyphens is the severity (source
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).
was:
The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog
priority present at the start of each message. Unfortunately, this is not
always the case.
*Currently supported:*
{noformat}
<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from
10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
{noformat}
*Not supported by the current Grok pattern:*
{noformat}
Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from 10.25.177.164/63279
to 10.2.52.71/161 on interface Inside
{noformat}
My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the
following part optional: <%{POSINT:syslog_pri}>
And grep the severity from the `%ASA-4-106023` part. The part between the
hyphens is the severity (source
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).
> Grok pattern for Cisco ASA Parser expects syslog_pri
> ----------------------------------------------------
>
> Key: METRON-1065
> URL: https://issues.apache.org/jira/browse/METRON-1065
> Project: Metron
> Issue Type: Improvement
> Affects Versions: 0.4.1
> Reporter: Bas van de Lustgraaf
> Priority: Minor
>
> The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog
> priority present at the start of each message. Unfortunately, this is not
> always the case.
> *Currently supported:*
> {noformat}
> <162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from
> 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
> {noformat}
> *Not supported by the current Grok pattern:*
> {noformat}
> Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from
> 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
> {noformat}
> My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the
> following part optional:
> {noformat}
> <%{POSINT:syslog_pri}>
> {noformat}
> And grep the severity from the `%ASA-4-106023` part. The part between the
> hyphens is the severity (source
> http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
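The behaviour the issue asks for, as an added example that is not Metron's code or the reporter's: the `<pri>` prefix is optional, the severity is read from the digit between the hyphens of the `%ASA-` tag, and when a PRI is present its facility and severity are decoded (`pri >> 3`, `pri & 7`) so a parser can flag the two severities disagreeing. The regex is a hypothetical plain-regex equivalent of the proposed grok change, not Metron's actual `CISCO_TAGGED_SYSLOG` pattern, and the sample lines are constructed from the two forms in the issue.

```python
import re
from typing import Optional

# Constructed samples modelled on the two forms quoted in the issue.
WITH_PRI = ("<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from "
            "10.25.177.164/63279 to 10.2.52.71/161 on interface Inside")
WITHOUT_PRI = ("Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from "
               "10.25.177.164/63279 to 10.2.52.71/161 on interface Inside")

# Hypothetical regex standing in for the grok pattern: the (?:<pri>)? group makes
# the syslog priority optional, and the severity is captured from the %ASA tag.
ASA_RE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<severity>[0-7])-(?P<message_id>\d{6}): "
    r"(?P<message>.*)$"
)


def parse_asa(line: str) -> Optional[dict]:
    """Parse one ASA syslog line with or without a leading <pri>; None if no match."""
    m = ASA_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Severity always comes from the tag, as the issue proposes.
    rec["severity"] = int(rec["severity"])
    pri = rec["syslog_pri"]
    if pri is None:
        rec["syslog_facility"] = None
        rec["syslog_severity"] = None
        rec["severity_mismatch"] = False
        return rec
    # RFC 3164 PRI: facility * 8 + severity. <162> -> local4 (20), severity 2.
    pri = int(pri)
    rec["syslog_pri"] = pri
    rec["syslog_facility"] = pri >> 3
    rec["syslog_severity"] = pri & 7
    # If the relay's PRI severity disagrees with the ASA tag, surface it rather
    # than silently trusting either value.
    rec["severity_mismatch"] = rec["syslog_severity"] != rec["severity"]
    return rec


if __name__ == "__main__":
    for sample in (WITH_PRI, WITHOUT_PRI):
        print(parse_asa(sample))
```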