[ https://issues.apache.org/jira/browse/METRON-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494991#comment-16494991 ]

manisha tank edited comment on METRON-1583 at 5/30/18 12:31 PM:
----------------------------------------------------------------

!cisco_log_error.png!

Error message:

java.lang.RuntimeException: [Metron] Message 'Oct 24 20:55:00 192.168.10.2 <166>Oct 24 2017 20:53:48: %ASA-6-106100: access-list acl_out denied icmp outside/192.168.10.2(3) -> inside/172.20.4.75(1) hit-cnt 33 300-second interval [0x71761f18, 0x0]' does not match pattern '%{CISCO_TAGGED_SYSLOG}'
    at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:184)
    at org.apache.metron.parsers.interfaces.MessageParser.parseOptional(MessageParser.java:45)
    at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:177)
    at org.apache.storm.daemon.executor$fn__6573$tuple_action_fn__6575.invoke(executor.clj:734)
    at org.apache.storm.daemon.executor$mk_task_receiver$fn__6494.invoke(executor.clj:466)
    at org.apache.storm.disruptor$clojure_handler$reify__6007.onEvent(disruptor.clj:40)
    at org.apache.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:451)
    at org.apache.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:430)
    at org.apache.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:73)
    at org.apache.storm.daemon.executor$fn__6573$fn__6586$fn__6639.invoke(executor.clj:853)
    at org.apache.storm.util$async_loop$fn__554.invoke(util.clj:484)
    at clojure.lang.AFn.run(AFn.java:22)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: [Metron] Message 'Oct 24 20:55:00 192.168.10.2 <166>Oct 24 2017 20:53:48: %ASA-6-106100: access-list acl_out denied icmp outside/192.168.10.2(3) -> inside/172.20.4.75(1) hit-cnt 33 300-second interval [0x71761f18, 0x0]' does not match pattern '%{CISCO_TAGGED_SYSLOG}'
    at org.apache.metron.parsers.asa.BasicAsaParser.parse(BasicAsaParser.java:178)
    ... 12 more

> issue regarding cisco asa logs
> ------------------------------
>
>                 Key: METRON-1583
>                 URL: https://issues.apache.org/jira/browse/METRON-1583
>             Project: Metron
>          Issue Type: Bug
>    Affects Versions: 0.4.2
>            Reporter: manisha tank
>            Priority: Major
>             Fix For: 0.4.2
>
>         Attachments: cisco_log_error.png
>
>
> I am trying to ingest Cisco ASA logs but I am facing some issues.
> I have created the log pattern below:
> CISCO_TAGGED_SYSLOG ^%{SYSLOGTIMESTAMP} %{SYSLOGHOST:sysloghost} <%{POSINT:syslog_pri}>%{CISCOTIMESTAMP}?: %%{CISCOTAG:ciscotag}: %{GREEDYDATA:message}
> CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}
> CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)
> Sample logs:
> Oct 25 02:14:52 172.20.4.5 <163>Oct 24 2017 21:29:23: %ASA-3-304006: URL Server 172.19.83.105 not responding
> Oct 25 02:14:51 198.6.1.2 <164>Oct 24 2017 21:28:47: %ASA-4-410001: Dropped UDP DNS reply from outside:198.6.1.2/53 to inside:172.20.220.87/63887; packet length 932 bytes exceeds configured limit of 512 bytes
> Oct 25 02:14:51 172.20.4.5 <164>Oct 24 2017 21:28:34: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 46 per second, max configured rate is 10; Current average rate is 103 per second, max configured rate is 5; Cumulative total count is 62196
> Oct 25 02:14:51 172.20.4.5 <164>Oct 24 2017 21:28:21: %ASA-4-733100: [        SYSLOG  514] drop rate-1 exceeded. Current burst rate is 31 per second, max configured rate is 40; Current average rate is 119 per second, max configured rate is 20; Cumulative total count is 71776
> Oct 25 02:14:52 192.168.19.7 <164>Oct 24 2017 21:29:29: %ASA-4-419002: Duplicate TCP SYN from inside:192.168.19.7/64266 to outside:192.168.10.10/257 with different initial sequence number
> PFA the error faced while ingesting Cisco ASA logs.
> !cisco_asa_logs_error.png!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
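As an added check that is not part of the issue, the comment, or Metron's own code: the grok pattern posted in the issue, expanded into a Python regular expression and run over the five sample lines and over the line quoted in the stack trace. The three CISCO_* definitions are copied from the issue; the base patterns they reference (SYSLOGTIMESTAMP, SYSLOGHOST, POSINT, MONTH, MONTHDAY, YEAR, TIME, INT, GREEDYDATA) are simplified re-statements of the stock grok definitions and are an assumption of this example, as is the minimal %{NAME:field} expander that stands in for the java-grok library BasicAsaParser compiles against. The script shows that the posted pattern, as written, accepts the rejected line under a regex engine, and that it rejects an ASA message lacking the relay's "MMM dd HH:mm:ss host" prefix because of the leading ^%{SYSLOGTIMESTAMP}. The page does not establish which CISCO_TAGGED_SYSLOG definition the running parser actually loaded, so confirming that is the next step rather than reworking the pattern's syntax.

```python
"""Expand the grok pattern posted in METRON-1583 into a Python regex and run it
over the sample ASA lines.  Added example, not Metron code: BasicAsaParser
compiles grok through the java-grok library; a minimal %{NAME:field} expander
on top of `re` stands in for it here."""
import re

# The three CISCO_* definitions are copied from the issue.  The rest are
# simplified re-statements of the stock grok base patterns they refer to
# (assumption: equivalent to the originals on these inputs).
PATTERNS = {
    "CISCO_TAGGED_SYSLOG":
        r"^%{SYSLOGTIMESTAMP} %{SYSLOGHOST:sysloghost} <%{POSINT:syslog_pri}>"
        r"%{CISCOTIMESTAMP}?: %%{CISCOTAG:ciscotag}: %{GREEDYDATA:message}",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "CISCOTAG": r"[A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+)",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "SYSLOGHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?<![0-9])(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5][0-9]|60)(?![0-9])",
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![0-9])",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "GREEDYDATA": r".*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern):
    """Recursively replace %{NAME} / %{NAME:field} with the named definition;
    %{NAME:field} becomes a Python named group (?P<field>...)."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(sub, pattern)


ASA_RE = re.compile(expand("%{CISCO_TAGGED_SYSLOG}"))


def parse_asa(line):
    """Return the captured fields, or None when the line does not match."""
    m = ASA_RE.match(line)
    return m.groupdict() if m else None


def tags_for(lines):
    """ciscotag per line (None where the pattern rejects the line)."""
    return [(r or {}).get("ciscotag") for r in map(parse_asa, lines)]


# The line quoted in the stack trace in the comment above.
TRACE_LINE = (
    "Oct 24 20:55:00 192.168.10.2 <166>Oct 24 2017 20:53:48: %ASA-6-106100: "
    "access-list acl_out denied icmp outside/192.168.10.2(3) -> "
    "inside/172.20.4.75(1) hit-cnt 33 300-second interval [0x71761f18, 0x0]"
)

# The sample lines from the issue description.
ISSUE_SAMPLES = [
    "Oct 25 02:14:52 172.20.4.5 <163>Oct 24 2017 21:29:23: %ASA-3-304006: "
    "URL Server 172.19.83.105 not responding",
    "Oct 25 02:14:51 198.6.1.2 <164>Oct 24 2017 21:28:47: %ASA-4-410001: "
    "Dropped UDP DNS reply from outside:198.6.1.2/53 to inside:172.20.220.87/"
    "63887; packet length 932 bytes exceeds configured limit of 512 bytes",
    "Oct 25 02:14:51 172.20.4.5 <164>Oct 24 2017 21:28:34: %ASA-4-733100: "
    "[ Scanning] drop rate-1 exceeded. Current burst rate is 46 per second, "
    "max configured rate is 10; Current average rate is 103 per second, max "
    "configured rate is 5; Cumulative total count is 62196",
    "Oct 25 02:14:51 172.20.4.5 <164>Oct 24 2017 21:28:21: %ASA-4-733100: "
    "[        SYSLOG  514] drop rate-1 exceeded. Current burst rate is 31 per "
    "second, max configured rate is 40; Current average rate is 119 per "
    "second, max configured rate is 20; Cumulative total count is 71776",
    "Oct 25 02:14:52 192.168.19.7 <164>Oct 24 2017 21:29:29: %ASA-4-419002: "
    "Duplicate TCP SYN from inside:192.168.19.7/64266 to outside:"
    "192.168.10.10/257 with different initial sequence number",
]

# Constructed negative case (not from the issue): the same ASA message without
# the relay's own "MMM dd HH:mm:ss host" prefix, which the posted pattern
# anchors on with ^%{SYSLOGTIMESTAMP}.
UNTAGGED_LINE = ("<166>Oct 24 2017 20:53:48: %ASA-6-106100: "
                 "access-list acl_out denied icmp")

if __name__ == "__main__":
    for line in [TRACE_LINE, *ISSUE_SAMPLES, UNTAGGED_LINE]:
        print(parse_asa(line))
```

Running the script prints the captured sysloghost, syslog_pri, ciscotag and message for the trace line and every sample, and None for the prefix-less line; if a production parser rejects a line that this expansion accepts, compare the pattern definitions it actually loaded against the ones posted before changing the pattern.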