Kyle Richardson commented on METRON-363:
I'm currently testing with ASA v9.1.x and should be able to contribute some
anonymized test data back to the project.
One issue I'm running into is there are some events which do not contain all of
the standard fields defined at
example, ASA-4-733100 events are logged for basic threat detections but do not
include source and destination (more information can be found at
My question is how do we want to handle these situations? Here are a few
# Drop the events entirely; no enrichment or indexing
# Provide normalized JSON events without the ip_src_addr and ip_dst_addr fields
# Provide normalized JSON events with null values for the ip_src_addr and
To some extent this decision depends on how the enrichment and indexing code
handles missing or null values.
I'll also pose this question to the dev mailing list.
> Fix Cisco ASA Parser
> Key: METRON-363
> URL: https://issues.apache.org/jira/browse/METRON-363
> Project: Metron
> Issue Type: Improvement
> Reporter: Kyle Richardson
> Priority: Minor
> The current ASA parser is broken. This effort is to rework the current parser
> to support the variety of syslog messages produced by Cisco ASA devices as
> well as provide the necessary support files/configs for easier deployment of
> the Storm topology.
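To make the three options concrete, here is an added illustration (not Metron's own ASA parser and not code from the issue or the comment) of a small ASA syslog normalizer that applies a "drop", "omit" or "null" policy when a message carries no endpoints. The field names follow the Metron convention the comment refers to (ip_src_addr, ip_dst_addr, ip_src_port, ip_dst_port, original_string, timestamp); the regular expressions, the policy constants and the two sample lines are constructed here to approximate the ASA-6-302013 and ASA-4-733100 formats and are not captured device output.

```python
import json
import re

# Constructed sample ASA syslog lines (approximating the real message formats;
# not captured from a device). The 302013 line carries source and destination
# addresses; the 733100 threat-detection line does not.
SAMPLE_LINES = [
    "<166>Aug 04 2016 12:00:01: %ASA-6-302013: Built inbound TCP connection 4711 "
    "for outside:203.0.113.10/44321 (203.0.113.10/44321) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "<164>Aug 04 2016 12:00:02: %ASA-4-733100: [ Scanning ] drop rate-1 exceeded. "
    "Current burst rate is 10 per second, max configured rate is 10; "
    "Current average rate is 6 per second, max configured rate is 5; "
    "Cumulative total count is 360",
]

# Illustrative header pattern: optional syslog PRI, timestamp, %ASA-<sev>-<id>.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# Connection messages: "... for <zone>:<ip>/<port> (...) to <zone>:<ip>/<port> (...)".
CONN_RE = re.compile(
    r"for (?P<src_zone>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) .*? "
    r"to (?P<dst_zone>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Policies for messages without endpoints (the three options in the comment).
MISSING_DROP = "drop"   # discard the event entirely
MISSING_OMIT = "omit"   # emit the event without ip_*_addr / ip_*_port
MISSING_NULL = "null"   # emit the event with those fields set to null

ENDPOINT_FIELDS = ("ip_src_addr", "ip_src_port", "ip_dst_addr", "ip_dst_port")


def parse_asa(line, missing=MISSING_OMIT):
    """Normalize one ASA syslog line into a dict with Metron-style field names.

    Returns None when the line has no endpoints and the policy is MISSING_DROP.
    Raises ValueError for lines that do not look like ASA syslog at all, so a
    caller can route them to an error stream instead of silently indexing junk.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an ASA syslog line: %r" % line)
    event = {
        "original_string": line,
        "timestamp": m.group("timestamp"),
        "severity": int(m.group("severity")),
        "message_id": "ASA-%s-%s" % (m.group("severity"), m.group("msgid")),
        "message": m.group("body"),
    }
    conn = CONN_RE.search(m.group("body"))
    if conn:
        event["ip_src_addr"] = conn.group("src_ip")
        event["ip_src_port"] = int(conn.group("src_port"))
        event["ip_dst_addr"] = conn.group("dst_ip")
        event["ip_dst_port"] = int(conn.group("dst_port"))
        return event
    # No endpoints (e.g. ASA-4-733100 threat detection): apply the policy.
    if missing == MISSING_DROP:
        return None
    if missing == MISSING_NULL:
        for field in ENDPOINT_FIELDS:
            event[field] = None
    return event


def parse_all(lines, missing=MISSING_OMIT):
    """Normalize a batch of lines, silently skipping events the policy drops."""
    return [e for e in (parse_asa(l, missing) for l in lines) if e is not None]


if __name__ == "__main__":
    for policy in (MISSING_DROP, MISSING_OMIT, MISSING_NULL):
        print("policy=%s" % policy)
        for event in parse_all(SAMPLE_LINES, policy):
            print("  " + json.dumps(event, sort_keys=True))
```

Running the block prints the same two sample lines under each policy: "drop" yields only the connection event, "omit" yields both with the threat-detection event lacking the ip_* keys, and "null" yields both with those keys present but null. Which of the last two an enrichment or indexing stage prefers is exactly the point the comment raises: a stage that distinguishes "absent" from "null" (for example, skipping geo enrichment only when the key is absent) will behave differently under the two policies, so the choice should be made once and documented alongside the parser.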