On 22.11.2012 17:27, Rainer Gerhards wrote:

Hi Rainer, hi all!

> Replying to myself...
>
>> I think you should tackle that beast from a different angle. Regex is
>> NOT the way to go here. Mmnormalize is - that's *the* use case for that
>> module. Just yesterday I have posted the relevant links to the mailing
>> list (in reply to a similar question). Please have a look at the
>> archive, I don't want to dig them out again (also, Google is good at
>> finding them).

I'll read about normalization, I'll be back in a couple of days.

> Marcin, if you can provide some actual samples of the messages you are
> interested in, we can work together to create the rulebase. I could probably
> create a tutorial out of that (if nothing decent enough exists). A link to
> Cisco documentation describing the messages would also be useful.

Here are a couple of samples (with changed IP addresses):

2012-11-23T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside
2012-11-23T10:47:43+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside
2012-11-23T10:47:44+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside
2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-4-400014: IDS:2004 ICMP echo request from 1.4.7.7 to 41.10.8.18 on interface outside
2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 1.4.7.7 on interface outside

And now some samples with the RSYSLOG_DebugFormat template:

Debug line with all properties:
FROMHOST: '192.168.0.254', fromhost-ip: '192.168.0.254', HOSTNAME: '0.0.0.0', PRI: 188,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 23 10:52:38', STRUCTURED-DATA: '-',
msg: ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'
escaped msg: ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'
inputname: imudp rawmsg: '<188>Nov 23 2012 10:52:38 0.0.0.0 : %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'

Debug line with all properties:
FROMHOST: '192.168.0.254', fromhost-ip: '192.168.0.254', HOSTNAME: '0.0.0.0', PRI: 188,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 23 10:52:38', STRUCTURED-DATA: '-',
msg: ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'
escaped msg: ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'
inputname: imudp rawmsg: '<188>Nov 23 2012 10:52:38 0.0.0.0 : %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'

Debug line with all properties:
FROMHOST: '192.168.0.254', fromhost-ip: '192.168.0.254', HOSTNAME: '0.0.0.0', PRI: 188,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 23 10:52:39', STRUCTURED-DATA: '-',
msg: ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'
escaped msg: ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]'
inputname: imudp rawmsg: '<188>Nov 23 2012 10:52:39 0.0.0.0 : %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.206/56799 by access-group "xyzww_access_in" [0x0, 0x0]'

Debug line with all properties:
FROMHOST: '192.168.0.254', fromhost-ip: '192.168.0.254', HOSTNAME: '0.0.0.0', PRI: 188,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 23 10:52:41', STRUCTURED-DATA: '-',
msg: ' %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from qwery-biuro:4500'
escaped msg: ' %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from qwery-biuro:4500'
inputname: imudp rawmsg: '<188>Nov 23 2012 10:52:41 0.0.0.0 : %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from qwery-biuro:4500'

Debug line with all properties:
FROMHOST: '192.168.0.254', fromhost-ip: '192.168.0.254', HOSTNAME: '0.0.0.0', PRI: 188,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 23 10:53:01', STRUCTURED-DATA: '-',
msg: ' %ASA-4-106023: Deny icmp src outside:8.23.5.6 dst xyzww:1.20.8.1 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]'
escaped msg: ' %ASA-4-106023: Deny icmp src outside:8.23.5.6 dst xyzww:1.20.8.1 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]'
inputname: imudp rawmsg: '<188>Nov 23 2012 10:53:01 0.0.0.0 : %ASA-4-106023: Deny icmp src outside:8.23.5.6 dst xyzww:1.20.8.1 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]'

Thank you for the tips.

Marcin

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
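The thread's point is that these ASA messages should be broken into named fields (one rule per ASA message ID) rather than matched as free text. The Python below is an added illustration, not code from the thread, from rsyslog or from liblognorm: it mirrors that one-rule-per-message-ID structure on the exact samples Marcin posted (the IP addresses are the already-changed ones from the post), so you can see which fields a rulebase for these messages would have to name, and why it pays off: once `src`, `dst`, `acl` and `iface` are fields, a question like "how many denies per source address" becomes a trivial count. The field names and the two helper functions are this example's own choices, not mmnormalize's output format.

```python
"""Added example: field extraction for the Cisco ASA syslog samples in the thread.

One body pattern per ASA message ID, dispatched on the %ASA-<sev>-<id>: header,
which is the shape an mmnormalize/liblognorm rulebase would take for the same
messages. Field names are this example's own choices.
"""
import re
from collections import Counter

# The samples from the post. The first five are raw syslog lines as posted; the
# last three are the `msg` property as shown in the RSYSLOG_DebugFormat output,
# which carries a leading space before %ASA (hence the search, not an anchored match).
SAMPLES = [
    "2012-11-23T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside",
    "2012-11-23T10:47:43+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside",
    "2012-11-23T10:47:44+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside",
    "2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-4-400014: IDS:2004 ICMP echo request from 1.4.7.7 to 41.10.8.18 on interface outside",
    "2012-11-23T10:49:30+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 1.4.7.7 on interface outside",
    ' %ASA-4-106023: Deny tcp src xyzww:192.168.2.192/52874 dst outside:8.23.5.6/56799 by access-group "xyzww_access_in" [0x0, 0x0]',
    " %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from qwery-biuro:4500",
    ' %ASA-4-106023: Deny icmp src outside:8.23.5.6 dst xyzww:1.20.8.1 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]',
]

# Common header: %ASA-<severity>-<message id>: <body>
HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

# One body rule per message ID. Adding support for a new ASA message means adding
# one entry here, exactly as it would mean adding one rule to a rulebase.
BODY_RULES = {
    "313001": re.compile(
        r"Denied ICMP type=(?P<icmp_type>\d+), code=(?P<icmp_code>\d+) "
        r"from (?P<src>\S+) on interface (?P<iface>\S+)$"),
    "400014": re.compile(
        r"IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>\S+) to (?P<dst>\S+) "
        r"on interface (?P<iface>\S+)$"),
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src (?P<src_iface>[^:]+):(?P<src>\S+) "
        r"dst (?P<dst_iface>[^:]+):(?P<dst>\S+?)"
        r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
        r' by access-group "(?P<acl>[^"]+)"'),
    "713903": re.compile(
        r"IKE Receiver: Runt ISAKMP packet discarded on Port (?P<port>\d+) "
        r"from (?P<src>[^:]+):(?P<src_port>\d+)$"),
}


def parse_asa(line):
    """Return the named fields of one ASA message as a dict.

    None if the line carries no %ASA header at all. A message ID without a body
    rule (or a body that does not fit its rule) keeps the header fields and the
    raw body under 'unparsed', so nothing is silently dropped.
    """
    m = HEADER.search(line)
    if m is None:
        return None
    fields = {"severity": int(m.group("severity")), "msgid": m.group("msgid")}
    rule = BODY_RULES.get(fields["msgid"])
    body = rule.match(m.group("body")) if rule is not None else None
    if body is None:
        fields["unparsed"] = m.group("body")
        return fields
    fields.update({k: v for k, v in body.groupdict().items() if v is not None})
    # 106023 writes endpoints as ip/port; split them so ip and port are separate fields.
    for key in ("src", "dst"):
        if key in fields and "/" in fields[key]:
            fields[key], fields[key + "_port"] = fields[key].split("/", 1)
    return fields


def denied_by_source(lines):
    """Count deny events (313001 and 106023) per source address.

    This is the kind of query that is only reliable once the source address is a
    field of its own rather than a substring somewhere in the message text.
    """
    counts = Counter()
    for line in lines:
        f = parse_asa(line)
        if f is not None and f["msgid"] in ("313001", "106023") and "src" in f:
            counts[f["src"]] += 1
    return counts


if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_asa(s))
    print(denied_by_source(SAMPLES))
```

Run as a script it prints one dict per sample followed by the per-source deny counts; in the real setup the same fields would come out of mmnormalize as `$!src`, `$!dst` and so on, and the counting would be done downstream of rsyslog.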

