Re: Syslog parser issue

2018-10-30 Thread Muhammed Irshad
Thanks Otto. BasicISEParser worked well. Could you please elaborate more on
structured data? Is it something in the header or the message field of the syslog
message in my example? Just to understand the working of the syslogparser
library in detail, to extend it in future.
Also, can I filter fields when using BasicISEParser? I know we can filter
messages with Stellar, but can we filter fields? Like index only the fields
of interest?

On Tue, Oct 30, 2018 at 11:29 PM Otto Fowler wrote:

> Per the spec which this is written to, if you don't have structured data,
> you need to have a '-' marker. So this is not valid 5424. That is from a
> cursory look.
> Metron has a dedicated ISE parser, have you tried that?
>
> If you would like to have the parser have a setting to optionally accept
> missing structured data, you can open an issue @
> https://github.com/palindromicity/simple-syslog-5424/issues
> If/when resolved there, a jira to pick up the change in metron can be
> logged.
>
>
>
> On October 30, 2018 at 13:38:39, Muhammed Irshad (irshadkt@gmail.com)
> wrote:
>
> I am trying to test the existing Syslog5424Parser with the logs from my
> cisco:ise log data. I am getting the below error message under
> MessageParserResult. Is the below format supported by the existing syslog
> parser? Or can I configure it to support this format?
>
> Message sample :
> <182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com
> CISE_Profiler 0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228
> 80002 INFO  Profiler: Profiler EndPoint profiling event occurred,
> ConfigVersionId=267, OperatingSystem=FreeBSD 10.0-CURRENT (accuracy 92%),
> EndpointCertainityMetric=160, EndpointIPAddress=192.168.88.55,
> EndpointMacAddress=F8:0D:60:FF:86:E5, EndpointMatchedPolicy=Canon-Printer,
>
> Error message :
> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:93
> no viable alternative at input '1'
>
> --
> Muhammed Irshad K T
> Senior Software Engineer
> +919447946359
> irshadkt@gmail.com
> Skype : muhammed.irshad.k.t
>
>

-- 
Muhammed Irshad K T
Senior Software Engineer
+919447946359
irshadkt@gmail.com
Skype : muhammed.irshad.k.t


Re: Syslog parser issue

2018-10-30 Thread Otto Fowler
Per the spec which this is written to, if you don't have structured data,
you need to have a '-' marker. So this is not valid 5424. That is from a
cursory look.
Metron has a dedicated ISE parser, have you tried that?

If you would like to have the parser have a setting to optionally accept
missing structured data, you can open an issue @
https://github.com/palindromicity/simple-syslog-5424/issues
If/when resolved there, a jira to pick up the change in metron can be
logged.



On October 30, 2018 at 13:38:39, Muhammed Irshad (irshadkt@gmail.com)
wrote:

I am trying to test the existing Syslog5424Parser with the logs from my
cisco:ise log data. I am getting the below error message under
MessageParserResult. Is the below format supported by the existing syslog
parser? Or can I configure it to support this format?

Message sample :
<182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com
CISE_Profiler 0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228
80002 INFO  Profiler: Profiler EndPoint profiling event occurred,
ConfigVersionId=267, OperatingSystem=FreeBSD 10.0-CURRENT (accuracy 92%),
EndpointCertainityMetric=160, EndpointIPAddress=192.168.88.55,
EndpointMacAddress=F8:0D:60:FF:86:E5, EndpointMatchedPolicy=Canon-Printer,

Error message :
com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:93 no
viable alternative at input '1'

--
Muhammed Irshad K T
Senior Software Engineer
+919447946359
irshadkt@gmail.com
Skype : muhammed.irshad.k.t
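The point Otto makes about the '-' marker, and the question in the reply about where structured data sits, can be seen by walking the sample through the RFC 5424 layout: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]. Structured data is its own field between MSGID and MSG, never part of the free-text message. In the ISE sample, CISE_Profiler lands in APP-NAME, 0038547765 in PROCID and 1 in MSGID, so the next token ("0", the ISE segment number) sits where the spec requires either '-' or a '[...]' element, which is why a strict parser stops there. The small parser below is an added illustration written for this page; it is not the simple-syslog-5424 library, Metron's Syslog5424Parser or BasicISEParser, and its allow_missing_sd option is a hypothetical version of the setting Otto suggests requesting upstream. The ise_fields helper is likewise an illustration of the Key=Value extraction an ISE parser performs on the message body, with a keep set standing in for the field filtering asked about. ISE_SAMPLE is the thread's own sample with the e-mail line wrapping undone; RFC_SAMPLE is example 2 from RFC 5424 section 6.5, included to show what valid structured data looks like.

```python
import re

# RFC 5424 layout: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
# SP MSGID SP STRUCTURED-DATA [SP MSG]. One group per header field; "rest" is
# everything after MSGID, i.e. the position where STRUCTURED-DATA must begin.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


class Rfc5424ParseError(ValueError):
    def __init__(self, message, column=None):
        super().__init__(message)
        self.column = column  # 0-based offset into the line, as in the ANTLR "1:93" report


def _drop_sp(s):
    """MSG is separated from STRUCTURED-DATA by exactly one SP; remove it."""
    return s[1:] if s.startswith(" ") else s


def _split_sd(rest):
    """Split the leading SD-ELEMENTs ('[...]', possibly several) off rest."""
    elements, i = [], 0
    while i < len(rest) and rest[i] == "[":
        j = i + 1
        # ']' inside a PARAM-VALUE must be escaped as '\]', so an unescaped ']' ends the element
        while j < len(rest) and not (rest[j] == "]" and rest[j - 1] != "\\"):
            j += 1
        if j >= len(rest):
            raise Rfc5424ParseError("unterminated SD-ELEMENT", column=i)
        elements.append(rest[i + 1:j])
        i = j + 1
    return elements, _drop_sp(rest[i:])


def parse_5424(line, allow_missing_sd=False):
    """Parse one RFC 5424 line into a dict. Strict mode (default, per the spec)
    requires STRUCTURED-DATA to be '-' or '[...]'; allow_missing_sd is a
    hypothetical lenient option that treats anything else as the start of MSG."""
    m = _HEADER.match(line)
    if m is None:
        raise Rfc5424ParseError("line does not match the RFC 5424 HEADER layout", column=0)
    fields = m.groupdict()
    rest = fields.pop("rest")
    fields["facility"], fields["severity"] = divmod(int(fields.pop("pri")), 8)
    if rest.startswith("-"):  # NILVALUE: no structured data
        sd, msg = None, _drop_sp(rest[1:])
    elif rest.startswith("["):  # one or more SD-ELEMENTs
        sd, msg = _split_sd(rest)
    elif allow_missing_sd:  # hypothetical: not a setting of the real library
        sd, msg = None, rest
    else:
        col = m.start("rest")
        raise Rfc5424ParseError(
            f"expected STRUCTURED-DATA ('-' or '[') at column {col}, got {rest[:1]!r}",
            column=col)
    fields["structured_data"], fields["msg"] = sd, msg
    return fields


def strict_error_column(line):
    """Column where a strict parse of line fails, or None if it is valid 5424."""
    try:
        parse_5424(line)
    except Rfc5424ParseError as e:
        return e.column
    return None


_KV = re.compile(r"^([A-Za-z0-9_.-]+)=(.*)$")


def ise_fields(msg, keep=None):
    """Illustrative Key=Value extraction from an ISE message body (not BasicISEParser).
    ISE writes a free-text prefix, then comma-separated unquoted pairs whose values
    may contain spaces or parentheses, so split on ',' and the first '=' only."""
    out = {}
    for part in msg.split(","):
        m = _KV.match(part.strip())
        if m is None:  # the free-text prefix, or the empty segment after a trailing comma
            continue
        if keep is None or m.group(1) in keep:
            out[m.group(1)] = m.group(2).strip()
    return out


# The sample from the thread, with the e-mail line wrapping undone.
ISE_SAMPLE = (
    "<182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com "
    "CISE_Profiler 0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228 "
    "80002 INFO  Profiler: Profiler EndPoint profiling event occurred, "
    "ConfigVersionId=267, OperatingSystem=FreeBSD 10.0-CURRENT (accuracy 92%), "
    "EndpointCertainityMetric=160, EndpointIPAddress=192.168.88.55, "
    "EndpointMacAddress=F8:0D:60:FF:86:E5, EndpointMatchedPolicy=Canon-Printer,"
)
# Example 2 from RFC 5424 section 6.5 (BOM omitted): what structured data looks like.
RFC_SAMPLE = (
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    "An application event log entry..."
)

if __name__ == "__main__":
    print("strict parse of the ISE sample fails at column", strict_error_column(ISE_SAMPLE))
    lenient = parse_5424(ISE_SAMPLE, allow_missing_sd=True)
    print("ISE fields:", ise_fields(lenient["msg"], keep={"EndpointIPAddress", "EndpointMacAddress"}))
```

Run as a script, the strict parse reports column 93, the same offset as the "Syntax error @ 1:93" in the thread's error, because the regex groups put "0" exactly where STRUCTURED-DATA must start. With allow_missing_sd=True the header fields come back as expected (facility 22, severity 6 from PRI 182, APP-NAME CISE_Profiler, PROCID 0038547765, MSGID 1, no structured data) and the remainder is handed to ise_fields, which returns only the keys named in keep. Note that a lenient option of this kind makes the parser accept any token at that position, so it should be an explicit, per-source setting rather than the default, as Otto's suggestion implies.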