Omar,
please look at the attached file with my very simple documentation.
The basic idea is the modification of event 0x210c0e.
We use this solution with Spectrum v. 9.1.2.12 on Windows servers.
It’s also tested with 9.2.0.3.
Hope this helps.
Regards, Frank
PS: Some info for all users of 9.2.0.3:
In 9.2.0.3 the switch “Show events for subcomponents (Ports, Applications,
etc)” in the Event Filter window is out of order!
You can click it but you will not get the subcomponents events!!!
From: [email protected]
Sent: Tuesday, 1 March 2011 11:19
To: spectrum
Subject: [spectrum] Cisco ASA syslog mapping
Hi,
I'm using Spectrum 9.2 on Windows servers and would like to map some syslog
messages coming from Cisco ASA firewalls into events. Spectrum has support for
syslog messages from routers, switches and PIX firewalls. Is there a way to make
similar support for ASA firewalls? ASA model type is GnCiscoDev. There is a
GenCisco.txt file in <Specroot>SS\CsVendor\Cisco_Router but it's empty.
Any advice is appreciated!
Kind regards,
___________________
Omar Izetbegović
Sedam IT d.o.o.
HR - 10 000 Zagreb
Borongajska cesta 81a
Tel: +385 1 2353 738
Fax: +385 1 2353 707
Mob: +385 91 2353 738
www.sedamIT.hr
___________________
Disclaimer: The information in this email is confidential and it is intended
solely for the addressee. Access to this email by anyone else is unauthorized.
If you are not the intended recipient, any distribution, copying, duplication
or disclosure is prohibited and may be unlawful. If you have received this
email in error, please notify the sender immediately and destroy it, and all
copies of it. This footnote also confirms that this email message has been
swept for the presence of computer viruses.
---
To unsubscribe from spectrum, send email to [email protected] with the body:
unsubscribe spectrum [email protected]
Frank Elliger
IT Department
HUK-COBURG
Bahnhofsplatz
96444 Coburg
Phone: 09561 96-1870
Fax: 09561 96-3670
E-Mail: [email protected]
Internet: www.huk.de
________________________________
HUK-COBURG Haftpflicht-Unterstützungs-Kasse kraftfahrender Beamter Deutschlands
a. G. in Coburg
Registration court Coburg HRB 100; Tax no. 9212/101/00021
Registered office: Bahnhofsplatz, 96444 Coburg
Chairman of the Supervisory Board: Werner Strohmayr.
Management Board: Dr. Wolfgang Weiler (Spokesman), Wolfgang Flaßhoff, Stefan Gronbach,
Klaus-Jürgen Heitmann, Dr. Hans Olav Herøy, Jörn Sandig.
________________________________
This information may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this information in
error) please notify the sender immediately and destroy this information.
Any unauthorized copying, disclosure or distribution of the material in this
information is strictly forbidden.
________________________________
ASA Alarms in Spectrum
# Custom EventDisp File
# 1. Modify the event 0x210c0e condition rule to generate a new event 0xfff11001 for ASA syslog messages
0x210c0e R CA.EventCondition, "(regexp({v 3}, {S \"Syslog\"}) && regexp({v 4}, {S \"ASA\"}))" , "0xfff11001 -:-","({v 2} == {I 1}) || ({v 2} == {I 2})" , "0x21001c -:-","({v 2} == {I 3}) || ({v 2} == {I 4})" , "0x21001b -:-","({v 2} == {I 5})" , "0x21001a -:-","default" , "0x210017 -:-"
# 2. Create an event condition rule for the new event to select the messages and generate new events.
# 3. In this rule copy var 4 to var 76620 in the new events, to get the alarm title from the syslog message
0xfff11001 E 0 R CA.EventCondition, "(regexp({v 4}, {S \"ASA-1-104001\"}))" , "0xfff11100 1:1,2:2,3:3,4:76620,5:5","(regexp({v 4}, {S \"ASA-1-104002\"}))" , "0xfff11101 1:1,2:2,3:3,4:76620,5:5","(regexp({v 4}, {S \"ASA-1-104004\"}))" , "0xfff11102 1:1,2:2,3:3,4:76620,5:5","(regexp({v 4}, {S \"ASA-1-103001\"}) || regexp({v 4}, {S \"ASA-1-105003\"}) || regexp({v 4}, {S \"ASA-1-105004\"}) || regexp({v 4}, {S \"ASA-1-105005\"}) || regexp({v 4}, {S \"ASA-1-105008\"}) || regexp({v 4}, {S \"ASA-1-105032\"}) || regexp({v 4}, {S \"ASA-1-105043\"}) || regexp({v 4}, {S \"ASA-1-709003\"}) || regexp({v 4}, {S \"ASA-1-709004\"}) || regexp({v 4}, {S \"ASA-1-709006\"}) || regexp({v 4}, {S \"ASA-4-411001\"}) || regexp({v 4}, {S \"ASA-4-411002\"}))" , "0xfff11103 1:1,2:2,3:3,4:76620,5:5","({I 0} == {I 0})" , "0xfff11104 -:-"
# 4. Use the new events to generate alarms with variable severity
0xfff11100 E 0 A { v 2 CiscoASA.ASATrapSeverityListe },0xfff11100,U
0xfff11101 E 0 A { v 2 CiscoASA.ASATrapSeverityListe },0xfff11101,U
0xfff11102 E 0 A { v 2 CiscoASA.ASATrapSeverityListe },0xfff11102,U
0xfff11103 E 0 A { v 2 CiscoASA.ASATrapSeverityListe },0xfff11103,U
0xfff11104 E 0
#######################################################################################################################################################
# ASATrapSeverityListe (Path: custom\Events\CiscoASA\SeverityMaps\ASATrapSeverityListe)
0 0
1 3
2 3
3 2
4 2
5 1
6 0
#######################################################################################################################################################
# Probable Cause File Probfff11101 (Example)
ASA-1-104002: (Primary) Switching to STNDBY
SYMPTOMS:
ASA has switched from primary to standby
PROBABLE CAUSES:
ASA has switched from primary to standby
RECOMMENDED ACTIONS:
1) Refer to the Event Message associated with this alarm for additional details
that the device may have provided about the cause of this condition.
2) Review the Events associated with this model that occurred in the same time
frame as this alarm in order to gain insight into the device's state. These
can be viewed from the Events tab in OneClick.
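A small offline check of the rule chain in the attachment, as an added example in Python; it is not part of Frank's file and not CA Spectrum code. It re-implements the four steps so that sample syslog lines can be run through them before the EventDisp is deployed: which event id a line ends up as, whether an alarm is raised, and which ASATrapSeverityListe severity it gets. Assumptions: Spectrum's syslog event variables are modelled as a dict with {v 2} = syslog severity, {v 3} = "Syslog", {v 4} = message text and {v 76620} = alarm title; the function names parse_syslog(), rule_0x210c0e(), rule_0xfff11001(), alarm_severity() and dispatch() are the example's own; the sample lines are constructed, not captured from a device.

```python
import re

# Message-ID groups exactly as listed in the 0xfff11001 rule of the attachment.
FAILOVER_EVENTS = {            # one event per message id
    "ASA-1-104001": 0xfff11100,
    "ASA-1-104002": 0xfff11101,
    "ASA-1-104004": 0xfff11102,
}
GROUPED_IDS = [                # all of these are collected into 0xfff11103
    "ASA-1-103001", "ASA-1-105003", "ASA-1-105004", "ASA-1-105005",
    "ASA-1-105008", "ASA-1-105032", "ASA-1-105043", "ASA-1-709003",
    "ASA-1-709004", "ASA-1-709006", "ASA-4-411001", "ASA-4-411002",
]
ALARM_EVENTS = set(FAILOVER_EVENTS.values()) | {0xfff11103}

# ASATrapSeverityListe from the attachment: syslog severity ({v 2}) -> Spectrum alarm severity.
ASA_TRAP_SEVERITY = {0: 0, 1: 3, 2: 3, 3: 2, 4: 2, 5: 1, 6: 0}


def parse_syslog(line):
    """Build the (assumed) Spectrum variable dict from one syslog line.

    The severity is taken from the %FACILITY-<sev>-MNEMONIC: prefix that ASA and
    IOS devices put in front of the message text; a line without that prefix is
    treated as informational (6), which is an assumption of this example.
    """
    m = re.search(r"%[A-Z_]+-(\d)-[A-Z0-9_]+:", line)
    severity = int(m.group(1)) if m else 6
    return {2: severity, 3: "Syslog", 4: line}


def rule_0x210c0e(v):
    """Step 1: the modified condition list on 0x210c0e; the first true clause wins."""
    if re.search("Syslog", v[3]) and re.search("ASA", v[4]):
        return 0xfff11001
    if v[2] in (1, 2):
        return 0x21001c
    if v[2] in (3, 4):
        return 0x21001b
    if v[2] == 5:
        return 0x21001a
    return 0x210017            # the "default" clause


def rule_0xfff11001(v):
    """Steps 2 and 3: pick the message and copy {v 4} into {v 76620} (varmap 4:76620)."""
    for msg_id, event in FAILOVER_EVENTS.items():
        if re.search(msg_id, v[4]):
            v[76620] = v[4]    # the syslog text becomes the alarm title
            return event
    if any(re.search(msg_id, v[4]) for msg_id in GROUPED_IDS):
        v[76620] = v[4]
        return 0xfff11103
    return 0xfff11104          # ({I 0} == {I 0}) is always true: catch-all, logged only


def alarm_severity(event, v):
    """Step 4: A { v 2 CiscoASA.ASATrapSeverityListe } applies to the four alarm events."""
    if event in ALARM_EVENTS:
        return ASA_TRAP_SEVERITY.get(v[2], 0)
    return None                # 0xfff11104 and the generic events: E 0 only, no alarm here


def dispatch(line):
    """Run one syslog line through the whole chain: (event id, alarm severity, alarm title)."""
    v = parse_syslog(line)
    event = rule_0x210c0e(v)
    if event == 0xfff11001:
        event = rule_0xfff11001(v)
    return event, alarm_severity(event, v), v.get(76620)


if __name__ == "__main__":
    # Constructed sample lines for the example, not captured from a real device.
    for sample in [
        "%ASA-1-104002: (Primary) Switching to STNDBY",
        "%ASA-4-411001: Line protocol on Interface outside, changed state to up",
        "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443",
        "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    ]:
        event, sev, title = dispatch(sample)
        print(f"{sample[:36]:36s} -> event 0x{event:x}, alarm severity {sev}")
```

Two things the simulator makes visible when checking the rules: the regexp() calls are unanchored substring matches, so any message whose text contains "ASA" takes the 0xfff11001 path and a listed message id matches wherever it appears in the text; and the ({I 0} == {I 0}) clause catches everything else, so ASA messages that are not in the lists are logged as 0xfff11104 without an alarm, which is the place to look when an expected alarm does not show up.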