Hi Ali,

For the grok parser there are essentially two passes at the grok pattern. The 
first determines the header and the device type, which then controls the 
pattern used for the second pass, which is device specific. Both patterns 
depend on the standard grok patterns in /patterns/asa on either the hdfs 
patterns path or the resources within compiled jars.

If you wish to extend these you could just edit the patterns on the hdfs 
location (if for example you have additional fields you need to extract beyond 
the device defaults). This could be brittle to parser upgrades, so it's worth 
tracking any future changes to the underlying base patterns. 

Simon 

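To make the two-pass scheme concrete, here is a small added illustration in Python that is not Metron's code and does not use Metron's own pattern files. It contains a tiny grok expander (grok patterns are named regular expressions, so `%{NAME:field}` is rewritten into a Python named group), a constructed header pattern for the first pass, and a constructed per-message pattern library keyed on the ASA message id for the second pass. The base pattern names, the device patterns and the sample log lines are all assumptions made up for this example; the two message formats shown (302013 and 106023) follow the general Cisco ASA syslog layout, but the field names are mine, not Metron's. The parse status fields are there so that any line the second pass cannot handle is visible rather than silently dropped, which is exactly what you want to watch when base patterns change under you.

```python
import re

# Constructed base patterns, standing in for the kind of definitions that live
# in a grok pattern file (e.g. the /patterns/asa directory mentioned above).
# These are illustrative and NOT Metron's actual patterns.
BASE_PATTERNS = {
    "INT": r"[0-9]+",
    "WORD": r"\w+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "MONTH": r"Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec",
    "TIME": r"[0-9]{2}:[0-9]{2}:[0-9]{2}",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "ACL_NAME": r'[^"]+',
    "GREEDYDATA": r".*",
    # Pattern references nest: ASA_ID reuses INT twice.
    "ASA_ID": r"%ASA-%{INT:severity}-%{INT:message_id}",
    # First-pass pattern: syslog header plus the ASA message id, body left greedy.
    "SYSLOG_HEADER": (
        r"<%{INT:priority}>%{MONTH:month} +%{INT:day} %{TIME:time} "
        r"%{HOSTNAME:host} %{ASA_ID}: %{GREEDYDATA:body}"
    ),
}

# Second-pass patterns, selected by the message id found in the first pass.
# Constructed for this example; field names are assumptions.
DEVICE_PATTERNS = {
    "302013": (
        r"Built %{WORD:direction} %{WORD:protocol} connection %{INT:connection_id} "
        r"for %{WORD:src_interface}:%{IP:src_ip}/%{INT:src_port} "
        r"\(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\) "
        r"to %{WORD:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} "
        r"\(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\)"
    ),
    "106023": (
        r"Deny %{WORD:protocol} src %{WORD:src_interface}:%{IP:src_ip}/%{INT:src_port} "
        r"dst %{WORD:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} "
        r'by access-group "%{ACL_NAME:acl_id}"'
    ),
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern, library, _depth=0):
    """Expand %{NAME} / %{NAME:field} references into a plain regex string."""
    if _depth > 20:
        raise ValueError("grok pattern reference too deeply nested (cycle?)")

    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in library:
            raise KeyError(f"unknown grok pattern {name}")
        inner = compile_grok(library[name], library, _depth + 1)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return GROK_REF.sub(expand, pattern)


HEADER_RE = re.compile(compile_grok("%{SYSLOG_HEADER}", BASE_PATTERNS))
DEVICE_RES = {
    msg_id: re.compile(compile_grok(p, BASE_PATTERNS))
    for msg_id, p in DEVICE_PATTERNS.items()
}


def parse_asa(line):
    """Two-pass parse: header first, then the message-specific body pattern.

    Returns None when the line is not an ASA syslog line at all, otherwise a
    dict of fields with a parse_status so unmatched bodies stay visible.
    """
    header = HEADER_RE.match(line)
    if header is None:
        return None
    fields = header.groupdict()
    body = fields.pop("body")
    body_re = DEVICE_RES.get(fields["message_id"])
    if body_re is None:
        fields.update(body=body, parse_status="unknown_message_id")
        return fields
    m = body_re.match(body)  # prefix match: trailing flags such as [0x0, 0x0] are tolerated
    if m is None:
        fields.update(body=body, parse_status="body_pattern_mismatch")
        return fields
    fields.update(m.groupdict(), parse_status="ok")
    return fields


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LINES = [
    "<166>Mar 08 00:13:45 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.7/443 (203.0.113.7/443) to inside:192.168.1.10/51234 (192.168.1.10/51234)",
    '<164>Mar 08 00:13:46 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4321 '
    'dst inside:192.168.1.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "<166>Mar 08 00:13:47 fw01 %ASA-6-999999: Some message this example has no pattern for",
    "not an asa line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa(line))
```

Adding a field beyond the device defaults in this model means editing the entry in `DEVICE_PATTERNS` for that message id; keeping a count of `parse_status != "ok"` per message id is a cheap way to notice when a changed base pattern has stopped a device pattern from matching.
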
> On 8 Mar 2017, at 00:13, Ali Nazemian <alinazem...@gmail.com> wrote:
> 
> Hi Kyle,
> 
> Thank you very much. I should have asked the question earlier. We have done 
> most of the Grok statement implementations so far! I haven't checked the 
> source code for any Grok sample parser.
> 
> For the Grok deployment, are you saying that we need to put all of the grok 
> statements inside the Metron Management-UI and we only need to create a Kafka 
> topic for that?
> 
> Regards,
> Ali
> 
>> On Tue, Mar 7, 2017 at 11:26 PM, Kyle Richardson <kylerichards...@gmail.com> 
>> wrote:
>> Hi Ali,
>> 
>> There is a grok-based ASA parser included in the Metron code base that you 
>> can try out. If you find it's missing patterns or requires modifications, 
>> I'd be happy to work with you to improve on it.
>> 
>> You should be able to test it out by creating a new Kafka topic 'asa' and 
>> pointing your raw logs there. Let me know if you run into any issues.
>> 
>> Thanks,
>> Kyle
>> 
>>> On Mon, Mar 6, 2017 at 9:51 PM, Ali Nazemian <alinazem...@gmail.com> wrote:
>>> Hi all,
>>> 
>>> I am building a customized version of ASA parser using Grok statements. I 
>>> have prepared the Grok requirements so far. I am using the following manual 
>>> which has been provided for the Grok squid parser. I couldn't find anything 
>>> else as an end-to-end manual for deploying a Grok parser, and I have some 
>>> trouble mapping this manual to the Hortonworks Cyber Security release. For 
>>> example, I couldn't find the step-5 alternative in the Hortonworks one. I would 
>>> be grateful if somebody could provide a link to a better and more up-to-date 
>>> manual for deploying a Grok Parser in Metron 0.3.
>>> 
>>> Regards,
>>> Ali
>> 
> 
