Hi,
I'm using a Cisco router, and when I initially set up the forwarder with a CISCO_ROUTER forwarder, it provided very little information in the UDM.
I then switched to a CISCO_VPN forwarder, which didn't parse my log entry at all, and then, when I tried the CISCO_SWITCH forwarder, I got more information, as you can see below, but not the important information I need.
This is the raw log:
<14>1 2024-11-10T21:23:25+08:00 router0ABCD log_sslvpnac - - [meta sequenceId="16"] facility=SslVpn;msg=INFO sslvpn_appl.c.146[747CF470] Client is Web Browser;
This is the UDM. As you can see, the msg data (which I need) wasn't parsed:
metadata.base_labels.allow_scoped_access = true
metadata.base_labels.log_types = "CISCO_SWITCH"
metadata.base_labels.namespaces = "LAN"
metadata.event_timestamp.seconds = 1731245064
metadata.event_timestamp.nanos = 229863000
metadata.event_type = "STATUS_UPDATE"
metadata.id = "AAAAAF2JL0NEDomaQVosIKN7W6cAAAAABgAAAA8AAAA="
metadata.ingested_timestamp.seconds = 1731245064
metadata.ingested_timestamp.nanos = 229863000
metadata.log_type = "CISCO_SWITCH"
metadata.product_event_type = "log_sslvpnac"
metadata.product_name = "Cisco Switch"
metadata.vendor_name = "Cisco"
principal.asset.hostname = "router0ABCD"
principal.hostname = "router0ABCD"
principal.namespace = "LAN"
Is it possible to add in the events section of the Rule Editor the ability to search for a string in the raw log itself, or am I forced to modify the parser (which I don't know how)?
Alternatively, is there another Cisco forwarder anyone can recommend that may yield a better outcome?
Thanks
I managed to create this extension, which I could validate. It doesn't break down the fields like I wanted, but using RegEx afterwards does yield the outcome I need:
filter {
    # Start from empty fields so a failed grok match leaves nothing stale behind.
    mutate {
        replace => {
            "syslog" => ""
            "description" => ""
        }
    }
    # Split the raw line at the "[meta sequenceId="..."]" structured-data element:
    # everything before it goes to "syslog", everything after it to "description".
    grok {
        match => {
            "message" => ["(?<syslog>.*?)\[meta sequenceId=\"\d+\"\]\s*(?<description>.*)"]
        }
        overwrite => ["syslog", "description"]
    }
    # Only populate the UDM description when the grok match actually produced one.
    if [description] != "" {
        mutate {
            replace => {
                "event.idm.read_only_udm.metadata.description" => "%{description}"
            }
        }
    }
    #statedump{}
    mutate {
        merge => {
            "@output" => "event"
        }
    }
}
I hope that it will be useful to other members of this community.
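To show what the grok split above captures, and how the description it produces can be broken down further into facility, message level, source and text, here is an added Python example (not part of the original post or of any Chronicle parser). It uses the raw log line from the question as a constructed sample; the field names it emits (sequence_id, msg_level, msg_source, msg_text) are my own choice, not UDM fields.

```python
import re

# Constructed sample: the raw log line quoted in the question above.
RAW_LOG = (
    '<14>1 2024-11-10T21:23:25+08:00 router0ABCD log_sslvpnac - - '
    '[meta sequenceId="16"] facility=SslVpn;msg=INFO sslvpn_appl.c.146[747CF470] Client is Web Browser;'
)

# Same split as the grok pattern in the answer: everything before the
# "[meta sequenceId=...]" element is the syslog header, everything after it the description.
SPLIT_RE = re.compile(r'(?P<syslog>.*?)\[meta sequenceId="(?P<sequence_id>\d+)"\]\s*(?P<description>.*)')

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER_RE = re.compile(
    r'<(?P<pri>\d+)>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+'
    r'(?P<appname>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s*$'
)

# The msg value in the sample has the shape "<LEVEL> <source file/ref> <free text>".
MSG_RE = re.compile(r'(?P<level>[A-Z]+)\s+(?P<source>\S+)\s+(?P<text>.*)')


def parse_sslvpn_log(line):
    """Return a dict of extracted fields, or None if the line has no meta element."""
    m = SPLIT_RE.match(line)
    if not m:
        return None
    result = {"sequence_id": int(m.group("sequence_id"))}
    header = HEADER_RE.match(m.group("syslog"))
    if header:
        pri = int(header.group("pri"))
        result["syslog_facility"] = pri // 8   # PRI = facility * 8 + severity
        result["severity"] = pri % 8
        for key in ("timestamp", "hostname", "appname"):
            result[key] = header.group(key)
    description = m.group("description")
    result["description"] = description
    # The description is a list of "key=value;" pairs; the msg value itself may contain spaces.
    for field in description.strip().split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            result[key.strip()] = value.strip()
    msg = MSG_RE.match(result.get("msg", ""))
    if msg:
        result["msg_level"] = msg.group("level")
        result["msg_source"] = msg.group("source")
        result["msg_text"] = msg.group("text")
    return result
```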