From 71a342e9034b639ca1c3735c6e47f00909d3bfa5 Mon Sep 17 00:00:00 2001 From: Wing Date: Sat, 24 Sep 2016 10:52:20 +0800 Subject: [PATCH] Update Cisco patterns - CISCOTAG would have underscore in first part - CISCOTAG does not need non-capture (?:...) in the last part - CISCO_TAGGED_SYSLOG add support Cisco switch, switch will have a sequence number --- patterns/firewalls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patterns/firewalls b/patterns/firewalls index aa4e1e59..494cdd45 100644 --- a/patterns/firewalls +++ b/patterns/firewalls @@ -2,9 +2,9 @@ NETSCREENSESSIONLOG %{SYSLOGTIMESTAMP:date} %{IPORHOST:device} %{IPORHOST}: NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent} rcvd=%{INT:rcvd} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason} #== Cisco ASA == -CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}: +CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>(%{POSINT:seq_num}: )?%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?: %%{CISCOTAG:ciscotag}: CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME} -CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+) +CISCOTAG [A-Z0-9_]+-%{INT}-[A-Z0-9_]+ # Common Particles CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)*