[ https://issues.apache.org/jira/browse/METRON-1065?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16345246#comment-16345246 ]
ASF GitHub Bot commented on METRON-1065:
----------------------------------------

Github user ottobackwards commented on the issue:

    https://github.com/apache/metron/pull/670

    Deconflict and bump?

> Grok pattern for Cisco ASA Parser expects syslog_pri
> ----------------------------------------------------
>
>                 Key: METRON-1065
>                 URL: https://issues.apache.org/jira/browse/METRON-1065
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: 0.4.1
>            Reporter: Bas van de Lustgraaf
>            Priority: Minor
>
> The current grok pattern `CISCO_TAGGED_SYSLOG` expects to have a syslog
> priority present at the start of each message. Unfortunately, this is not
> always the case.
>
> *Currently supported:*
> {noformat}
> <162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from
> 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
> {noformat}
>
> *Not supported by the current Grok pattern:*
> {noformat}
> Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from
> 10.25.177.164/63279 to 10.2.52.71/161 on interface Inside
> {noformat}
>
> My suggestion would be to edit the `CISCO_TAGGED_SYSLOG` pattern to make the
> following part optional:
> {noformat}
> <%{POSINT:syslog_pri}>
> {noformat}
>
> And grep the severity from the `%ASA-4-106023` part. The part between the
> hyphens is the severity (source:
> http://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
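The parsing change proposed in the quoted issue, shown as an added example that is not Metron's grok pattern or any code from the pull request: a Python regular expression in which the `<pri>` prefix is optional and the severity is read from the `%ASA-<severity>-<message_id>` tag. The pattern, the `parse_asa_line` function and the two sample lines (the issue's examples joined back onto single lines) are all constructed here; the severity names come from the Cisco severity-level reference linked in the issue. When the priority prefix is present, the function also cross-checks its severity bits (`PRI % 8`, per RFC 3164) against the severity in the ASA tag, which is a cheap way to catch a feed where the two disagree.

```python
import re
from typing import Optional

# Constructed pattern (not Metron's CISCO_TAGGED_SYSLOG): the <pri> prefix is
# optional, as the issue proposes for <%{POSINT:syslog_pri}>, and the severity
# is captured from the %ASA-<severity>-<message_id> tag instead.
ASA_LINE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"                               # optional <162>
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "   # Aug 05 2016 01:02:25:
    r"%ASA-(?P<severity>[0-7])-(?P<message_id>\d{6}): "               # %ASA-2-106006:
    r"(?P<message>.*)$"                                               # free-text message
)

# Cisco ASA severity levels, from the Cisco syslog severity reference linked in the issue.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


def parse_asa_line(line: str) -> Optional[dict]:
    """Parse one ASA syslog line into fields; return None if it does not match."""
    m = ASA_LINE.match(line.strip())
    if m is None:
        return None
    severity = int(m.group("severity"))
    result = {
        "timestamp": m.group("timestamp"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "message_id": m.group("message_id"),
        "message": m.group("message"),
        "syslog_pri": None,
        "facility": None,
        "pri_severity_matches": None,
    }
    pri = m.group("syslog_pri")
    if pri is not None:
        # RFC 3164: PRI = facility * 8 + severity. With the prefix present we can
        # cross-check the syslog severity against the one carried in the ASA tag.
        pri = int(pri)
        result["syslog_pri"] = pri
        result["facility"] = pri // 8
        result["pri_severity_matches"] = (pri % 8) == severity
    return result


# Constructed sample lines: the issue's two cases, each joined onto a single line.
SAMPLE_WITH_PRI = (
    "<162>Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from "
    "10.25.177.164/63279 to 10.2.52.71/161 on interface Inside"
)
SAMPLE_WITHOUT_PRI = (
    "Aug 05 2016 01:02:25: %ASA-2-106006: Deny inbound UDP from "
    "10.25.177.164/63279 to 10.2.52.71/161 on interface Inside"
)


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_PRI, SAMPLE_WITHOUT_PRI):
        print(parse_asa_line(sample))
```

Both sample lines now parse to the same severity (2, "critical") and message id; the first additionally yields `syslog_pri` 162, facility 20 (local4), and a matching severity cross-check, while the second leaves the priority-derived fields as `None` rather than failing to parse.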