[ https://issues.apache.org/jira/browse/METRON-176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Sirota updated METRON-176:
--------------------------------
    Labels: ParserExtension  (was: )

> Create Cisco-ACS parser
> -----------------------
>
>                 Key: METRON-176
>                 URL: https://issues.apache.org/jira/browse/METRON-176
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Deeptaanshu Kumar
>              Labels: ParserExtension
>
> I will be creating a parser to handle Cisco-ACS logs.
>
> Here is a sample log:
>
> <181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: Command Authorization succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, Device IP Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unrestricted, RequestLatency=5, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=hpna, Port=tty2, Remote-Address=10.0.0.0, Authen-Method=None, Service-Argument=shell, AcsSessionID=MDCNMSACS002/242802909/91519025, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS, SelectedCommandSet=Unrestricted, IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22037 , Step=15044 ,
>
> Here is what the data will look like after parsing:
>
> sourcetype: cisco_acs
> priority: 181
> timestamp: May 19th 2016 03:12:07 UTC
> hostname: MDCNMSACS002
> category: Passed_Authentications
> message_id: 0093197809
> total_segments: 2
> segment_number: 0
> event_timestamp: May 19th, 2016 03:12:07 UTC
> sequence_number: 1214019921
> message_code: 5202
> severity: NOTICE
> message_class: Device-Administration
> message_text: Command Authorization succeeded
> ACSversion: acs-5.8.0.32-B.442.x86_64
> ConfigVersionId: 2097
> device_ip_address: 10.0.0.0
> ip_dst_addr: 10.0.0.0
> ip_dst_port: 49
> username: hpng
> CmdSet: [ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ]
> ACS_Protocol: Tacacs
> MatchedCommandSet: Unrestricted
> RequestLatency: 5
> Type: Authorization
> Privilege-Level: 15
> Authen-Type: ASCII
> Service: None
> ACS_User: hpng
> ACS_Port: tty2
> Remote-Address: 10.0.0.0
> Authen-Method: None
> Service-Argument: shell
> AcsSessionID: MDCNMSACS002/242802909/91519025
> AuthenticationIdentityStore: Internal Users
> AuthenticationMethod: Lookup
> SelectedAccessService: TACACS
> SelectedCommandSet: Unrestricted
> IdentityGroup: IdentityGroup:AllGroups:HPNA-Device-Interaction
> Steps: 13005, 15008, 15004, 15012, 15041, 15006, 15013, 24210, 24212, 22037, 15044
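The mapping the issue sketches (fixed-position syslog/ACS header, then a comma-separated key=value tail with repeated Step keys) can be exercised with the following stand-alone Python parser. It is an added illustration, not the Metron parser the ticket proposes; the field names follow the issue's expected output, the abridged sample line is constructed from the issue's example, and the UTC normalisation of event_timestamp assumes the offset in the log is authoritative.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the issue's example line, abridged to fewer key=value pairs.
SAMPLE = (
    "<181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 "
    "2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, "
    "Device IP Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, "
    "UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, "
    "Privilege-Level=15, AuthenticationIdentityStore=Internal Users, "
    "Step=13005 , Step=15008 , Step=15044 , "
)
# Fixed-position syslog/ACS header, followed by the free-form key=value tail.
HEADER = re.compile(
    r"^<(?P<priority>\d+)>(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"CSCOacs_(?P<category>\S+) (?P<message_id>\d+) (?P<total_segments>\d+) "
    r"(?P<segment_number>\d+) (?P<event_timestamp>\S+ \S+ [+-]\d\d:\d\d) "
    r"(?P<sequence_number>\d+) (?P<message_code>\d+) (?P<severity>\w+) "
    r"(?P<message_class>[^:]+): (?P<message_text>[^,]+), (?P<attrs>.*)$"
)
# Output names the issue assigns to ACS attributes that are renamed on the way through.
RENAME = {"ACSVersion": "ACSversion", "Device IP Address": "device_ip_address",
          "DestinationIPAddress": "ip_dst_addr", "DestinationPort": "ip_dst_port",
          "UserName": "username", "Protocol": "ACS_Protocol", "User": "ACS_User",
          "Port": "ACS_Port"}
INT_FIELDS = ("priority", "total_segments", "segment_number", "sequence_number",
              "message_code", "ip_dst_port", "Privilege-Level", "RequestLatency")

def parse_acs(line):
    # Parse one Cisco ACS syslog segment into the flat field set from the issue.
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a Cisco ACS syslog line")
    out = {"sourcetype": "cisco_acs", "Steps": [], **m.groupdict()}
    for item in out.pop("attrs").split(","):
        key, sep, value = (s.strip() for s in item.partition("="))
        if not sep:
            continue  # empty trailing element after the final ", "
        if key == "Step":  # repeated key: collect into one ordered list
            out["Steps"].append(int(value))
        else:
            out[RENAME.get(key, key)] = value
    # Normalise the event time to UTC, as the issue's expected output shows.
    ts = datetime.strptime(out["event_timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
    out["event_timestamp"] = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    for k in INT_FIELDS:
        if k in out:
            out[k] = int(out[k])
    return out
```

The total_segments/segment_number fields (2 and 0 in the sample) show that ACS splits long records across several syslog messages, so a production parser has to reassemble segments by message_id before the key=value tail is complete enough to split.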