[ 
https://issues.apache.org/jira/browse/METRON-176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Casey Stella updated METRON-176:
--------------------------------
    Fix Version/s:     (was: 0.2.2BETA)

> Create Cisco-ACS parser
> -----------------------
>
>                 Key: METRON-176
>                 URL: https://issues.apache.org/jira/browse/METRON-176
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Deeptaanshu Kumar
>            Priority: Minor
>              Labels: ParserExtension, platform
>
> I will be creating a parser to handle Cisco-ACS logs.
> Here is a sample log:
> <181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 
> 0 2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE 
> Device-Administration: Command Authorization succeeded, 
> ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, Device IP 
> Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, 
> UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], 
> Protocol=Tacacs, MatchedCommandSet=Unrestricted, RequestLatency=5, 
> Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, 
> User=hpna, Port=tty2, Remote-Address=10.0.0.0, Authen-Method=None, 
> Service-Argument=shell, AcsSessionID=MDCNMSACS002/242802909/91519025, 
> AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, 
> SelectedAccessService=TACACS, SelectedCommandSet=Unrestricted, 
> IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, Step=13005 , 
> Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , 
> Step=24210 , Step=24212 , Step=22037 , Step=15044 ,
> Here is what the data will look like after parsing:
> sourcetype: cisco_acs
> priority: 181
> timestamp: May 19th 2016 03:12:07 UTC
> hostname: MDCNMSACS002
> category: Passed_Authentications
> message_id: 0093197809
> total_segments: 2
> segment_number: 0
> event_timestamp: May 19th, 2016 03:12:07 UTC
> sequence_number: 1214019921
> message_code: 5202
> severity: NOTICE
> message_class: Device-Administration
> message_text: Command Authorization succeeded
> ACSversion: acs-5.8.0.32-B.442.x86_64
> ConfigVersionId: 2097
> device_ip_address: 10.0.0.0
> ip_dst_addr: 10.0.0.0
> ip_dst_port: 49
> username: hpng
> CmdSet: [ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ]
> ACS_Protocol: Tacacs
> MatchedCommandSet: Unrestricted
> RequestLatency: 5
> Type: Authorization
> Privilege-Level: 15
> Authen-Type: ASCII
> Service: None
> ACS_User: hpng
> ACS_Port: tty2
> Remote-Address: 10.0.0.0
> Authen-Method: None
> Service-Argument: shell
> AcsSessionID: MDCNMSACS002/242802909/91519025
> AuthenticationIdentityStore: Internal Users
> AuthenticationMethod: Lookup
> SelectedAccessService: TACACS
> SelectedCommandSet: Unrestricted
> IdentityGroup: IdentityGroup:AllGroups:HPNA-Device-Interaction
> Steps: 13005, 15008, 15004, 15012, 15041, 15006, 15013, 24210, 24212, 22037, 
> 15044
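A parser for the line format quoted above, added here as an example; it is not part of the ticket or of Metron's Java parser code. The field names follow the expected output the reporter listed, the sample input is rebuilt (abridged) from the wrapped ticket text, and the syslog header timestamp, which carries no year or zone, borrows both from the event timestamp (an assumption).

```python
import re
from datetime import datetime, timezone

# Constructed test input: the ticket's sample rejoined into one line and abridged.
SAMPLE = (
    "<181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 "
    "2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, "
    "Device IP Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, "
    "CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, User=hpna, Port=tty2, "
    "AcsSessionID=MDCNMSACS002/242802909/91519025, AuthenticationIdentityStore=Internal Users, "
    "IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, Step=13005 , Step=15008 , "
    "Step=15004 , Step=15012 ,")

HEADER = re.compile(
    r"^<(?P<priority>\d+)>(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) CSCOacs_(?P<category>\S+) "
    r"(?P<message_id>\d+) (?P<total_segments>\d+) (?P<segment_number>\d+) "
    r"(?P<event_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) (?P<sequence_number>\d+) "
    r"(?P<message_code>\d+) (?P<severity>\w+) (?P<message_class>[^:]+): (?P<message_text>[^,]+), (?P<rest>.*)$")

# Attribute renames taken from the ticket's expected output; other attributes keep their ACS name.
RENAME = {"Device IP Address": "device_ip_address", "DestinationIPAddress": "ip_dst_addr",
          "DestinationPort": "ip_dst_port", "UserName": "username", "Protocol": "ACS_Protocol",
          "User": "ACS_User", "Port": "ACS_Port", "ACSVersion": "ACSversion"}

def parse_cisco_acs(line):
    """Parse one Cisco ACS syslog line into the flat field set the ticket lists."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a Cisco ACS syslog line")
    out = {"sourcetype": "cisco_acs", **m.groupdict()}
    for k in ("priority", "total_segments", "segment_number", "sequence_number", "message_code"):
        out[k] = int(out[k])
    event = datetime.strptime(out.pop("event_ts"), "%Y-%m-%d %H:%M:%S.%f %z")
    out["event_timestamp"] = event.astimezone(timezone.utc).isoformat()
    # Assumption: the syslog header stamp has no year or zone, so both are borrowed from the event stamp.
    hdr = datetime.strptime(f"{event.year} {out.pop('syslog_ts')}", "%Y %b %d %H:%M:%S")
    out["timestamp"] = hdr.replace(tzinfo=event.tzinfo).astimezone(timezone.utc).isoformat()
    steps = []
    for pair in out.pop("rest").rstrip(" ,").split(", "):  # ACS emits one "Step=N ," per policy step
        key, _, value = pair.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Step":
            steps.append(int(value))
        elif key:
            out[RENAME.get(key, key)] = value
    out["Steps"] = steps
    return out
```

Splitting on ", " is safe for the CmdSet value because ACS brackets it without commas; a value containing ", " would need a smarter tokenizer.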



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)