sponnusa / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive
0 stars 2 forks source link

Documentation - Adding Parsers #105

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Elsa Rev: 708

The example on how to test parses does not seem to work. I want to have my ASA 
log messages parsed so that it will recognize source and destination on 
messages that looks like this message:

Ex.1
Deny TCP (no connection) from DMZ2050-10.100.50.22-lentdbtest/5666 to 
DMZ2199-10.100.199.21-gios-Live/56200 flags RST on interface DMZ2050-SYS-lent

Ex.2
Deny inbound UDP from 193.88.160.162/137 to 192.168.4.11/137 on interface Inside

Test from the documenation message that does not work:

root@logger:~# /usr/local/syslog-ng/bin/pdbtool test -p 
/usr/local/elsa/node/conf/patterndb.xml
Error parsing command line arguments: Unknown option -p
root@logger:~#
root@logger:~#
root@logger:~# /usr/local/syslog-ng/bin/pdbtool match -p 
/usr/local/elsa/node/conf/patterndb.xml -P test_prog -M "source_ip 1.1.1.1 sent 
50 bytes to destination_ip 2.2.2.2 from user joe"
MESSAGE=source_ip 1.1.1.1 sent 50 bytes to destination_ip 2.2.2.2 from user joe
PROGRAM=test_prog
.classifier.class=unknown

Original issue reported on code.google.com by jacobrav...@gmail.com on 12 Mar 2013 at 2:33

GoogleCodeExporter commented 9 years ago
Did you write a new parser, or are you testing to see if the existing parsers 
work to parse your ASA messages?  You should be testing with the actual 
messages (your example 1 and 2) instead of the "test_prog" and "source_ip..." 
text.  Make sure to use the actual program name sent like "%ASA-102030" or 
whatever it is.

Original comment by mchol...@gmail.com on 12 Mar 2013 at 5:04

GoogleCodeExporter commented 9 years ago
I want to write new parser, but i guess i don'r fully understand how this is 
done. The Cisco ASA logs i are getting are not all parsed.

Are there a online tool that can help me create the correct parser?

Original comment by jacobrav...@gmail.com on 13 Mar 2013 at 6:15

GoogleCodeExporter commented 9 years ago
No, there's no online tool right now to help.  However, based on the examples 
you listed, I've gone ahead and created three more ASA deny patterns.  If you 
update your log node with sh install.sh node update, your ELSA will use the 
latest pattern.  Please let me know if it doesn't work.

Original comment by mchol...@gmail.com on 13 Mar 2013 at 7:10

GoogleCodeExporter commented 9 years ago
Nice :-) , just updated, and there are some more logs that are not being parsed

Deny IP spoof from (0.0.0.0) to 10.6.128.5 on interface Management

Deny inbound icmp src TransportNet:172.27.10.42 dst TransportNet:10.0.180.1 
(type 8, code 0)

Deny TCP (no connection) from 87.55.209.68/55663 to 217.28.161.203/52983 flags 
FIN ACK on interface outside

Deny TCP (no connection) from 173.193.205.198/80 to 217.28.161.79/48165 flags 
SYN ACK on interface outside

Deny IP from 10.0.8.49 to 239.203.13.64, IP options: "Router Alert"

Original comment by jacobrav...@gmail.com on 13 Mar 2013 at 10:38

GoogleCodeExporter commented 9 years ago
Ok, I've just updated the patterndb.xml to cover those as well.  For
reference, the patterns I've added thus far are:

<pattern>Deny @ESTRING:i0: @@ESTRING::from
@@ESTRING:s0:-@@ESTRING:i1:-@@ESTRING::/@@ESTRING:i2:
@to @ESTRING:s1:-@@ESTRING:i3:-@@ESTRING::/@@ESTRING:i4: @</pattern>
<pattern>Deny inbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to
@ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
<pattern>Deny outbound @ESTRING:i0: @from @ESTRING:i1:/@@ESTRING:i2: @to
@ESTRING:i3:/@@ESTRING:i4: @on interface @ANYSTRING:s0:@</pattern>
<pattern>Deny IP spoof @ESTRING::to @@ESTRING:i3: @on interface
@ANYSTRING:s0:@</pattern>
<pattern>Deny inbound @ESTRING:i0: @src @ESTRING:s0::@@ESTRING:i1: @dst
@ESTRING:s1::@@ESTRING:i3: @</pattern>
<pattern>Deny @ESTRING:i0: @@ESTRING::from @@ESTRING:i1:/@@ESTRING:i2: @to
@ESTRING:i3:/@@ESTRING:i4: @@ESTRING::interface @@ANYSTRING:s0:@</pattern>
<pattern>Deny IP from @ESTRING:i1: @to @ESTRING:i3: @</pattern>

On Wed, Mar 13, 2013 at 5:38 PM, <
enterprise-log-search-and-archive@googlecode.com> wrote:

Original comment by mchol...@gmail.com on 14 Mar 2013 at 2:22

GoogleCodeExporter commented 9 years ago
Please create pattern for this log entry, username must be indexed
Teardown dynamic TCP translation from Inside:10.1.0.9/61894(DOMAIN\wali) to 
Outside:217.28.164.241/61894 duration 0:11:32

Built outbound TCP connection 267134428 for Outside:10.16.1.21/443 
(10.16.1.21/443) to Inside:10.0.209.31/63650 (10.0.209.31/63650)(DOMAIN\jbho)

Deny tcp src Inside:10.0.139.191/54620(DOMAIN\sccmclient) dst 
Outside:10.0.12.164/445 by access-group "CSM_FW_ACL_Inside" [0xa900b3db, 0x0]

Deny inbound icmp src Outside:10.0.11.78(DOMAIN\angr) dst Outside:172.16.8.113 
(type 8, code 0)

Original comment by jacobrav...@gmail.com on 29 Mar 2013 at 11:40

GoogleCodeExporter commented 9 years ago
Please check your documentation in regards to the commandline method for 
testing new parsers, and past the result here.

Could you please tell me what the name is for kind of parsers, ex. RegEX. Or 
point to website where i can learn more about how to create new parsers

Original comment by jacobrav...@gmail.com on 11 Apr 2013 at 8:22