Adding User Defined Log Parser Templates
Figure 15-6
Step 12   Click Add to input patterns.
The parsing patterns for the example above are specified to match the following example raw message reported in an event:

Teardown TCP connection 1000 faddr 67.126.151.132/80 gaddr 198.133.219.28/43246 laddr 10.1.1.30/890 (sudha) duration 01:00:02 bytes 1000000 (TCP FINs)
Step 13   The first step is to identify the values in the log that need to be parsed and stored in MARS events. Currently MARS supports the following parsed value fields in its events:
• Source address
• Destination address
• Source port
• Destination Port
• Protocol
• NAT Source address
• NAT Destination address
• NAT Source port
• NAT Destination Port
• NAT Protocol
• Device Time stamp
• Session Duration
• Received Time stamp
• Exchanged Bytes
• Reported User

Step 14   The parsing format can now be thought of as being made up of several KEY patterns, each followed by a VALUE pattern. Both KEY and VALUE patterns are regular expressions based on the PCRE library (Perl-compatible regular expressions; see Appendix B, "Regular Expression Reference," for details on syntax). Note that a KEY can be an empty string. A log format consists of several KEY-VALUE sub-pattern pairs.

Step 15

User Guide for Cisco Security MARS Local Controller
78-17020-01
Chapter 15 Configuring Custom Devices
Define Event Patterns
15-6
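The following is an added example, not code from the Cisco MARS product or this guide, showing how the KEY-VALUE sub-pattern idea above can be prototyped against the Teardown message before the patterns are typed into the parser template. Each tuple is one KEY pattern (possibly empty), the VALUE pattern whose match is stored, and the MARS parsed value field it feeds (None for values that are matched but not stored). The pattern syntax used is common to PCRE and Python's re module, so the same expressions can be validated locally; the assignment of faddr, gaddr and laddr to the Destination, NAT Source and Source fields is this example's assumption about the PIX-style message, not a mapping taken from the page. The template is matched against the whole raw message so that a template that fits only part of a line is rejected instead of silently storing values from the wrong positions.

```python
import re

# Example raw message from the page (the event the template must match).
RAW_MESSAGE = (
    "Teardown TCP connection 1000 faddr 67.126.151.132/80 gaddr "
    "198.133.219.28/43246 laddr 10.1.1.30/890 (sudha) duration 01:00:02 "
    "bytes 1000000 (TCP FINs)"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # non-capturing group keeps numbering stable

# Ordered KEY-VALUE sub-pattern pairs: (KEY regex, VALUE regex, MARS field).
# Field names are the parsed value fields listed in the guide; the faddr/gaddr/
# laddr assignment below is an assumption made for this example.
PAIRS = [
    (r"Teardown ",              r"TCP|UDP",            "Protocol"),
    (r" connection \d+ faddr ", IPV4,                  "Destination address"),
    (r"/",                      r"\d+",                "Destination Port"),
    (r" gaddr ",                IPV4,                  "NAT Source address"),
    (r"/",                      r"\d+",                "NAT Source port"),
    (r" laddr ",                IPV4,                  "Source address"),
    (r"/",                      r"\d+",                "Source port"),
    (r" \(",                    r"[^)]+",              "Reported User"),
    (r"\) duration ",           r"\d+:\d{2}:\d{2}",    "Session Duration"),
    (r" bytes ",                r"\d+",                "Exchanged Bytes"),
    (r" \(",                    r"[^)]*",              None),  # teardown reason
    (r"\)",                     "",                    None),  # KEY-only pair
]


def build_template(pairs):
    """Concatenate KEY-VALUE pairs into one regex; return it plus the field
    name stored by each capturing group (group i+1 -> fields[i])."""
    parts, fields = [], []
    for key, value, field in pairs:
        parts.append(key)
        if value:  # an empty VALUE adds no capturing group
            parts.append(f"({value})")
            fields.append(field)
    return re.compile("".join(parts)), fields


def parse_event(raw, pairs=PAIRS):
    """Return {MARS field: parsed string} for a raw message, or None when the
    template does not match the entire message."""
    regex, fields = build_template(pairs)
    match = regex.fullmatch(raw)
    if match is None:
        return None
    return {field: match.group(i + 1)
            for i, field in enumerate(fields) if field}


def duration_seconds(hms):
    """Normalise an hh:mm:ss Session Duration value to whole seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


if __name__ == "__main__":
    parsed = parse_event(RAW_MESSAGE)
    for field, value in parsed.items():
        print(f"{field:20s} {value}")
    print("duration (s):", duration_seconds(parsed["Session Duration"]))
```

A message that does not fit the template, such as a "Built outbound TCP connection" line, returns None rather than a partial dictionary, which is the behaviour to look for when testing a new template against several sample events.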