Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 315

Chapter 15
Configuring Custom Devices
Figure 15-7
Step 16
In the above example, the Position refers to the position of each KEY-VALUE sub-pattern pair. These KEY-VALUE sub-pattern pairs are concatenated in the order of their positions and used for matching against the raw message in an event. The parser allows arbitrary whitespace between the KEY and VALUE patterns, as well as between successive KEY-VALUE sub-patterns.
Step 17
In the above example, the Key-Pattern "Teardown" is a simple regular expression that has no wildcards or repetitions.
Step 18
The Parsed Field is one of the fields of a MARS event that has been fully parsed. In the above case, it is the protocol field.
Step 19
The Value Type tells the parser what kind of value to expect so that a suitable parsing action can be applied to the matching sub-pattern string. By choosing "Protocol (String)" as the value type above, we indicate that the protocol field arrives as a string as defined in the file /etc/protocols on a UNIX system. For example, "TCP" is the string captured by the value pattern, and the Value Type indicates that TCP is to be converted into its protocol number, 6.
Step 20
Pattern Name is a mnemonic given to the standard regular expression patterns available to the user who is specifying the log format. There are several common predefined patterns with appropriate names. In the edit box directly below the Pattern Name list, a user can add new value names to identify value patterns that are commonly used in their logs. In the above figure, the value pattern captures all word-character strings, which may also include the characters '-', '/' and '+'.
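The matching that Steps 16 through 20 describe, worked through as an added Python example. This is not code from the manual or from MARS itself: the pattern-name mnemonics, the Parsed Field names, the sub-pattern table, the ASA-style sample message and the small stand-in for /etc/protocols are all constructed here for illustration. It shows the sub-patterns being concatenated in Position order with arbitrary whitespace allowed between key and value and between pairs, the "Teardown" key pattern, the word-character value pattern that also accepts '-', '/' and '+', and the "Protocol (String)" value type turning "TCP" into 6.

```python
import re
from typing import Optional

# Constructed subset of /etc/protocols (name -> protocol number). MARS reads
# the real file on the appliance; this table only stands in for it offline.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# Predefined value patterns keyed by a Pattern Name mnemonic. The names are
# assumptions; only the first pattern is the one described on this page.
PATTERN_NAMES = {
    "WORD_DASH_SLASH_PLUS": r"[\w\-/+]+",        # word chars plus '-', '/', '+'
    "IPV4": r"\d{1,3}(?:\.\d{1,3}){3}",
    "INTEGER": r"\d+",
}

# KEY-VALUE sub-patterns as (Position, definition). Listed deliberately out of
# order to show that concatenation follows Position, not entry order.
SUBPATTERNS = [
    (2, {"key_pattern": r"connection", "pattern_name": "INTEGER",
         "parsed_field": "connection_id", "value_type": "Integer"}),
    (1, {"key_pattern": r"Teardown", "pattern_name": "WORD_DASH_SLASH_PLUS",
         "parsed_field": "protocol", "value_type": "Protocol (String)"}),
    (3, {"key_pattern": r"for\s+outside:", "pattern_name": "IPV4",
         "parsed_field": "src_ip", "value_type": "String"}),
]

# Constructed ASA-like teardown message (not a captured log line).
SAMPLE_TEARDOWN = ("%ASA-6-302014: Teardown TCP connection 12345 for "
                   "outside:203.0.113.5/443 to inside:10.0.0.7/51234 "
                   "duration 0:00:01 bytes 4520 TCP FINs")


def convert(value: str, value_type: str):
    """Apply the parsing action selected by the Value Type."""
    if value_type == "Protocol (String)":
        number = PROTOCOLS.get(value.lower())
        if number is None:
            # Unknown name: refuse rather than store a bogus protocol number.
            raise ValueError(f"unknown protocol name: {value!r}")
        return number
    if value_type == "Integer":
        return int(value)
    return value  # plain String: keep the captured text as-is


def build_regex(subpatterns) -> re.Pattern:
    """Concatenate KEY-VALUE sub-patterns in Position order.

    \\s* between key and value, and between pairs, is what allows the
    arbitrary whitespace described in Step 16."""
    parts = []
    for _pos, sp in sorted(subpatterns, key=lambda item: item[0]):
        key_re = sp["key_pattern"]
        value_re = PATTERN_NAMES[sp["pattern_name"]]
        name = sp["parsed_field"]
        # Named group so the captured value maps back to its Parsed Field.
        parts.append(rf"(?:{key_re})\s*(?P<{name}>{value_re})")
    return re.compile(r"\s*".join(parts))


def parse_event(raw: str, subpatterns) -> Optional[dict]:
    """Match the raw message and return Parsed Field -> converted value,
    or None when the concatenated pattern does not occur in the message."""
    match = build_regex(subpatterns).search(raw)
    if match is None:
        return None
    return {sp["parsed_field"]: convert(match.group(sp["parsed_field"]),
                                        sp["value_type"])
            for _pos, sp in subpatterns}


if __name__ == "__main__":
    print(build_regex(SUBPATTERNS).pattern)
    print(parse_event(SAMPLE_TEARDOWN, SUBPATTERNS))
```

A message that lacks the first key ("Built inbound UDP connection ..." for instance) yields None rather than a partial event, and a protocol name missing from the table is rejected instead of being silently stored, which is the behaviour to check for before trusting a custom parser template on production syslog.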
78-17020-01
Define Pattern for a Log
Adding User Defined Log Parser Templates
User Guide for Cisco Security MARS Local Controller
15-7
