
Juniper NETWORKS STRM - TECHNICAL NOTE REV 6-2008 Manual page 9


    <matcher field="DestinationPort" order="1" pattern-id="DestinationIp" capture-group="2" />
    <matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
    <matcher field="Protocol" order="2" pattern-id="Protocol_6" capture-group="TCP" enable-substitutions="true" />
    <event-match-multiple pattern-id="EventNameId" capture-group-index="1" device-event-category="Cisco Firewall" />
  </match-group>
</device-extension>
The above extension document example demonstrates some of the basic aspects of parsing:
• IP addresses
• Ports
• Protocol
• Multiple fields using the same pattern with different groups

This example parses all FWSM events that follow the specified pattern, although the fields that are parsed may not be present in every such event (if the events include different content).

The following information, which was necessary to create this configuration, was not available from the event itself:
• The event name is only the last six digits (302015) of the %FWSM-session-0-302015 portion of the event.
• The FWSM has a hard-coded device type category of Cisco Firewall.
• The FWSM uses the Cisco Pix QID and therefore includes the device-type-id-override="6" parameter in the match group (the Pix firewall's device type ID is 6, see Table 6).

If the QID information is not specified or is unavailable, you can modify the event mapping using the Event Viewer. For more information, see the Modifying Event Mapping section in the STRM Users Guide.

An event name and a device event category are required when looking for the event in the QID. This device event category is a grouping parameter within the database that helps define like events within a device. The event-match-multiple at the end of the match group includes hard-coding of the category. The event-match-multiple uses the EventNameId pattern on the parsed event name to match up to six digits. This pattern is not run against the full payload, just that portion parsed as the EventName field.

The EventName pattern references the %FWSM portion of the events; all Cisco FWSM events contain the %FWSM portion. The pattern in the example matches %FWSM followed by any number (zero or more) of letters and dashes. This pattern match resolves the word session that is embedded in the middle of the event name and needs to be removed. The event severity (according to Cisco), followed by

Creating Extension Documents
Release 2008.2
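To make the mechanics described above concrete, the following Python script is an added example; it is not part of the Juniper technical note and not STRM product code. It interprets the matcher and event-match-multiple elements shown above the way the text describes them: each field is filled by the lowest-order matcher whose pattern matches, a capture-group with enable-substitutions is treated as a literal replacement string (so the Protocol_6 pattern yields the literal "TCP"), and the EventNameId pattern is run only over the value already parsed as the EventName field, never over the full payload. The regular expressions assigned to the pattern ids, the first-match-wins order semantics and the three FWSM-style log lines are my assumptions and constructed sample input, not the manual's own patterns or real device output.

```python
import re

# Regular expressions standing in for the <pattern> elements the extension
# document defines on the previous page. These are my assumptions, not the
# manual's patterns.
PATTERNS = {
    # %FWSM, then any letters and dashes (for example "-session"), then the
    # Cisco severity digit and the six-digit message id.
    "EventName":     re.compile(r"(%FWSM[-a-zA-Z]*-\d-\d{6})"),
    # Run only against the parsed EventName field, never the full payload.
    "EventNameId":   re.compile(r"(\d{6})"),
    # Group 1 is the address, group 2 the port: one pattern serves two fields.
    "SourceIp":      re.compile(r"(?:for|src) \S+:(\d{1,3}(?:\.\d{1,3}){3})/(\d+)"),
    "DestinationIp": re.compile(r"(?:to|dst) \S+:(\d{1,3}(?:\.\d{1,3}){3})/(\d+)"),
    "Protocol":      re.compile(r"\b(TCP|UDP|ICMP)\b"),
    # IP protocol number 6; the matcher substitutes the literal "TCP" for it.
    "Protocol_6":    re.compile(r"\bprotocol 6\b"),
}

# (field, order, pattern-id, capture-group, enable-substitutions), mirroring
# the <matcher> attributes on this page.
MATCHERS = [
    ("EventName",       1, "EventName",     "1",   False),
    ("SourceIp",        1, "SourceIp",      "1",   False),
    ("SourcePort",      1, "SourceIp",      "2",   False),
    ("DestinationIp",   1, "DestinationIp", "1",   False),
    ("DestinationPort", 1, "DestinationIp", "2",   False),
    ("Protocol",        1, "Protocol",      "1",   False),
    ("Protocol",        2, "Protocol_6",    "TCP", True),
]

DEVICE_EVENT_CATEGORY = "Cisco Firewall"  # hard-coded in event-match-multiple
DEVICE_TYPE_ID_OVERRIDE = 6               # Cisco Pix device type id (Table 6)

# Constructed FWSM-style sample lines; not real device output.
SAMPLE_EVENTS = [
    "%FWSM-session-0-302015: Built outbound TCP connection 4411 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51000 "
    "(192.0.2.25/51000)",
    "%FWSM-session-0-106010: Deny inbound protocol 6 "
    "src outside:198.51.100.7/4040 dst inside:192.0.2.9/22",
    "%FWSM-session-0-111008: User 'enable_15' executed the 'show run' command.",
]


def apply_matcher(payload, pattern_id, capture_group, substitutions):
    """Return the value a single <matcher> would produce, or None if no match."""
    m = PATTERNS[pattern_id].search(payload)
    if m is None:
        return None
    if substitutions:
        # Assumed semantics: capture-group is literal text in which $1, $2 ...
        # expand to the numbered groups of the match.
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", capture_group)
    return m.group(int(capture_group))


def parse_event(payload):
    """Fill each field from the lowest-order matcher whose pattern matches
    (assumed first-match-wins semantics). Fields with no match are omitted."""
    fields = {}
    for field, _order, pattern_id, group, subst in sorted(MATCHERS, key=lambda t: t[1]):
        if field in fields:
            continue  # a lower-order matcher already filled this field
        value = apply_matcher(payload, pattern_id, group, subst)
        if value is not None:
            fields[field] = value
    return fields


def event_match_multiple(fields):
    """Apply EventNameId to the parsed EventName field only and return the
    key (event name id, device event category, device type id) that the QID
    lookup would use, or None when no six-digit id can be found."""
    name = fields.get("EventName")
    if name is None:
        return None
    m = PATTERNS["EventNameId"].search(name)
    if m is None:
        return None
    return (m.group(1), DEVICE_EVENT_CATEGORY, DEVICE_TYPE_ID_OVERRIDE)


if __name__ == "__main__":
    for payload in SAMPLE_EVENTS:
        fields = parse_event(payload)
        print(fields)
        print("  QID key:", event_match_multiple(fields))
```

Running the script prints the parsed fields and the (event name id, device event category, device type id) key for each sample line. The second line has no protocol name, so the order-1 Protocol matcher fails and the order-2 Protocol_6 substitution supplies "TCP"; the third line matches the EventName pattern but carries no connection details, so it still parses with the absent fields simply left out, which is the "fields may not be present" case the text mentions.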
