For Logstash 1.5.0, we've moved all plugins to individual repositories, so I have moved this issue to logstash-plugins/logstash-patterns-core#38. Let's continue the discussion there! :)
Hello,
I hope this can be of help. I wrote custom patterns for 90 different message IDs for Cisco ASA 5525X used as a VPN concentrator. Messages with severity code 6 or lower are parsed for multiple fields of interest. Severity code 7 messages are primarily parsed for group, ip, and user only. A few IDs have no values of interest and are matched without parsing so as to eliminate tags for grok parse failure.
I named the patterns from the message ID portion of the "ciscotag" field, i.e. ciscotag:ASA-7-713169 would match pattern ASA_713169. Some message IDs occur in multiple severity levels.
Patterns -> http://pastebin.com/7iW8HB7g
Logstash config -> http://pastebin.com/32xGAEuB
NOTE: ASA_713906_1 and ASA_713906_2 encompass 15 different possible formats! (In my config, the other messages are matched if [ciscotag] != "ASA-7-713906", and these are matched if [ciscotag] == "ASA-7-713906".)
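
The naming and routing scheme described in this post, sketched in Python as an added example; it is not the poster's patterns or Logstash config, which are behind the Pastebin links. The message formats, the sample lines, the 113019 entry and the 000000 placeholder ID are assumptions constructed for illustration.

```python
import re

# Syslog header: yields the "ciscotag" field, severity and message ID.
HEADER = re.compile(r"%(?P<ciscotag>ASA-(?P<sev>\d)-(?P<msg_id>\d{6})): (?P<msg>.*)")
# Common "Group = ..., Username = ..., IP = ..." prefix; every part is optional.
WHO = (r"(?:Group = (?P<group>[^,]+), )?(?:Username = (?P<user>[^,]+), )?"
       r"(?:IP = (?P<ip>[\d.]+), )?")

# Constructed patterns keyed by message ID only (like ASA_<id>), so one entry
# serves an ID at any severity. A list holds the alternatives for an ID with
# several formats, tried in order (like ASA_713906_1 / ASA_713906_2).
PATTERNS = {
    "113019": [WHO + r"Session disconnected\. Session Type: (?P<session_type>[^,]+), "
               r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<bytes_xmt>\d+), "
               r"Bytes rcv: (?P<bytes_rcv>\d+), Reason: (?P<reason>.+)"],
    "713906": [WHO + r"Received unexpected event (?P<event>\S+) in state (?P<state>\S+)",
               WHO + r".+"],      # fallback: group, ip and user only
    "000000": [r".*"],            # placeholder ID: matched, nothing captured
}

# Constructed sample lines (documentation IP range, invented names).
SAMPLES = [
    "%ASA-4-113019: Group = VPN-USERS, Username = alice, IP = 203.0.113.7, "
    "Session disconnected. Session Type: SSL, Duration: 0h:12m:03s, "
    "Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested",
    "%ASA-7-713906: Group = VPN-USERS, IP = 203.0.113.7, "
    "Received unexpected event EV_X in state ST_Y",
    "%ASA-7-713906: IP = 203.0.113.7, sending keep-alive",
    "%ASA-7-000000: nothing of interest",
    "%ASA-6-123456: message ID with no pattern",
]

def parse(line):
    """Return an event dict; tagged _grokparsefailure when nothing matches."""
    head = HEADER.search(line)
    if not head:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = {"ciscotag": head["ciscotag"], "severity": int(head["sev"]), "tags": []}
    for pattern in PATTERNS.get(head["msg_id"], []):
        m = re.fullmatch(pattern, head["msg"])
        if m:  # keep only the fields this format actually carried
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            return event
    event["tags"].append("_grokparsefailure")
    return event

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```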