logstash-plugins / logstash-patterns-core


Some Cisco ASA logs resolve IP addresses to hosts

tomrade opened this issue

Parsing the following ASA log message
%ASA-4-106100: access-list Soc_access_in permitted tcp Soc/Bnet-sgsl(59463) -> CORE/10.31.2.205(24050) hit-cnt 1 first hit [0xb670d3ef, 0x44504bdf]

the grok pattern CISCOFW106100 fails due to it expecting src and dst IP addresses, but in this case the src is Bnet-sgsl

Upstream Pattern
CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]

"fixed" pattern using IPORHOST but this doesn't make sense for a field called "src_ip"

CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IPORHOST:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IPORHOST:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]

I guess we could do (?%{IP:src_ip}|%{HOST:src_host})
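As an added example (not part of tomrade's issue and not code from the logstash-patterns-core project), the Python script below reproduces the failure with a minimal grok-to-regex expander and then shows two candidate fixes matching the same line: the IPORHOST variant, which stuffs a hostname into `src_ip`, and a split `src_ip`/`src_host` form in the spirit of the last suggestion. The core pattern definitions are simplified copies and an assumption of this example: `IP` is IPv4-only, and `CISCO_ACTION` is trimmed to a subset of its real alternatives. Because Python's `re` rejects a duplicated group name, the second optional user field is named `dst_fwuser` here, where the upstream pattern repeats `src_fwuser`.

```python
import re

# Simplified copies of the grok core patterns this message needs (assumption
# of this example: IPv6 omitted from IP, CISCO_ACTION trimmed to a subset).
PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "IPV4": r"(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.]){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})(?![0-9])",
    "IP": r"%{IPV4}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "CISCO_ACTION": r"Built|Teardown|Deny|Denied|denied|requested|permitted"
                    r"|denied by ACL|discarded|est-allowed|Dropping|created|deleted",
    "CISCO_INTERVAL": r"first hit|%{INT}-second interval",
}

# %{NAME} or %{NAME:field} references inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern):
    """Expand grok references recursively into a Python regex object.

    %{NAME:field} becomes a named group, %{NAME} a non-capturing group.
    """
    def expand(match):
        name, field = match.group(1), match.group(2)
        inner = GROK_REF.sub(expand, PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(GROK_REF.sub(expand, pattern))


def grok_match(pattern, line):
    """Return the captured fields as a dict, or None when the pattern fails."""
    m = compile_grok(pattern).search(line)
    return m.groupdict() if m else None


# Tail shared by all three variants (from the upstream pattern).
TAIL = (r"\(%{INT:dst_port}\)(\(%{DATA:dst_fwuser}\))? hit-cnt %{INT:hit_count} "
        r"%{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]")
HEAD = r"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} "

# Upstream: src and dst must both be IP addresses.
UPSTREAM = (HEAD + r"%{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)"
            r"(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}" + TAIL)

# Variant 1: IPORHOST, so a hostname lands in a field called src_ip.
IPORHOST_FIX = UPSTREAM.replace("%{IP:src_ip}", "%{IPORHOST:src_ip}") \
                       .replace("%{IP:dst_ip}", "%{IPORHOST:dst_ip}")

# Variant 2: try IP first, fall back to HOSTNAME into a separate *_host field.
SPLIT_FIX = UPSTREAM.replace("%{IP:src_ip}", "(?:%{IP:src_ip}|%{HOSTNAME:src_host})") \
                    .replace("%{IP:dst_ip}", "(?:%{IP:dst_ip}|%{HOSTNAME:dst_host})")

# The message from the issue (src is a hostname) and a constructed control line
# with an IP source, used to show the upstream pattern works on its happy path.
LOG_HOST = ("%ASA-4-106100: access-list Soc_access_in permitted tcp Soc/Bnet-sgsl(59463)"
            " -> CORE/10.31.2.205(24050) hit-cnt 1 first hit [0xb670d3ef, 0x44504bdf]")
LOG_IP = LOG_HOST.replace("Soc/Bnet-sgsl(", "Soc/10.31.2.7(")   # constructed


if __name__ == "__main__":
    for name, pat in (("upstream", UPSTREAM), ("iporhost", IPORHOST_FIX), ("split", SPLIT_FIX)):
        print(name, "on hostname src:", grok_match(pat, LOG_HOST))
    print("upstream on IP src:", grok_match(UPSTREAM, LOG_IP))
```

The split form keeps `src_ip`/`dst_ip` type-clean (an IP-typed field in Elasticsearch would reject `Bnet-sgsl` at index time), at the cost of consumers having to check two fields per endpoint.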