Some Cisco ASA logs resolve IP addresses to hosts
tomrade opened this issue
Parsing the following ASA log message:
%ASA-4-106100: access-list Soc_access_in permitted tcp Soc/Bnet-sgsl(59463) -> CORE/10.31.2.205(24050) hit-cnt 1 first hit [0xb670d3ef, 0x44504bdf]
the grok pattern CISCOFW106100 fails because it expects src and dst IP addresses, but in this case the src is Bnet-sgsl.
Upstream pattern:
CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
"Fixed" pattern using IPORHOST, but this doesn't make sense for a field called "src_ip":
CISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IPORHOST:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IPORHOST:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
I guess we could do (?:%{IP:src_ip}|%{HOST:src_host})
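To see the failure and the proposed alternation concretely, here is an added Python example; it is not from the issue or from the logstash project. It expands a small hand-copied subset of the grok definitions that CISCOFW106100 relies on into a regular expression, then runs the upstream pattern and the IP-or-host alternation over the log line quoted above. The `expand` and `parse` helpers, the IPv4-only `IP` definition, the `%ASA-...:` prefix fields, and the second sample line with plain addresses are assumptions of the example; the repeated `src_fwuser` field in the dst half is renamed `dst_fwuser` because Python's `re` rejects duplicate group names.

```python
import re
from typing import Optional

# Hand-copied subset of the logstash grok definitions that CISCOFW106100 relies on.
# Constructed for this example: IP is reduced to IPv4 only, and HOSTNAME's trailing
# group is made non-capturing so that groupdict() only carries named fields.
GROK = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "IPV4": (
        r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]"
        r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"
    ),
    "IP": r"%{IPV4}",
    "HOSTNAME": (
        r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
        r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)"
    ),
    "HOST": r"%{HOSTNAME}",
    "CISCO_ACTION": (
        r"Built|Teardown|Deny|Denied|denied|permitted|denied by ACL|"
        r"discarded|est-allowed|Dropping|created|deleted"
    ),
    "CISCO_INTERVAL": r"first hit|%{INT}-second interval",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern: str) -> str:
    """Recursively replace %{NAME} / %{NAME:field} with the underlying regex.

    A reference with a field name becomes a named group, and one without becomes a
    non-capturing group, so alternations inside a definition (CISCO_ACTION,
    CISCO_INTERVAL) stay correctly scoped.
    """
    def replace(m):
        name, field = m.group(1), m.group(2)
        inner = expand(GROK[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(replace, pattern)


# Upstream CISCOFW106100 body, prefixed with the %ASA tag so a whole syslog line
# matches (assumed prefix fields). The second src_fwuser from the issue is renamed
# dst_fwuser here because Python's re rejects duplicate group names.
CISCOFW106100_UPSTREAM = (
    r"%ASA-%{INT:severity}-%{INT:message_id}: "
    r"access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} "
    r"%{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(?:\(%{DATA:src_fwuser}\))? -> "
    r"%{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(?:\(%{DATA:dst_fwuser}\))? "
    r"hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} "
    r"\[%{DATA:hashcode1}, %{DATA:hashcode2}\]"
)

# The alternation proposed in the issue: addresses stay in src_ip/dst_ip and a
# resolved name lands in a separate src_host/dst_host field.
CISCOFW106100_FIXED = (
    CISCOFW106100_UPSTREAM
    .replace("%{IP:src_ip}", "(?:%{IP:src_ip}|%{HOST:src_host})")
    .replace("%{IP:dst_ip}", "(?:%{IP:dst_ip}|%{HOST:dst_host})")
)


def parse(pattern: str, line: str) -> Optional[dict]:
    """Match a grok pattern against one log line; return only the fields that matched."""
    m = re.match(expand(pattern), line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


# The log line quoted in the issue (name-resolved source) and a constructed line
# with plain addresses on both sides.
RESOLVED_LINE = (
    "%ASA-4-106100: access-list Soc_access_in permitted tcp Soc/Bnet-sgsl(59463) "
    "-> CORE/10.31.2.205(24050) hit-cnt 1 first hit [0xb670d3ef, 0x44504bdf]"
)
PLAIN_LINE = (
    "%ASA-4-106100: access-list outside_in denied tcp outside/192.0.2.10(4444) "
    "-> inside/10.0.0.5(22) hit-cnt 3 300-second interval [0xdeadbeef, 0x0]"
)

if __name__ == "__main__":
    print("upstream on resolved line:", parse(CISCOFW106100_UPSTREAM, RESOLVED_LINE))
    print("fixed on resolved line:   ", parse(CISCOFW106100_FIXED, RESOLVED_LINE))
    print("fixed on plain line:      ", parse(CISCOFW106100_FIXED, PLAIN_LINE))
```

The upstream pattern returns no match for the quoted line, because `%{DATA:src_interface}` can only stretch to the next `/` and `Bnet-sgsl` is not an `IP`. With the alternation, the same line yields `src_host` and `dst_ip`, and a line with addresses on both sides still yields `src_ip` and `dst_ip` only, so downstream consumers that type `src_ip` as an IP field keep working.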