metron-issues mailing list archives

From "James Sirota (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (METRON-176) Create Cisco-ACS parser
Date Thu, 02 Jun 2016 05:38:59 GMT

     [ https://issues.apache.org/jira/browse/METRON-176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-176:
--------------------------------
    Assignee: Casey Stella

> Create Cisco-ACS parser
> -----------------------
>
>                 Key: METRON-176
>                 URL: https://issues.apache.org/jira/browse/METRON-176
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Deeptaanshu Kumar
>            Assignee: Casey Stella
>              Labels: ParserExtension
>
> I will be creating a parser to handle Cisco-ACS logs.
> Here is a sample log:
> <181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0
> 2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: Command Authorization
> succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, Device IP Address=10.0.0.0,
> DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns:
> CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unrestricted, RequestLatency=5,
> Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=hpna, Port=tty2,
> Remote-Address=10.0.0.0, Authen-Method=None, Service-Argument=shell, AcsSessionID=MDCNMSACS002/242802909/91519025,
> AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS,
> SelectedCommandSet=Unrestricted, IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction,
> Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 ,
> Step=24210 , Step=24212 , Step=22037 , Step=15044 ,
> Here is what the data will look like after parsing:
> sourcetype: cisco_acs
> priority: 181
> timestamp: May 19th 2016 03:12:07 UTC
> hostname: MDCNMSACS002
> category: Passed_Authentications
> message_id: 0093197809
> total_segments: 2
> segment_number: 0
> event_timestamp: May 19th, 2016 03:12:07 UTC
> sequence_number: 1214019921
> message_code: 5202
> severity: NOTICE
> message_class: Device-Administration
> message_text: Command Authorization succeeded
> ACSversion: acs-5.8.0.32-B.442.x86_64
> ConfigVersionId: 2097
> device_ip_address: 10.0.0.0
> ip_dst_addr: 10.0.0.0
> ip_dst_port: 49
> username: hpng
> CmdSet: [ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ]
> ACS_Protocol: Tacacs
> MatchedCommandSet: Unrestricted
> RequestLatency: 5
> Type: Authorization
> Privilege-Level: 15
> Authen-Type: ASCII
> Service: None
> ACS_User: hpng
> ACS_Port: tty2
> Remote-Address: 10.0.0.0
> Authen-Method: None
> Service-Argument: shell
> AcsSessionID: MDCNMSACS002/242802909/91519025
> AuthenticationIdentityStore: Internal Users
> AuthenticationMethod: Lookup
> SelectedAccessService: TACACS
> SelectedCommandSet: Unrestricted
> IdentityGroup: IdentityGroup:AllGroups:HPNA-Device-Interaction
> Steps: 13005, 15008, 15004, 15012, 15041, 15006, 15013, 24210, 24212, 22037, 15044



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
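The sample record from the ticket, run through a stand-alone parser. This is an added example written for this page, not Metron's Cisco-ACS parser (Metron parsers are Java; Python is used here only for illustration). Output keys follow the expected fields listed in the ticket. Two things the expected output implies but does not spell out: the syslog header timestamp carries no year or zone, so the UTC `timestamp` has to be derived from the body's event time and its `-04:00` offset; and the header says this is segment 0 of 2, so the Steps list of a single segment is incomplete until the segments are joined by host and message_id. The `SAMPLE_SEGMENT_1` line, its Step codes, and the assumption in `reassemble` that continuation segments repeat the syslog header and carry only more attribute text are constructed for this example and are not taken from the ticket or from Cisco documentation.

```python
"""Illustrative parser for the Cisco ACS 5.x syslog record shown in METRON-176 (not Metron's parser)."""
import re
from datetime import datetime, timezone

# Syslog envelope: <PRI>MMM DD hh:mm:ss HOST CSCOacs_<Category> <msgid> <total> <segno> <body>
HEADER_RE = re.compile(
    r"^<(?P<priority>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) CSCOacs_(?P<category>\S+) "
    r"(?P<message_id>\d+) (?P<total_segments>\d+) (?P<segment_number>\d+) (?P<body>.*)$"
)
# Segment-0 body: event time, UTC offset, sequence, code, severity, class: text, attributes
BODY_RE = re.compile(
    r"^(?P<event_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<tz>[+-]\d\d:\d\d) "
    r"(?P<sequence_number>\d+) (?P<message_code>\d+) (?P<severity>[A-Z]+) "
    r"(?P<message_class>[^:]+): (?P<rest>.*)$"
)
# Attributes the ticket renames; every other ACS key is kept verbatim.
RENAME = {
    "Device IP Address": "device_ip_address", "DestinationIPAddress": "ip_dst_addr",
    "DestinationPort": "ip_dst_port", "UserName": "username", "Protocol": "ACS_Protocol",
    "User": "ACS_User", "Port": "ACS_Port", "ACSVersion": "ACSversion",
}

# Segment 0 is the ticket's sample joined onto one line.  Segment 1 is CONSTRUCTED here
# to exercise reassembly; its Step codes are placeholders, not real ACS output.
SAMPLE_SEGMENT_0 = (
    "<181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 "
    "2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, "
    "Device IP Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, "
    "CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unrestricted, "
    "RequestLatency=5, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, "
    "User=hpna, Port=tty2, Remote-Address=10.0.0.0, Authen-Method=None, Service-Argument=shell, "
    "AcsSessionID=MDCNMSACS002/242802909/91519025, AuthenticationIdentityStore=Internal Users, "
    "AuthenticationMethod=Lookup, SelectedAccessService=TACACS, SelectedCommandSet=Unrestricted, "
    "IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, Step=13005 , Step=15008 , "
    "Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , "
    "Step=22037 , Step=15044 ,"
)
SAMPLE_SEGMENT_1 = ("<181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications "
                    "0093197809 2 1 Step=15037 , Step=15048 ,")


def split_attributes(text: str) -> list[str]:
    """Split on commas outside [...], so 'CmdSet=[ ... ]' survives as one attribute."""
    parts, buf, depth = [], [], 0
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth <= 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]  # drops the empty piece after the trailing " ,"


def reassemble(lines: list[str]) -> list[str]:
    """Join the segments of one message (same host and message_id) in segment order (assumed layout)."""
    groups: dict[tuple, dict[int, re.Match]] = {}
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if m:
            groups.setdefault((m["hostname"], m["message_id"]), {})[int(m["segment_number"])] = m
    joined = []
    for segs in groups.values():
        first = segs[min(segs)]
        prefix = first.group(0)[: first.start("body")]
        joined.append(prefix + " ".join(segs[i]["body"].strip() for i in sorted(segs)))
    return joined


def parse_cisco_acs(line: str) -> dict[str, object]:
    """Parse one (reassembled) record into the flat field set listed in the ticket."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Cisco ACS syslog record")
    b = BODY_RE.match(m["body"])
    if not b:
        raise ValueError("body lacks the ACS event prefix (continuation segment without segment 0?)")
    pri = int(m["priority"])
    # The syslog header has no year or zone; the body does, so normalise to UTC from it.
    event = datetime.strptime(f"{b['event_time']} {b['tz']}", "%Y-%m-%d %H:%M:%S.%f %z")
    out: dict[str, object] = {
        "sourcetype": "cisco_acs", "priority": pri,
        "facility": pri >> 3, "syslog_severity": pri & 7,  # 181 -> 22 (local6), 5 (notice)
        "hostname": m["hostname"], "category": m["category"], "message_id": m["message_id"],
        "total_segments": int(m["total_segments"]), "segment_number": int(m["segment_number"]),
        "timestamp": event.astimezone(timezone.utc), "event_timestamp": event.astimezone(timezone.utc),
        "sequence_number": int(b["sequence_number"]), "message_code": int(b["message_code"]),
        "severity": b["severity"], "message_class": b["message_class"],
    }
    fields = split_attributes(b["rest"])
    out["message_text"] = fields.pop(0) if fields and "=" not in fields[0] else ""
    steps: list[int] = []
    for kv in fields:
        key, _, value = (s.strip() for s in kv.partition("="))
        if key == "Step":
            steps.append(int(value))
        else:
            out[RENAME.get(key, key)] = value
    out["Steps"] = steps
    return out
```

`parse_cisco_acs(SAMPLE_SEGMENT_0)` yields the field set in the ticket (priority 181, hostname MDCNMSACS002, category Passed_Authentications, message_code 5202, eleven Steps, and so on) with `timestamp` normalised to 2016-05-19 03:12:07.001 UTC. Splitting the attribute list on a bare `,` would be fragile if a value ever contained a comma; the bracket-aware splitter is what keeps `CmdSet=[ ... ]` as one value. `reassemble([SAMPLE_SEGMENT_1, SAMPLE_SEGMENT_0])` shows why segment handling belongs in the parser: fed only a continuation segment, `parse_cisco_acs` raises rather than silently emitting a record with no event time or severity.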
