</when>
<when test="$_evtId = '111009'">
<!-- <135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config -->
<collectAndSetAttrByRegex src="$_body">
<regex><![CDATA[User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>]]></regex>
</collectAndSetAttrByRegex>
</when>
<when test="$_evtId = '722011'">
</when>
<when test="$_evtId = '313005'">
<!-- <132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:172.20.1.1 dst outside:143.215.130.61 (type 11, code 0) on inside interface. Original IP payload: tcp src 143.215.130.61/80 dst 172.16.200.159/37616. -->
<collectFieldsByRegex src="$_body">
<regex><![CDATA[icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>]]></regex>
</collectFieldsByRegex>
</when>
This is a bit tough when the vendor's log is putting two different types of data into the same field. What you have to determine first is whether or not there is always something in that field that could help you identify it as one or the other. For instance, in your example, John-computer.domain.com in regex would be "\w+-\w+.\w+.\w+". "John Last" would simply be "\w+ \w+". Since gPatWord is basically a \w+ (e.g. <pattern name="gPatWord"><![CDATA[\w+]]></pattern>), you could string these together to match the text or make your own pattern definition at the top of the parser. I would then just have two collectFieldsByRegex statements to catch each condition.
Now, you need to make sure it's always John[space]Last or John[dash]computer[dot]domain[dot]com; if there are other formats of data coming in, it obviously won't work.
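As an added example (it is not code from this thread, from the poster, or from FortiSIEM), here is a small Python stand-in for both the parser logic in the XML above and the two-shape field the answer describes. It expands `<name:gPatX>` placeholders into named groups the way the parser's pattern table does, runs the 111009 and 313005 regexes over the two sample syslog lines quoted in the XML comments, and then tries the "John Last" and "John-computer.domain.com" shapes in turn, returning None for any other format, which is the case the answer warns about. Only gPatWord's definition comes from the thread; gPatStrSQ, gPatStrEndColon, gPatStr and gPatMesgBody are assumed approximations, not FortiSIEM's own definitions, and the dots in the hostname shape are escaped so they match literally.

```python
import re

# Pattern table in the style of the parser's <pattern name="..."> entries.
# Only gPatWord is the definition quoted in the thread; the rest are assumed
# approximations for this example, not FortiSIEM's own definitions.
PATTERNS = {
    "gPatWord": r"\w+",
    "gPatStrSQ": r"[^']+",          # assumed: characters up to a single quote
    "gPatStrEndColon": r"[^:\s]+",  # assumed: token terminated by a colon
    "gPatStr": r"\S+",              # assumed: run of non-whitespace
    "gPatMesgBody": r".*",          # assumed: rest of the message
}

# A placeholder looks like <fieldName:gPatSomething>.
_PLACEHOLDER = re.compile(r"<(\w+):(\w+)>")

def expand(template):
    """Rewrite '<name:gPatX>' placeholders into Python named groups; literal
    text, anchors and escapes elsewhere in the template pass through."""
    def to_group(m):
        field, pattern = m.group(1), m.group(2)
        return f"(?P<{field}>{PATTERNS[pattern]})"
    return re.compile(_PLACEHOLDER.sub(to_group, template))

# Split the ASA syslog header from $_body: "%ASA-<severity>-<evtId>: <body>".
HEADER = re.compile(r"%ASA-(?P<severity>\d)-(?P<evtId>\d+):\s*(?P<body>.*)$")

# Per-event-ID regexes, copied from the <regex> elements above.
HANDLERS = {
    "111009": expand(r"User '<user:gPatStrSQ>' executed cmd:\s+<command:gPatMesgBody>"),
    "313005": expand(r"icmp src <srcIntfName:gPatStrEndColon>:<_srcStr:gPatStr> "
                     r"dst <destIntfName:gPatStrEndColon>:<_destStr:gPatStr>"),
}

def parse_asa(line):
    """Return a dict of extracted fields for one ASA syslog line, or None if
    the line carries no %ASA header. Unknown event IDs keep only the header
    fields, mirroring a <choose> where no <when> matches."""
    head = HEADER.search(line.strip())
    if not head:
        return None
    event = {"evtId": head.group("evtId"), "severity": head.group("severity")}
    rx = HANDLERS.get(event["evtId"])
    if rx:
        m = rx.search(head.group("body"))
        if m:
            event.update(m.groupdict())
    return event

# The two shapes the answer describes for a single field, built from gPatWord
# as suggested. The dots are escaped so they match a literal '.'.
PERSON_SHAPE = expand(r"^<firstName:gPatWord> <lastName:gPatWord>$")
HOST_SHAPE = expand(r"^<user:gPatWord>-<host:gPatWord>\.<domain:gPatWord>\.<tld:gPatWord>$")

def classify_field(value):
    """Try each shape in turn (the 'two collectFieldsByRegex statements').
    Returns (kind, fields) on a match and None for any other format."""
    for kind, rx in (("person", PERSON_SHAPE), ("host", HOST_SHAPE)):
        m = rx.match(value.strip())
        if m:
            return kind, m.groupdict()
    return None

# Sample input: the two syslog lines are the ones quoted in the XML comments
# above; the three field values are constructed for this example.
SAMPLE_LINES = [
    "<135>Apr 09 2012 18:20:19: %ASA-7-111009: User 'joeUser' executed cmd: show startup-config",
    "<132>Feb 04 2019 02:44:46 ACFASA : %ASA-4-313005: No matching connection for ICMP error "
    "message: icmp src inside:172.20.1.1 dst outside:143.215.130.61 (type 11, code 0) on inside "
    "interface. Original IP payload: tcp src 143.215.130.61/80 dst 172.16.200.159/37616.",
]
SAMPLE_FIELDS = ["John Last", "John-computer.domain.com", "jdoe@example.com"]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa(line))
    for value in SAMPLE_FIELDS:
        print(repr(value), "->", classify_field(value))
```

The third sample field is the failure mode from the answer: it fits neither shape, so `classify_field` returns None instead of silently filling the wrong attribute, which is the behaviour you want before adding a third regex or a custom pattern at the top of the parser.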
Copyright 2024 Fortinet, Inc. All Rights Reserved.