3 Replies Latest reply on Dec 9, 2013 10:11 AM by mlev462251

    Parsing for syslog of Cisco

    lichnt

      Now I want to parse events from Cisco IOS (ASP).

      I have an STP event from Cisco IOS (ASP):


      01.png

      Now I parse:


      02.png

      03.png

      04.png

      05.png

      But when I receive a new event from Cisco IOS, the parse rule does not work.

      If I choose:

      06.png

      the parse rule works. But since that is not correct, I want to add a parse rule for Cisco IOS (ASP).

      Help me.

      Thanks

        • 1. Re: Parsing for syslog of Cisco
          mlev462251

          Hi,

          I'm not sure exactly what you want to achieve, but there is already a Cisco IOS rule that possibly does something similar:

          ***

          Rule Name: Cisco_IOS SPANTREE An interface has been added to all VLANs

          Signature ID: 1019972

          Normalization Name: Application Status

          Signature: any any any -> any any (msg:"Cisco_IOS SPANTREE An interface has been added to all VLANs"; content:"PORTADD"; map@severity:"1"="100","2"="90","3"="75","4"="50","5"="35","6"="15","7"="10"; event_action:16; pcre:"\x25([^\x2d]+).{0,20}\x2d(\d+)\x2d(PORTADD\x5fALL\x5fVLANS)\s*\x3a\s+.*?added\sto\sall\sVlans"; raw; var:AppID.AppID=${1:1}; var:severity=${1:2}; adsid:137; sid:611050972; )

          ***


          Why don't you take one of the existing rules and modify it, rather than create a new data source?


          Kind regards,

          Matija
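As an added example (not part of this thread and not McAfee's own parser code), the following Python script takes the pcre: field exactly as quoted in the rule above and runs it against two constructed Cisco IOS syslog lines. It shows which message the rule actually fires on, what the two capture groups used by var:AppID and var:severity contain, and how the map@severity table rewrites the Cisco severity. Treating content:"PORTADD" as a pre-filter before the regex is an assumption about how the engine evaluates the rule; the sample lines are constructed for the example.

```python
import re

# The pcre: field from the quoted Cisco_IOS SPANTREE rule, copied verbatim.
# Hex escapes as written: \x25 = '%', \x2d = '-', \x5f = '_', \x3a = ':'.
SPANTREE_PORTADD_PCRE = (
    r"\x25([^\x2d]+).{0,20}\x2d(\d+)\x2d(PORTADD\x5fALL\x5fVLANS)\s*\x3a\s+"
    r".*?added\sto\sall\sVlans"
)

# map@severity from the same rule: Cisco syslog severity -> ESM severity.
SEVERITY_MAP = {1: 100, 2: 90, 3: 75, 4: 50, 5: 35, 6: 15, 7: 10}

_pattern = re.compile(SPANTREE_PORTADD_PCRE)


def parse_portadd_event(line):
    """Apply the rule's content check and PCRE to one raw syslog line.

    Returns None when the line would not fire this rule, otherwise a dict
    with the values the rule assigns: AppID from ${1:1} (capture group 1)
    and severity from ${1:2} (capture group 2).
    """
    # Assumption: content:"PORTADD" acts as a cheap substring pre-filter
    # that is checked before the more expensive PCRE is evaluated.
    if "PORTADD" not in line:
        return None
    m = _pattern.search(line)
    if m is None:
        return None
    cisco_sev = int(m.group(2))
    return {
        "AppID": m.group(1),            # var:AppID.AppID=${1:1}
        "mnemonic": m.group(3),         # third group, informational only
        "cisco_severity": cisco_sev,    # var:severity=${1:2}
        "esm_severity": SEVERITY_MAP.get(cisco_sev),
        "signature_id": 1019972,
    }


# Constructed sample lines (not real captures). The first is the PORTADD
# message the rule targets; the second is a different SPANTREE message and
# demonstrates why an event of another mnemonic is not parsed by this rule.
SAMPLE_LINES = [
    "<189>45: *Dec  9 10:11:00.123: %SPANTREE-6-PORTADD_ALL_VLANS: "
    "GigabitEthernet0/1 added to all Vlans",
    "<189>46: *Dec  9 10:11:05.456: %SPANTREE-5-TOPOTRAP: "
    "Topology Change Trap for vlan 10",
]


def parse_lines(lines):
    """Run the rule over every line; None marks a line the rule ignores."""
    return [parse_portadd_event(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, parse_lines(SAMPLE_LINES)):
        print(line)
        print("  ->", result)
```

Running this shows the first line yields AppID "SPANTREE", Cisco severity 6 mapped to ESM severity 15, while the second line returns None. That is the behaviour to keep in mind when copying a rule: the existing PORTADD rule only matches its own mnemonic, so another STP message needs the mnemonic in the copied rule's content: and pcre: fields changed to match it.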

          • 2. Re: Parsing for syslog of Cisco
            lichnt

            I tried as you said, but it does not work.

            • 3. Re: Parsing for syslog of Cisco
              mlev462251

              Hm. Are you sure that your events do not get parsed by one of the built-in rules?