VMware Cloud Community
TzeShengTang
VMware Employee

Modify Cisco ASA Content Pack to support emblem log format

Greetings:

We are processing Cisco ASA firewall logs with Log Insight 3.0, and we've learned that Cisco ASA can be configured with two log formats:

(1) Default: The severity class field looks like '%ASA-6-123456'

(2) EMBLEM: The severity class field looks like '%ASA-session-6-123456', where the 'session' string indicates that the source component is session.

However, using the current Cisco ASA Content Pack, it only displays the Default log format, even though the ASA firewall syslog source sends out the EMBLEM format. We hope the content pack can correctly display and process EMBLEM-format log entries instead of only the Default format.

We deep-dived into the Cisco ASA Content Pack, looked into 'Extracted Fields' and found that the regex of 'cisco_asa_severity' is '%ASA\-\d\-\d{6}\:', which explains the behavior.

We wish to modify the content pack and add one entry like 'cisco_asa_severity_emblem' as '%ASA\-\S\-\d\-\d{6}\:' in order to correctly display/process EMBLEM log entries; however, we have no idea how to modify the content pack and add the items we expect. Can anyone kindly advise how we can do it? Thanks in advance.

The following is an example of a real EMBLEM log entry:

<134>:Nov 11 10:49:10 HKST: %ASA-session-6-302014: Teardown TCP connection 1452659824 for outside:10.121.10.81/55149 to Server40:10.20.40.222/8080 duration 0:00:00 bytes 741 TCP FINs

---- Jason Tang

0 Kudos
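As an added example (not part of the original post or of the Cisco ASA Content Pack), the following Python regex accepts both header forms described in the post, checked against the EMBLEM entry quoted above and a constructed Default-format line; it also shows that the existing field regex and a single '\S' both fail on a multi-character component name such as 'session'. The component character class is an assumption.

```python
import re

# One pattern for both Cisco ASA header forms:
#   Default: %ASA-6-302014:
#   EMBLEM:  %ASA-session-6-302014:   (component name inserted before severity)
# '[A-Za-z0-9_]+' for the component name is an assumption about what ASA emits.
ASA_HEADER = re.compile(
    r"%ASA-(?:(?P<component>[A-Za-z0-9_]+)-)?(?P<severity>\d)-(?P<msgid>\d{6}):"
)

# The content pack's existing field regex, as quoted in the post.
ORIGINAL_DEFAULT = re.compile(r"%ASA\-\d\-\d{6}\:")
# The post's proposed EMBLEM regex: '\S' matches exactly ONE non-whitespace
# character, so it cannot consume the word 'session'.
PROPOSED_EMBLEM = re.compile(r"%ASA\-\S\-\d\-\d{6}\:")


def parse_asa_header(line):
    """Return (component, severity, msgid) for an ASA syslog line, else None.

    component is None for Default-format lines.
    """
    m = ASA_HEADER.search(line)
    if not m:
        return None
    return (m.group("component"), int(m.group("severity")), m.group("msgid"))


def matches(pattern, line):
    """True if the compiled pattern is found anywhere in the line."""
    return pattern.search(line) is not None


# Sample input: the EMBLEM entry from the post, plus two constructed lines.
SAMPLE_LINES = [
    "<134>:Nov 11 10:49:10 HKST: %ASA-session-6-302014: Teardown TCP connection "
    "1452659824 for outside:10.121.10.81/55149 to Server40:10.20.40.222/8080 "
    "duration 0:00:00 bytes 741 TCP FINs",
    "<134>Nov 11 10:49:10 asa01 %ASA-6-302014: Teardown TCP connection ...",  # constructed
    "<134>Nov 11 10:49:10 asa01 unrelated syslog message",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_asa_header(line),
              "default-regex:", matches(ORIGINAL_DEFAULT, line),
              "proposed-regex:", matches(PROPOSED_EMBLEM, line))
```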
2 Replies
billrothjr
VMware Employee

Jason,

  Add this as a feature request for the future at http://loginsight.vmware.com. For now, I'd set it up to use the version which does not contain the session id.

Bill Roth

------
Bill Roth, VMware
0 Kudos
admin
Immortal

Hello Jason,

If you want to create a derivative extracted field definition in your environment: Click the magnifying glass beside the existing 'cisco_asa_severity' field and Duplicate it. Change the name and regex as you described and click Save.

If you want that local customization to be available in a local copy of the content pack for backup purposes or for importing on other Log Insight clusters: Export the existing content pack to a VLCP file, import that back in to My Content alongside your custom field, then export a new content pack. Select both your custom field plus the other definitions which came from the original content pack.

If you want a new extracted field to be added to the upstream content pack: VMware or Cisco will have to do that. I'm tracking this request for enhancement as #1552639. yogitap

No feature request is needed.

0 Kudos