Tranbo
December 22, 2023, 6:40pm
1
I have latest 5.2 + Ubuntu22043 Installed configured for Cisco ASA 5508 - Working great!
{
"extractors": [
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny tcp",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<asa_proto>tcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA TCP Denies"
},
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny udp",
"converters": [],
show original
ramindia
December 23, 2023, 3:32pm
2
Once you imported the extractor
follow below video how you can use that extractor
In this Graylog tech series video we’re going to learn how to extract valuable data from JSON responses using JSON extractors. We will briefly teach you how to set them up, correctly configure them, and do some parsing. USING JSON EXTRACTORS TO...
Est. reading time: 3 minutes
