Tranbo
(Michael Tran)
December 22, 2023, 6:40pm
I have the latest 5.2 + Ubuntu 22.04.3 installed and configured for a Cisco ASA 5508 - working great!
Need some pointers on how the extractor import works:
- Imported the extractor and it shows up under the Manage Extractors section.
- How do I start using these extractors? The input messages stay the same - stopping and starting the input has no effect.
Download the extractor from here:
{
"extractors": [
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny tcp",
"converters": [],
"cursor_strategy": "copy",
"extractor_config": {
"grok_pattern": "%{IPORHOST:asa_dev} %ASA-\\d-(?<asa_messageid>106023): (?<asa_action>Deny) (?<asa_proto>tcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
},
"extractor_type": "grok",
"order": 0,
"source_field": "message",
"target_field": "message",
"title": "ASA TCP Denies"
},
{
"condition_type": "regex",
"condition_value": "(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])) %ASA-\\d-106023: Deny udp",
"converters": [],
This file has been truncated.
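To see what the imported "ASA TCP Denies" extractor actually does to a message, here is an added Python example (not from the original post and not Graylog's own code) that applies the extractor's condition regex and then its grok pattern to constructed ASA syslog lines. The grok library patterns it references (IPORHOST, IPV4, NOTSPACE, BASE10NUM, QUOTEDSTRING) are simplified stand-ins for the real definitions, the sample lines are constructed, and evaluating both regexes with a search (rather than a full-line match) is an assumption about how Graylog applies them.

```python
import re
from typing import Optional

# Simplified stand-ins for the grok library patterns the extractor references
# (the real Graylog/logstash definitions are longer; these cover the samples).
GROK_PATTERNS = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "IPORHOST": r"(?:(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9.\-]*)",
    "NOTSPACE": r"\S+",
    "BASE10NUM": r"[+-]?\d+(?:\.\d+)?",
    "QUOTEDSTRING": r'"[^"]*"',
}

# condition_value and grok_pattern of the "ASA TCP Denies" extractor above,
# with the JSON string escaping removed.
CONDITION_VALUE = (
    r"(^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
    r"|^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*"
    r"([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])) %ASA-\d-106023: Deny tcp"
)
GROK_PATTERN = (
    r"%{IPORHOST:asa_dev} %ASA-\d-(?<asa_messageid>106023): (?<asa_action>Deny) "
    r"(?<asa_proto>tcp) src %{NOTSPACE:asa_interface_in}:%{IPV4:asa_src_ip}/"
    r"%{BASE10NUM:asa_src_port} dst %{NOTSPACE:asa_interface_out}:%{IPV4:asa_dst_ip}/"
    r"%{BASE10NUM:asa_dst_port} by access-group %{QUOTEDSTRING:asa_accesslist}"
)


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references and convert grok's (?<name>...) groups
    to Python's (?P<name>...) syntax."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    regex = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", regex)


def run_extractor(message: str) -> Optional[dict]:
    """Evaluate the extractor the way Graylog does (assumed): the condition
    regex gates the extractor, then the grok pattern extracts the fields.
    Returns None when the condition does not match, {} when the condition
    matches but the grok pattern does not, else the extracted fields."""
    if not re.search(CONDITION_VALUE, message):
        return None
    m = re.search(grok_to_regex(GROK_PATTERN), message)
    return m.groupdict() if m else {}


# Constructed sample messages (hypothetical device name and RFC 5737 addresses).
SAMPLES = {
    "tcp_deny": (
        'fw01.example.net %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 '
        'dst inside:192.0.2.10/22 by access-group "outside_access_in" [0x0, 0x0]'
    ),
    "udp_deny": (
        'fw01.example.net %ASA-4-106023: Deny udp src outside:203.0.113.5/53 '
        'dst inside:192.0.2.10/53 by access-group "outside_access_in" [0x0, 0x0]'
    ),
    # A syslog timestamp in front of the hostname defeats the condition's ^ anchor.
    "with_timestamp": (
        'Dec 22 18:40:00 fw01.example.net %ASA-4-106023: Deny tcp src '
        'outside:203.0.113.5/51234 dst inside:192.0.2.10/22 '
        'by access-group "outside_access_in" [0x0, 0x0]'
    ),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {run_extractor(line)}")
```

The third sample shows why the leading ^ in the condition matters: this extractor only fires when the message field begins with the device IP or hostname, so anything in front of it (a syslog timestamp, for example) makes the condition fail and the extractor is silently skipped. Extractors are also applied only to messages that arrive after they are attached to the input; messages already stored are not reprocessed, so stopping and starting the input does not change them.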
ramindia
(R!)
December 23, 2023, 3:32pm
Once you have imported the extractor,
follow the video below on how you can use that extractor:
In this Graylog tech series video we’re going to learn how to extract valuable data from JSON responses using JSON extractors. We will briefly teach you how to set them up, correctly configure them, and do some parsing. USING JSON EXTRACTORS TO...
system
(system)
Closed
January 6, 2024, 3:33pm
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.