There are tons of Cisco ASA content packs out there, but we have decided to roll our own, mostly to learn and also to add a bit of flexibility.
Everything is working great, but we are now looking into streamlining the pipeline. Right now we just have one massive grok lookup, which we want to break apart. Our problem is we don't want to make tons of pipeline rules either. Any recommendations to break this up into something efficient?
```
rule "ASA syslog/UDP raw log"
when
  has_field("message")
then
  let raw_log = to_string($message.message);
  // One grok call: the tag first, then an alternation of every ASA message pattern
  // we know, falling back to capturing the rest of the line as cisco_message.
  let header = grok(pattern: "%{CISCOTAG:ciscotag}: (%{CISCOFW104001}|%{CISCOFW104002}|%{CISCOFW104003}|%{CISCOFW104004}|%{CISCOFW105003}|%{CISCOFW105004}|%{CISCOFW105005}|%{CISCOFW105008}|%{CISCOFW106100}|%{CISCOFW106100_2_3}|%{CISCOFW106001}|%{CISCOFW106023}|%{CISCOFW113003}|%{CISCOFW113004}|%{CISCOFW113005}|%{CISCOFW113008}|%{CISCOFW113009_113011}|%{CISCOFW113014}|%{CISCOFW113015}|%{CISCOFW113019}|%{CISCOFW113022_3}|%{CISCOFW113039}|%{CISCOFW313005}|%{CISCOFW401004}|%{CISCOFW419001}|%{CISCOFW419002}|%{CISCOFW434002}|%{CISCOFW500004}|%{CISCOFW507003}|%{CISCOFW710001_710002_710003_710005_710006}|%{CISCOFW722037}|%{CISCOFW733100}|%{CISCOFW733102}|%{CISCOFW733103})|(%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message})", value: raw_log, only_named_captures: true);
  set_fields(header);
end
```
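One way to split this up, as an added example that is not the poster's rule or content pack: a first stage that does nothing but separate the Cisco tag from the body and record the numeric message ID, then one rule per message family (not per ID) that runs only the small grok alternation for that family, plus a final rule that flags anything no family rule claimed. The stage numbers, rule names, the `cisco_msg_id` and `asa_parsed` field names, the `contains(..., "ASA-")` guard and the split of families by ID prefix are my assumptions; the `CISCOFW...` pattern names are the ones from the rule above.

```graylog
// Stage 0: cheap split only. No message-specific grok runs here.
// Assumes the raw line is in $message.message, as in the rule above.
rule "ASA 0 - split tag and body"
when
  has_field("message") && contains(to_string($message.message), "ASA-")
then
  let raw_log = to_string($message.message);
  let parts = grok(pattern: "%{CISCOTAG:ciscotag}: %{GREEDYDATA:cisco_message}",
                   value: raw_log, only_named_captures: true);
  set_fields(parts);
  // Pull the numeric ID out of the tag (ASA-6-106100 -> 106100) so later stages
  // can branch on a plain string compare instead of running grok again.
  let id = regex("^[A-Z0-9]+-\\d-(\\d+)$", to_string(parts.ciscotag));
  set_field("cisco_msg_id", id["1"]);
end

// Stage 1: one rule per family. Each guard is a prefix test on cisco_msg_id, so a
// message only ever hits the alternation that can actually match it.
rule "ASA 1 - 106xxx access-list and connection events"
when
  has_field("cisco_msg_id") && starts_with(to_string($message.cisco_msg_id), "106")
then
  let body = to_string($message.cisco_message);
  let fields = grok(pattern: "%{CISCOFW106001}|%{CISCOFW106023}|%{CISCOFW106100}|%{CISCOFW106100_2_3}",
                    value: body, only_named_captures: true);
  set_fields(fields);
  set_field("asa_parsed", true);
end

rule "ASA 1 - 113xxx AAA events"
when
  has_field("cisco_msg_id") && starts_with(to_string($message.cisco_msg_id), "113")
then
  let body = to_string($message.cisco_message);
  let fields = grok(pattern: "%{CISCOFW113003}|%{CISCOFW113004}|%{CISCOFW113005}|%{CISCOFW113008}|%{CISCOFW113009_113011}|%{CISCOFW113014}|%{CISCOFW113015}|%{CISCOFW113019}|%{CISCOFW113022_3}|%{CISCOFW113039}",
                    value: body, only_named_captures: true);
  set_fields(fields);
  set_field("asa_parsed", true);
end

rule "ASA 1 - 7xxxxx management and VPN events"
when
  has_field("cisco_msg_id") && starts_with(to_string($message.cisco_msg_id), "7")
then
  let body = to_string($message.cisco_message);
  let fields = grok(pattern: "%{CISCOFW710001_710002_710003_710005_710006}|%{CISCOFW722037}|%{CISCOFW733100}|%{CISCOFW733102}|%{CISCOFW733103}",
                    value: body, only_named_captures: true);
  set_fields(fields);
  set_field("asa_parsed", true);
end

// Stage 2: anything that reached here with a tag but no family rule is left with
// cisco_message intact and marked, so a dashboard of asa_parse_status:unparsed
// shows exactly which IDs still need a family rule (or a new pattern).
rule "ASA 2 - flag bodies no family rule handled"
when
  has_field("cisco_msg_id") && ! has_field("asa_parsed")
then
  set_field("asa_parse_status", "unparsed");
end
```

The rule count stays small because the guard is the ID prefix, not the ID: the 104xxx/105xxx, 313xxx, 4xxxxx and 5xxxxx patterns from the original alternation get three or four more family rules of the same shape rather than thirty. Attach the rules to stages 0, 1 and 2 of one pipeline and set each stage to continue when at least one rule matched, so a non-ASA message fails the stage 0 guard and never touches the later stages.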
You can see the full content pack on the link below
Thanks fellas.