Cisco ACE Flexconnector

Document created by conesh.scitum on Jan 10, 2017

Hi Everyone,

I would like to share with you my FlexConnector config for the Cisco ACE; before I created it I tried to look for one here, without luck.

Name the file ciscoace.subagent.sdkrfilereader.properties and put it in current/user/agent/flexagent/syslog under the SmartConnector installation directory.

This is the code:

-----------------------------------------------START--------------------------------------------------
# FlexAgent Regex Configuration File
# Parser for Cisco ACE syslog lines of the form
#   <Mon dd yyyy HH:mm:ss> <hostname> %ACE-<severity>-<message id>: <text>
# The message ID selects a submessage pattern that parses <text> further.

# Lines the main regex does not match are still sent on as unparsed events.
do.unparsed.events=true

regex=(\\S+\\s+\\d+ \\d\\d\\d\\d \\d\\d\:\\d\\d\:\\d\\d) (\\S+) %ACE\\-(\\d+)\\-(\\d+)\: (.*)

# The main regex has five capture groups, so only tokens 0-4 are filled;
# tokens 5-9 are declared but never populated. If the connector logs a
# token/group count mismatch, remove them and set token.count=5.
token.count=10

# fecha = timestamp (captured, but not mapped to event.deviceReceiptTime below)
token[0].name=fecha
token[0].type=String

token[1].name=hostname
token[1].type=String

# severidad = severity digit from %ACE-<severity>-<id>
token[2].name=severidad
token[2].type=String

# evento = ACE message ID, used to select the submessage
token[3].name=evento
token[3].type=String

# Message = everything after the message ID; the submessage patterns run on it
token[4].name=Message
token[4].type=String

# mensaje (message), targetip, targetport, intentos (attempts), razon (reason):
# unused, see the note above token.count
token[5].name=mensaje
token[5].type=String

token[6].name=targetip
token[6].type=String

token[7].name=targetport
token[7].type=String

token[8].name=intentos
token[8].type=String

token[9].name=razon
token[9].type=String

# The message ID (evento) picks the submessage; its patterns are matched against Message.
submessage.messageid.token=evento
submessage.token=Message

# Base mappings for every line; a matching submessage overrides event.name and adds fields.
event.deviceSeverity=severidad
event.deviceVendor=__getVendor(CISCO)
event.deviceProduct=__stringConstant(ACE)
event.deviceHostName=hostname
event.name=Message
event.deviceEventClassId=evento

#l10n.filename.prefix=

submessage.count=7

# 251014 "Could not probe server <ip> on port <port> for <n> consecutive tries - Internal error".
# mappings reorders the capture groups onto the fields:
# $1 -> event.name, $3 -> event.destinationPort, $2 -> event.destinationHostName, $4 -> event.message
submessage[0].messageid=251014
submessage[0].pattern.count=2
submessage[0].pattern[0].regex=(Could not probe server) (\\d+\\.\\d+\\.\\d+\\.\\d+) on port (\\d+) for (\\d+ consecutive tries \\- Internal error)
submessage[0].pattern[0].fields=event.name,event.destinationPort,event.destinationHostName,event.message
submessage[0].pattern[0].mappings=$1|$3|$2|$4

# Fallback for the same ID when the text begins with a space ("\ " keeps a
# leading space in a properties file). It has three capture groups but lists
# only event.name; add the other fields, or a mappings= line like the one
# above, if the connector rejects the mismatch or you want the IP and port.
submessage[0].pattern[1].regex=\ Could not probe server (\\d+\\.\\d+\\.\\d+\\.\\d+) on port (\\d+) for (\\d+) consecutive tries \\- Internal error
submessage[0].pattern[1].fields=event.name

# 251011 "<ICMP|TCP|UDP> health probe failed for server <ip>, <reason>" (three groups, only event.name listed)
submessage[1].messageid=251011
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=\ (ICMP|TCP|UDP) health probe failed for server (\\d+\\.\\d+\\.\\d+\\.\\d+), (.*)
submessage[1].pattern[0].fields=event.name

# 251009: first pattern expects a leading space and only maps event.name;
# the second maps name, server IP and the "connectivity error: ..." text in order.
submessage[2].messageid=251009
submessage[2].pattern.count=2
submessage[2].pattern[0].regex=\ (ICMP|TCP|UDP) health probe failed for server (\\d+\\.\\d+\\.\\d+\\.\\d+), connectivity error\: (.+)
submessage[2].pattern[0].fields=event.name

submessage[2].pattern[1].regex=(ICMP health probe failed) for server (\\d+\\.\\d+\\.\\d+\\.\\d+), (connectivity error\: .*)
submessage[2].pattern[1].fields=event.name,event.destinationHostName,event.message

# 251008 "Health probe failed for server <ip> on port <port>, connectivity error: server open timeout (no SYN ACK)"
# $1 -> event.name, $3 -> event.destinationPort, $4 -> event.message, $2 -> event.destinationHostName
submessage[3].messageid=251008
submessage[3].pattern.count=1
submessage[3].pattern[0].regex=(Health probe failed) for server (\\d+\\.\\d+\\.\\d+\\.\\d+) on port (\\d+), (connectivity error\: server open timeout \\(no SYN ACK\\))
submessage[3].pattern[0].fields=event.name,event.destinationPort,event.message,event.destinationHostName
submessage[3].pattern[0].mappings=$1|$3|$4|$2

# 251010: same shape as 251008 with a free-text reason; groups map to fields in order
submessage[4].messageid=251010
submessage[4].pattern.count=1
submessage[4].pattern[0].regex=(Health probe failed) for server (\\d+\\.\\d+\\.\\d+\\.\\d+) on port (\\d+), (.*)
submessage[4].pattern[0].fields=event.name,event.destinationHostName,event.destinationPort,event.message

# 442002 "Health probe <probe> detected <rserver> (interface <if>) in serverfarm <sf> changed state to DOWN"
# $1 -> event.name, $4 (serverfarm) -> deviceCustomString1, $3 -> deviceOutboundInterface,
# $5 -> event.message, $2 (rserver) -> destinationHostName
submessage[5].messageid=442002
submessage[5].pattern.count=1
submessage[5].pattern[0].regex=(Health probe \\S+) detected (\\S+) \\(interface (\\S+)\\) in serverfarm (\\S+) (changed state to DOWN)
submessage[5].pattern[0].fields=event.name,event.deviceCustomString1,event.deviceOutboundInterface,event.message,event.destinationHostName
submessage[5].pattern[0].mappings=$1|$4|$3|$5|$2

# 442001: the matching "changed state to UP" message, same field layout
submessage[6].messageid=442001
submessage[6].pattern.count=1
submessage[6].pattern[0].regex=(Health probe \\S+) detected (\\S+) \\(interface (\\S+)\\) in serverfarm (\\S+) (changed state to UP)
submessage[6].pattern[0].fields=event.name,event.deviceCustomString1,event.deviceOutboundInterface,event.message,event.destinationHostName
submessage[6].pattern[0].mappings=$1|$4|$3|$5|$2

----------------------------END------------------------
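Before dropping the file into a connector it pays to check the patterns offline. The following Python script is an added example and not part of the original post or of ArcSight: it re-implements just enough of the FlexConnector regex/submessage logic (main regex, token names, base mappings, message-ID dispatch and the $n|$m mappings) to run the patterns above over a few constructed ACE lines and show which CEF fields each line ends up with. The regexes are the page's with the Java-properties escaping reduced. Assumptions: a submessage pattern must match the whole Message token, the submessage patterns that list fewer fields than capture groups are left out, and the sample lines are made up for this example, not captured from a real ACE.

```python
import re

# Main regex from the properties file, with "\\d" -> "\d" and "\:" -> ":".
MAIN_REGEX = re.compile(
    r"(\S+\s+\d+ \d\d\d\d \d\d:\d\d:\d\d) (\S+) %ACE-(\d+)-(\d+): (.*)"
)
TOKENS = ["fecha", "hostname", "severidad", "evento", "Message"]

IP = r"(\d+\.\d+\.\d+\.\d+)"

# (regex, fields, mappings) per ACE message ID, transcribed from the page.
# mappings lists the capture group feeding each field ("$1|$3|$2|$4" becomes
# [1, 3, 2, 4]); None means the groups are taken in order.
SUBMESSAGES = {
    "251014": [(r"(Could not probe server) " + IP + r" on port (\d+) for (\d+ consecutive tries - Internal error)",
                ["event.name", "event.destinationPort", "event.destinationHostName", "event.message"],
                [1, 3, 2, 4])],
    "251009": [(r"(ICMP health probe failed) for server " + IP + r", (connectivity error: .*)",
                ["event.name", "event.destinationHostName", "event.message"], None)],
    "251008": [(r"(Health probe failed) for server " + IP + r" on port (\d+), (connectivity error: server open timeout \(no SYN ACK\))",
                ["event.name", "event.destinationPort", "event.message", "event.destinationHostName"],
                [1, 3, 4, 2])],
    "251010": [(r"(Health probe failed) for server " + IP + r" on port (\d+), (.*)",
                ["event.name", "event.destinationHostName", "event.destinationPort", "event.message"], None)],
    "442002": [(r"(Health probe \S+) detected (\S+) \(interface (\S+)\) in serverfarm (\S+) (changed state to DOWN)",
                ["event.name", "event.deviceCustomString1", "event.deviceOutboundInterface", "event.message", "event.destinationHostName"],
                [1, 4, 3, 5, 2])],
    "442001": [(r"(Health probe \S+) detected (\S+) \(interface (\S+)\) in serverfarm (\S+) (changed state to UP)",
                ["event.name", "event.deviceCustomString1", "event.deviceOutboundInterface", "event.message", "event.destinationHostName"],
                [1, 4, 3, 5, 2])],
}


def parse_ace_line(line):
    """Return the event field dict for a parsed line, or None when the main
    regex does not match (with do.unparsed.events=true the connector would
    emit such a line as an unparsed event)."""
    m = MAIN_REGEX.fullmatch(line)
    if m is None:
        return None
    tok = dict(zip(TOKENS, m.groups()))
    # Base mappings from the properties file.
    event = {
        "deviceSeverity": tok["severidad"],
        "deviceVendor": "CISCO",          # __getVendor(CISCO)
        "deviceProduct": "ACE",           # __stringConstant(ACE)
        "deviceHostName": tok["hostname"],
        "name": tok["Message"],
        "deviceEventClassId": tok["evento"],
    }
    # submessage.messageid.token=evento picks the pattern list; the first
    # pattern matching submessage.token=Message wins (assumed whole-token match).
    for regex, fields, mappings in SUBMESSAGES.get(tok["evento"], []):
        sm = re.fullmatch(regex, tok["Message"])
        if sm is None:
            continue
        groups = mappings or list(range(1, len(fields) + 1))
        for field, gnum in zip(fields, groups):
            event[field[len("event."):]] = sm.group(gnum)
        break
    return event


# Constructed sample lines (not real captures). The last one is not an %ACE
# message and must come out unparsed; the 111111 one has no submessage.
SAMPLE_LINES = [
    "Jan 10 2017 10:15:01 ace-lb-01 %ACE-4-442002: Health probe PROBE-HTTP detected 10.10.20.5 (interface vlan100) in serverfarm SF-WEB changed state to DOWN",
    "Jan 10 2017 10:15:03 ace-lb-01 %ACE-4-251008: Health probe failed for server 10.10.20.5 on port 80, connectivity error: server open timeout (no SYN ACK)",
    "Jan 10 2017 10:16:40 ace-lb-01 %ACE-3-251014: Could not probe server 10.10.20.6 on port 443 for 3 consecutive tries - Internal error",
    "Jan 10 2017 10:17:30 ace-lb-01 %ACE-6-111111: constructed message with no submessage pattern",
    "Jan 10 2017 10:18:00 ace-lb-01 %SYS-5-CONFIG_I: Configured from console by admin",
]


def run(lines=SAMPLE_LINES):
    """Split lines into (parsed event dicts, unparsed raw lines)."""
    parsed, unparsed = [], []
    for line in lines:
        event = parse_ace_line(line)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed


if __name__ == "__main__":
    parsed, unparsed = run()
    for event in parsed:
        print(event["deviceEventClassId"], {k: v for k, v in event.items()
              if k in ("name", "destinationHostName", "destinationPort", "message")})
    for line in unparsed:
        print("UNPARSED:", line)
```

Feed real lines from the connector's unparsed-events log into run() and any line that lands in the unparsed list is one the main regex rejects; any line that parses but keeps the whole text as event.name has no matching submessage pattern for its message ID.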

Then you need to modify the SmartConnector parameters in agent.properties (user/agent/agent.properties under the connector install):

agents[0].customsubagentlist=flexagent_syslog|ciscopix_syslog|netscreen_syslog|cyberguard_syslog|niksun_syslog|sourcefire_syslog|intrushield_syslog|ciscovpnios_syslog|sonicwall_syslog|apache_syslog|netscreen_idp_syslog|ciscovpnnoios_syslog|attackmitigator_syslog|rsaace_syslog|ciscoaironet_syslog|ciscoworks_syslog|ciscorouter_syslog|nortelvpn_syslog|pf_syslog|coreguard_syslog|watchguard_syslog|fortigate_syslog|peakflow_syslog|honeyd_syslog|neoteris_syslog|prosafe_syslog|trushield_syslog|alcatel_syslog|extreme_syslog|tippingpoint_syslog|nokiasecurityplatform_syslog|whatsup_syslog|airdefense_syslog|stealthwatch_syslog|nagios_syslog|netcontinuum_syslog|cef_syslog|tlattackmitigator_ng_syslog|airmagnet_enterprise_syslog|manhunt_syslog|m40e_aspic_syslog|ironmail_syslog|ciscorouter_nonios_syslog|ingrian_syslog|nitrosecurity_syslog|junipernetscreenvpn_syslog|catos_syslog|ipolicy_syslog|symantecnetworksecurity_syslog|bigiron_syslog|type80_syslog|miragecounterpoint_syslog|newbury_syslog|packetalarm_syslog|cyberguard6_syslog|neowatcher_syslog|netkeeper_syslog|snare_syslog|ntsyslog_syslog|f5bigip_syslog|sms_syslog|ciscocss_syslog|barracuda_spamfw_syslog|radware_defensepro_syslog|barracuda_spamfw_ng_syslog|bluecoatsg_syslog|peakflowx_syslog|aruba_syslog|mcafeesig_syslog|stonegate_syslog|ciscosecureacs_syslog|tripwire_enterprise_7_7_syslog|tripwire_enterprise_syslog|datagram_iis_syslog|oracle_audit_syslog|sms7x_syslog|messagegate_syslog|cyberguard52_syslog|symantecendpointprotection_syslog|cisco_mse|junipernetscreenvpn_6x_syslog|netscreen_idp5_syslog|bsm_syslog|junipernetscreenvpn_keyvalue_syslog|citrix_syslog|linux_auditd_syslog|netappfiler_syslog|vmwareesx_syslog|ciscoise_monitoringaudit_syslog|aixaudit_syslog|junos_syslog|junos_sdsyslog|type80v3_syslog|vormetricdatasecurity_syslog|citrixnetscaler_syslog|tippingpoint_sms_2_5_syslog|tippingpoint_sms_audit_syslog|tippingpoint_device_audit_syslog|vmwareesx_4_1_syslog|infobloxnios_syslog|proofpoint_syslog|ciscoairspace76_syslog|ciscoise_syslog|hpprinter_syslog|hp_c7000_syslog|pulseconnectsecure_syslog|pulseconnectsecure_keyvalue_syslog|snare_syslog_heartbeat|ilo_syslog|ironport_syslog|sidewinder_syslog|gauntlet_syslog|sendmail_syslog|nsm_syslog|nsm2009_syslog|ciscosecureacs51_syslog|hph3c_syslog|hpprocurve_syslog|hp_ux_syslog|checkpoint_syslog|generic_syslog|ciscoairspace_syslog

agents[0].usecustomsubagentlist=true

agents[0].unparsedevents.log.enabled=true

As you can see, I removed the NX_OS entry and added the flexagent as the first match; then I changed usecustomsubagentlist to true (to enable the flexagent) and set unparsedevents.log.enabled to true to log all unparsed events.
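If you roll this out to more than one connector, the three agent.properties changes above (flexagent_syslog first in agents[0].customsubagentlist, agents[0].usecustomsubagentlist=true, agents[0].unparsedevents.log.enabled=true) are easy to script. The following Python helper is an added example, not part of the original post or of ArcSight: it rewrites only those keys, keeps every other line as it is, and is idempotent, so it can be re-run safely. Assumptions: agent.properties is plain key=value lines, the connector is stopped while the file is edited, and the sample file below is constructed for this example with a shortened subagent list.

```python
from pathlib import Path

FLEX_SUBAGENT = "flexagent_syslog"
LIST_KEY = "agents[0].customsubagentlist"
FLAGS = {
    "agents[0].usecustomsubagentlist": "true",
    "agents[0].unparsedevents.log.enabled": "true",
}


def enable_flex_subagent(text, subagent=FLEX_SUBAGENT):
    """Return the properties text with `subagent` moved to the front of the
    custom subagent list (so it is the first parser tried), the two flags set
    to true, and every other line untouched. Missing flags are appended."""
    out, seen = [], set()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key == LIST_KEY:
            # Drop any existing copy of the subagent, then put it first.
            others = [p for p in value.strip().split("|") if p and p != subagent]
            line = f"{LIST_KEY}={'|'.join([subagent] + others)}"
        elif sep and key in FLAGS:
            line = f"{key}={FLAGS[key]}"
        seen.add(key)
        out.append(line)
    for key, val in FLAGS.items():
        if key not in seen:
            out.append(f"{key}={val}")
    return "\n".join(out) + "\n"


def subagent_list(text):
    """Return the custom subagent list of a properties text, in order."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == LIST_KEY:
            return value.strip().split("|")
    return []


def patch_file(path):
    """Rewrite an agent.properties file in place (run with the connector stopped)."""
    p = Path(path)
    p.write_text(enable_flex_subagent(p.read_text()))


# Constructed sample (not a real agent.properties): flexagent_syslog is present
# but not first, and the unparsed-events flag is missing altogether.
SAMPLE = """\
agents[0].type=syslog
agents[0].customsubagentlist=ciscopix_syslog|netscreen_syslog|flexagent_syslog|cef_syslog
agents[0].usecustomsubagentlist=false
"""

if __name__ == "__main__":
    print(enable_flex_subagent(SAMPLE))
```

Because the connector tries the subagents in list order, the helper always puts flexagent_syslog first rather than merely ensuring it is present.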

**** Be sure to change the ownership of ciscoace.subagent.sdkrfilereader.properties to the user that runs the connector, so that the connector can read it: chown <user>:<user> ciscoace.subagent.sdkrfilereader.properties

Also check the syslog.properties file for the IP address of your ACE, to be sure it is assigned to the correct syslog parser: flexagent_syslog,<ip address>\

If it is not, you can delete the entry.

I hope this helps; if you have any comments, please let me know.

Alfonso.