MonitorWare Knowledge Base

Hi Guys

Ive got the regex for Cisco pix as being
regexp=(?P<date>\SYSLOG_DATE)\s*(?P<sensor>[^\s]*).*:.*?(PIX|ASA)-\d-(?P<sid>\d+):.*?(from|src|for inside|for outside|src inside|src outside).*?(?P<src>\IPv4)(\/(?P<sport>\d+))?.*?(dst|to inside|to outside|dst inside|dst outside).*?(?P<dst>\IPv4)(\/(?P<dport>\d+))?

how do i configure the rsyslog.conf that a message conforms to the above regex then it must insert into mysql.SystemEvents table?\

Please help

Thanks
Stuart

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Check out: http://kb.monitorware.com/cisco-pix-asa-logging-starter-t8720.html

It only has a few examples, but that's all I needed. As best as I can figure you have to filter by the identifiers I.E. ASA-7-106100, etc... It's kinda crude but it does work. If you do find a better way please post it!!!

Hope it helps,

thanks that did work
however i need 1 more field from it. i need the message id
%PIX-5-106100: access-list acl-inside permitted udp inside/100.1.1.1(100) -> outside/<200.1.1.1(137) hit-cnt 5 (first hit)
in the above example it would be 106100

i can get it by using substring, but i would prefer a more reliable method.any ideas?

I haven't had time to test this but it should work.

Code: Select all

'%msg:R,ERE,1,BLANK:PIX-5-(.*):--end%'