Metron (Retired) / METRON-176

Create Cisco-ACS parser


Details

    Type: Improvement
    Status: To Do
    Priority: Minor
    Resolution: Unresolved

    Description

      I will be creating a parser to handle Cisco-ACS logs.

      Here is a sample log:
      <181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 2016-05-18 23:12:07.001 -04:00 1214019921 5202 NOTICE Device-Administration: Command Authorization succeeded, ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, Device IP Address=10.0.0.0, DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unrestricted, RequestLatency=5, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=hpna, Port=tty2, Remote-Address=10.0.0.0, Authen-Method=None, Service-Argument=shell, AcsSessionID=MDCNMSACS002/242802909/91519025, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS, SelectedCommandSet=Unrestricted, IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22037 , Step=15044 ,

      Here is what the data will look like after parsing:

      sourcetype: cisco_acs
      priority: 181
      timestamp: May 19th 2016 03:12:07 UTC
      hostname: MDCNMSACS002
      category: Passed_Authentications
      message_id: 0093197809
      total_segments: 2
      segment_number: 0
      event_timestamp: May 19th, 2016 03:12:07 UTC
      sequence_number: 1214019921
      message_code: 5202
      severity: NOTICE
      message_class: Device-Administration
      message_text: Command Authorization succeeded
      ACSversion: acs-5.8.0.32-B.442.x86_64
      ConfigVersionId: 2097
      device_ip_address: 10.0.0.0
      ip_dst_addr: 10.0.0.0
      ip_dst_port: 49
      username: hpng
      CmdSet: [ CmdAV=dir CmdArgAV=cns: CmdArgAV=<cr> ]
      ACS_Protocol: Tacacs
      MatchedCommandSet: Unrestricted
      RequestLatency: 5
      Type: Authorization
      Privilege-Level: 15
      Authen-Type: ASCII
      Service: None
      ACS_User: hpng
      ACS_Port: tty2
      Remote-Address: 10.0.0.0
      Authen-Method: None
      Service-Argument: shell
      AcsSessionID: MDCNMSACS002/242802909/91519025
      AuthenticationIdentityStore: Internal Users
      AuthenticationMethod: Lookup
      SelectedAccessService: TACACS
      SelectedCommandSet: Unrestricted
      IdentityGroup: IdentityGroup:AllGroups:HPNA-Device-Interaction
      Steps: 13005, 15008, 15004, 15012, 15041, 15006, 15013, 24210, 24212, 22037, 15044
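As an added example, not code from the Metron project (whose parsers are written in Java), here is a Python parser for this record layout that emits the field names listed above. The sample line is a constructed copy of the one in this issue, and the UTC conversion assumes the offset printed in the event time is authoritative, since the syslog header itself carries neither year nor zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the sample record from this issue (a single segment on one line).
SAMPLE_LOG = (
    "<181>May 18 23:12:07 MDCNMSACS002 CSCOacs_Passed_Authentications 0093197809 2 0 2016-05-18 23:12:07.001 "
    "-04:00 1214019921 5202 NOTICE Device-Administration: Command Authorization succeeded, "
    "ACSVersion=acs-5.8.0.32-B.442.x86_64, ConfigVersionId=2097, Device IP Address=10.0.0.0, "
    "DestinationIPAddress=10.0.0.0, DestinationPort=49, UserName=hpna, CmdSet=[ CmdAV=dir CmdArgAV=cns: "
    "CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unrestricted, RequestLatency=5, Type=Authorization, "
    "Privilege-Level=15, Authen-Type=ASCII, Service=None, User=hpna, Port=tty2, Remote-Address=10.0.0.0, "
    "Authen-Method=None, Service-Argument=shell, AcsSessionID=MDCNMSACS002/242802909/91519025, "
    "AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=TACACS, "
    "SelectedCommandSet=Unrestricted, IdentityGroup=IdentityGroup:All Groups:HPNA-Device-Interaction, "
    "Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , "
    "Step=24210 , Step=24212 , Step=22037 , Step=15044 ,"
)

# Header layout: <pri>syslog-time host CSCOacs_<category> msg-id segments segment-no event-time tz
# sequence code SEVERITY class: text, followed by comma-separated key=value pairs.
HEADER = re.compile(
    r"^<(?P<priority>\d+)>\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) CSCOacs_(?P<category>\S+) "
    r"(?P<message_id>\d+) (?P<total_segments>\d+) (?P<segment_number>\d+) "
    r"(?P<event_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) (?P<sequence_number>\d+) "
    r"(?P<message_code>\d+) (?P<severity>\w+) (?P<message_class>[^:]+): (?P<message_text>[^,]*),?\s*(?P<body>.*)$"
)
# Key renames requested in the description; every other key is kept verbatim.
RENAMES = {"ACSVersion": "ACSversion", "Device IP Address": "device_ip_address",
           "DestinationIPAddress": "ip_dst_addr", "DestinationPort": "ip_dst_port", "UserName": "username",
           "Protocol": "ACS_Protocol", "User": "ACS_User", "Port": "ACS_Port"}

def parse_cisco_acs(line):
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not a Cisco ACS syslog record")
    event = {"sourcetype": "cisco_acs"}
    for key in ("priority", "total_segments", "segment_number", "sequence_number", "message_code"):
        event[key] = int(m.group(key))
    for key in ("hostname", "category", "message_id", "severity", "message_class", "message_text"):
        event[key] = m.group(key)  # message_id keeps its leading zeros
    # The event time carries an explicit UTC offset; normalise it to epoch milliseconds (UTC).
    ts = datetime.strptime(m.group("event_ts"), "%Y-%m-%d %H:%M:%S.%f %z")
    event["event_timestamp"] = (ts - datetime(1970, 1, 1, tzinfo=timezone.utc)) // timedelta(milliseconds=1)
    event["timestamp"] = event["event_timestamp"]  # the syslog header has no year or zone, so reuse event time
    # Body pairs: "Step=" repeats and becomes a list; "CmdSet=[ ... ]" has no commas, so a comma split is safe.
    pairs = [tuple(s.strip() for s in p.split("=", 1)) for p in m.group("body").split(",") if "=" in p]
    event["Steps"] = [v for k, v in pairs if k == "Step"]
    event.update((RENAMES.get(k, k), v) for k, v in pairs if k != "Step")
    return event
```

Body values are left as strings; a Metron deployment would normally also derive the facility and severity from the priority and store the epoch timestamp under `timestamp` for indexing.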

People

    Assignee: Unassigned
    Reporter: Deeptaanshu Kumar (deeptaanshu)