Fixes for pix2dlf (PIX v7+)

Robin Horton robinh at aptimus.com
Tue Jan 30 22:18:17 CET 2007


I was having problems parsing some of the logs from my PIX v7 units and
found it necessary to make some edits to the pix2dlf.

These fixes work in my situation, but you may wish to "generalize" my
regular expressions to fit all cases.

Here is my unified diff:


--- old_pix2dlf 2007-01-26 23:05:45.000000000 +0000
+++ pix2dlf     2007-01-30 21:08:11.000000000 +0000
@@ -178,7 +178,7 @@
         next;
     }
 
-    unless($rec->{process} =~ /^\%PIX-([0-9])-([0-9]+)$/) {
+    unless($rec->{process} =~ /\%PIX-([0-9])-([0-9]+)$/) {
         lr_debug("skipped non PIX syslog line '$_'");
 
         # FIXME: I don't think we should mark lines that we know for
sure aren't PIX lines
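Review bot: dropping the `^` anchor from `/^\%PIX-([0-9])-([0-9]+)$/` makes the match tolerate whatever the v7 units prepend to the process field, but it also accepts `%PIX-` anywhere in the value, so a field that merely contains the tag somewhere in the middle would now be treated as a PIX line; if the intent is to allow a leading prefix, say so in a comment and anchor on the boundary instead, e.g. `/(?:^|\s)\%PIX-([0-9])-([0-9]+)$/`.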
@@ -423,13 +423,7 @@
         $dlf{'action'} = 'denied';
 
         ($dlf{'protocol'}, $from_addr, $to_addr, $dlf{'rule'}) =
-          $pix_body =~ m/^
-            Deny\ (\w+)\                     # protocol
-            src\ ([-\w\.:\/]+)\               # from_addr
-            dst\ ([-\w\.:\/]+)\               # to_addr
-            (?:\(type\ \d+,\ code\ \d+\)\ )? # optional (ignored)
-            by\ access-group\ "([\w-]+)"     # rule
-          \s*$/x;
+          $pix_body =~ m/^Deny\ (\w+)\ src\ ([-\w\.:\/]+)\ dst\
([-\w\.:\/]+)\ by\ access-group\ "([\w-]+)"\ \[0x0, 0x0\]\s*$/;
 
         ($dlf{'rcv_intf'}, $dlf{'from_ip'}, $dlf{'from_port'}) = 
           grok_addr($from_addr);
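Review bot: the replacement pattern hard-codes a trailing `\ \[0x0, 0x0\]` and drops the optional `(?:\(type\ \d+,\ code\ \d+\)\ )?` group, so Deny lines without that exact suffix (the older format the `/x` version handled, or bracket values other than `0x0`) and ICMP denies that carry `(type N, code N)` will no longer match and will be silently skipped; consider keeping the type/code group and making the suffix optional with a hex class, e.g. `(?:\ \[0x[0-9a-fA-F]+,\ 0x[0-9a-fA-F]+\])?`. Also, the mail client has wrapped the single `+` line after `dst\`, so the patch will not apply as pasted, and since the `/x` modifier was removed an embedded newline would become a literal part of the pattern; please resend as an attachment or keep the `/x` form with one token per line.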
@@ -461,7 +455,7 @@
         # followup.  o well, just skip all these for now, and get data
from
         # %PIX-3-106014, %PIX-6-302016 and friends
 
-        next LINE;
+#        next LINE;
 
         # 4000nn: IDS:sig_num sig_msg from IP_addr to IP_addr on
         # interface int_name
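Review bot: `#        next LINE;` leaves dead code in place and contradicts the comment just above it ("just skip all these for now, and get data from %PIX-3-106014, %PIX-6-302016 and friends"); delete the line and update the comment to say these messages are now parsed. With the skip gone, every message that used to stop here now falls through to the IDS branch below, so please confirm the following checks match only on their own message numbers and that lines matching none of them are still skipped rather than emitted with empty fields.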
@@ -496,16 +490,8 @@
         $dlf{'action'} = 'denied';
 
         ($dlf{'msg'}, $dlf{'from_ip'}, $dlf{'to_ip'}, $dlf{'rcv_intf'})
= 
-          $pix_body =~ m/^
-            IDS:\d+\                       #
-            ([-+\(\)\ a-zA-Z]+?)\          # sig_msg [1]
-            from\                          #
-            ([\d\.]+)\                     # from_ip
-            to\                            #
-            ([\d\.]+)\                     # to_ip
-            on\ interface\                 #
-            ([-\w]+)                       # rcv_intf
-          \s*$/x;
+          $pix_body =~ m/^IDS:[\d]+\ ([-\w\ ]+)\ from\ ([\d\.]+)\ to\
([\d\.]+)\ on\ interface\ ([-\w]+)\s*$/;
+
 
         # [1] see
         #
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/
pixemsgs.htm#18407
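Review bot: the new sig_msg capture `([-\w\ ]+)` no longer admits `+`, `(` or `)`, which the old class `[-+\(\)\ a-zA-Z]+?` allowed, so signature messages containing those characters will stop matching; `[\d]+` can simply be `\d+`. The removed `# sig_msg [1]` annotation was the only thing the `# [1] see` footnote below referred to, so either keep that comment or drop the footnote, and the added blank `+` line is stray whitespace. This `+` line is also wrapped by the mail client after `to\`, so the patch will not apply cleanly as pasted.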



I will be adding a few more message numbers to parse, and, if you wish,
I can send a unified diff for those as well...



Robin Horton
Systems Administrator
2001 6th Ave. #3200
Seattle, WA 98121

Ph: 206.441.9100 x1189
Fax: 206.441.9661
robinh at aptimus.com


