Fixes for pix2dlf (PIX v7+)

Joost van Baal joostvb at logreport.org
Tue Jan 30 22:52:28 CET 2007


Hi,

On Tue 30 Jan 2007 at 10:18:17 +0100, Robin Horton wrote:
> I was having problems parsing some of the logs from my PIX v7 units and
> found it necessary to make some edits to the pix2dlf.
> 
> These fixes work in my situation, but you may wish to "generalize" my
> regular expressions to fit all cases.
> 
> Here is my unified diff:

Thanks a lot for this patch!  We love patches :)

> --- old_pix2dlf 2007-01-26 23:05:45.000000000 +0000
> +++ pix2dlf     2007-01-30 21:08:11.000000000 +0000
> @@ -178,7 +178,7 @@
>          next;
>      }
>  
> -    unless($rec->{process} =~ /^\%PIX-([0-9])-([0-9]+)$/) {
> +    unless($rec->{process} =~ /\%PIX-([0-9])-([0-9]+)$/) {
>          lr_debug("skipped non PIX syslog line '$_'");
>  
>          # FIXME: I don't think we should mark lines that we know for
> sure aren't PIX lines
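Review bot: dropping the leading `^` from the `%PIX-([0-9])-([0-9]+)` match lets any prefix precede the `%PIX` tag, which is presumably what the PIX v7 process field needs, but it also loosens the check for every other syslog line that reaches this point. If v7 puts a known string in front of `%PIX`, match it explicitly (for example `/^\S*\%PIX-([0-9])-([0-9]+)$/`, or an optional named prefix) and add a comment saying why the anchor changed, so the next reader does not restore it.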
> @@ -423,13 +423,7 @@
>          $dlf{'action'} = 'denied';
>  
>          ($dlf{'protocol'}, $from_addr, $to_addr, $dlf{'rule'}) =
> -          $pix_body =~ m/^
> -            Deny\ (\w+)\                     # protocol
> -            src\ ([-\w\.:\/]+)\               # from_addr
> -            dst\ ([-\w\.:\/]+)\               # to_addr
> -            (?:\(type\ \d+,\ code\ \d+\)\ )? # optional (ignored)
> -            by\ access-group\ "([\w-]+)"     # rule
> -          \s*$/x;
> +          $pix_body =~ m/^Deny\ (\w+)\ src\ ([-\w\.:\/]+)\ dst\
> ([-\w\.:\/]+)\ by\ access-group\ "([\w-]+)"\ \[0x0, 0x0\]\s*$/;
>  
>          ($dlf{'rcv_intf'}, $dlf{'from_ip'}, $dlf{'from_port'}) = 
>            grok_addr($from_addr);
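Review bot: the replacement regex drops the optional `(?:\(type\ \d+,\ code\ \d+\)\ )?` group and makes the trailing ` [0x0, 0x0]` mandatory, so ICMP deny lines carrying `(type N, code N)`, lines without the trailer (the ones the original pattern served), and lines whose trailer is anything other than the literal `0x0, 0x0` will no longer be parsed. Keep the multi-line `/x` layout and the type/code group, and append the trailer as an optional, hex-general alternative, e.g. `(?:\ \[0x[0-9a-f]+,\ 0x[0-9a-f]+\])?  # v7 trailer` just before `\s*$/x`.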
> @@ -461,7 +455,7 @@
>          # followup.  o well, just skip all these for now, and get data
> from
>          # %PIX-3-106014, %PIX-6-302016 and friends
>  
> -        next LINE;
> +#        next LINE;
>  
>          # 4000nn: IDS:sig_num sig_msg from IP_addr to IP_addr on
>          # interface int_name
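Review bot: commenting out `next LINE;` leaves the comment above it ("just skip all these for now, and get data from %PIX-3-106014, %PIX-6-302016 and friends") describing behaviour the code no longer has, and leaves dead code in place. Either delete the line and rewrite that comment to say which messages now fall through and why, or keep the skip and give the v7 messages their own branch; as the hunk stands a reader cannot tell whether falling through into the IDS block below is intended.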
> @@ -496,16 +490,8 @@
>          $dlf{'action'} = 'denied';
>  
>          ($dlf{'msg'}, $dlf{'from_ip'}, $dlf{'to_ip'}, $dlf{'rcv_intf'})
> = 
> -          $pix_body =~ m/^
> -            IDS:\d+\                       #
> -            ([-+\(\)\ a-zA-Z]+?)\          # sig_msg [1]
> -            from\                          #
> -            ([\d\.]+)\                     # from_ip
> -            to\                            #
> -            ([\d\.]+)\                     # to_ip
> -            on\ interface\                 #
> -            ([-\w]+)                       # rcv_intf
> -          \s*$/x;
> +          $pix_body =~ m/^IDS:[\d]+\ ([-\w\ ]+)\ from\ ([\d\.]+)\ to\
> ([\d\.]+)\ on\ interface\ ([-\w]+)\s*$/;
> +
>  
>          # [1] see
>          #
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/
> pixemsgs.htm#18407
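Review bot: the new sig_msg capture `([-\w\ ]+)` is narrower than the original `([-+\(\)\ a-zA-Z]+?)`, so signature messages containing `+`, `(` or `)`, which the original author deliberately allowed, will no longer match. The `# [1] see ...` footnote kept below the regex now points at a `[1]` marker that this hunk removed, and the stray `+` line adds an empty line for no reason. Suggest keeping the `/x` block and only widening the class if v7 messages require it, e.g. `([-+\(\)\w\ ]+?)\  # sig_msg [1]`.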
> 
> 
> 
> I will be adding a few more message numbers to parse, and if you wish,
> can send a unified diff for those as well.......

That'd be cool.  Furthermore, personally I'd prefer to keep the regexes
in /x style.  It's a bit more readable to have them on multiple lines,
imho.

Also, the manpage would need a patch.  It doesn't mention PIX v7 at all.

Thanks again, Bye,

Joost

-- 
.    .                                        http://logreport.com/
| '.|                        /^LogReport$/
| Lire                                        http://logreport.org/
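The Deny regex from the patch above, kept in the multi-line `/x` layout while accepting both the original optional `(type N, code N)` group and the new trailing `[0x..., 0x...]` field, as an added Perl example that is not from this mail or from Lire's own pix2dlf; the `parse_deny` helper, the hex-general trailer pattern and the three sample bodies are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the mail or from pix2dlf: one /x-style regex
# that parses the "Deny" body with or without the ICMP "(type N, code N)"
# group and with or without the trailing "[0x0, 0x0]" field of the v7 lines.
use strict;
use warnings;

# Constructed sample bodies (documentation addresses), not real log data.
my @samples = (
    'Deny tcp src outside:192.0.2.10/4242 dst inside:198.51.100.5/22 by access-group "acl_out"',
    'Deny icmp src outside:192.0.2.10 dst inside:198.51.100.5 (type 8, code 0) by access-group "acl_out"',
    'Deny udp src outside:192.0.2.10/5353 dst inside:198.51.100.5/53 by access-group "acl_out" [0x0, 0x0]',
);

# Hypothetical helper: returns a hashref of the captured fields, or undef.
sub parse_deny {
    my ($pix_body) = @_;
    my ($protocol, $from_addr, $to_addr, $rule) = $pix_body =~ m/^
        Deny\ (\w+)\                                   # protocol
        src\ ([-\w\.:\/]+)\                            # from_addr
        dst\ ([-\w\.:\/]+)\                            # to_addr
        (?:\(type\ \d+,\ code\ \d+\)\ )?               # optional ICMP type/code
        by\ access-group\ "([\w-]+)"                   # rule
        (?:\ \[0x[0-9a-fA-F]+,\ 0x[0-9a-fA-F]+\])?     # optional v7 trailer (assumed hex)
        \s*$/x;
    return unless defined $rule;
    return { protocol => $protocol, from => $from_addr, to => $to_addr, rule => $rule };
}

for my $body (@samples) {
    my $r = parse_deny($body);
    if ($r) {
        printf "%-4s %s -> %s rule=%s\n", $r->{protocol}, $r->{from}, $r->{to}, $r->{rule};
    } else {
        print "unparsed: $body\n";
    }
}
```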