Release 2008.2
Creating Extension Documents
    <matcher field="DestinationPort" order="1" pattern-id="DestinationIp" capture-group="2" />
    <matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
    <matcher field="Protocol" order="2" pattern-id="Protocol_6" capture-group="TCP" enable-substitutions="true" />
    <event-match-multiple pattern-id="EventNameId" capture-group-index="1" device-event-category="Cisco Firewall" />
  </match-group>
</device-extension>
The above extension document example demonstrates some of the basic aspects of parsing:
• IP addresses
• Ports
• Protocol
• Multiple fields using the same pattern with different capture groups
This example parses every FWSM event that matches the specified pattern; a field whose text is not present in a given event (because that event carries different content) is simply left unparsed.
The following information was necessary to create this configuration but was not available from the event itself:
• The event name is only the last six digits (302015) of the %FWSM-session-0-302015 portion of the event.
• The FWSM has a hard-coded device event category of Cisco Firewall.
• The FWSM uses the Cisco Pix QID and therefore includes the device-type-id-override="6" parameter in the match group (the Pix firewall's device type ID is 6, see Table 6).
If the QID information is not specified or is unavailable, you can modify the event
mapping using the Event Viewer. For more information, see the Modifying Event
Mapping section in the STRM Users Guide.
An event name and a device event category are required when looking for the event in the QID. The device event category is a grouping parameter within the database that helps define like events within a device. The event-match-multiple element at the end of the match group hard-codes the category. The event-match-multiple uses the EventNameId pattern on the parsed event name to match up to six digits. This pattern is not run against the full payload, just the portion parsed as the EventName field.
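The following is an added example, not code or pattern text from the STRM guide or the product: a plain-Python model of how the matchers above turn an FWSM syslog payload into normalized fields, and how event-match-multiple then derives the QID lookup key from the parsed EventName field only. Two things are assumptions: the regexes stand in for the <pattern> elements, which are not part of this excerpt, and are written from this page's prose description of the EventName and EventNameId patterns; and matchers for the same field are modelled as being tried in ascending order, with the first hit winning. The sample syslog lines are constructed in the style of FWSM messages, not captured events.

```python
"""Added example, not from the STRM guide: a plain-Python model of how the
matchers and the event-match-multiple element turn an FWSM syslog payload
into normalized fields and a QID lookup key.

Assumptions (nothing below is the product's own code or pattern text):
  * the regexes stand in for the <pattern> elements, which are not shown
    in this excerpt; they follow the prose description of the EventName
    and EventNameId patterns;
  * matchers for one field are tried in ascending "order", first hit wins.
"""
import re

# Constructed sample lines in the style of FWSM syslog (not captured events).
SAMPLE_EVENTS = [
    "<166>Apr  1 12:00:01 fwsm01 %FWSM-session-0-302015: Built outbound UDP "
    "connection 123456 for inside:10.1.2.3/51234 (192.0.2.5/51234) "
    "to outside:203.0.113.10/53 (203.0.113.10/53)",
    "<164>Apr  1 12:00:02 fwsm01 %FWSM-session-4-106023: Deny protocol 6 "
    "src outside:198.51.100.7/40000 dst inside:10.1.2.9/22 by access-group outside_in",
]

# Assumed pattern definitions keyed by pattern-id.
PATTERNS = {
    # %FWSM, zero or more letters and dashes, the severity digit, a dash, six digits
    "EventName": re.compile(r"(%FWSM[A-Za-z-]*\d-\d{6})"),
    # run only against the parsed EventName field: up to six trailing digits
    "EventNameId": re.compile(r"(\d{1,6})$"),
    # one pattern, two groups: group 1 is the address, group 2 the port
    "SourceIp": re.compile(r"\b(?:for|src) \w+:(\d{1,3}(?:\.\d{1,3}){3})/(\d+)"),
    "DestinationIp": re.compile(r"\b(?:to|dst) \w+:(\d{1,3}(?:\.\d{1,3}){3})/(\d+)"),
    "Protocol": re.compile(r"\b(TCP|UDP|ICMP)\b"),
    "Protocol_6": re.compile(r"\bprotocol 6\b"),
}

# Model of the <matcher> elements: (field, order, pattern-id, capture-group, substitutions).
# With substitutions enabled the capture-group value is a literal, as in the TCP matcher.
MATCHERS = [
    ("EventName", 1, "EventName", 1, False),
    ("SourceIp", 1, "SourceIp", 1, False),
    ("SourcePort", 1, "SourceIp", 2, False),
    ("DestinationIp", 1, "DestinationIp", 1, False),
    ("DestinationPort", 1, "DestinationIp", 2, False),
    ("Protocol", 1, "Protocol", 1, False),
    ("Protocol", 2, "Protocol_6", "TCP", True),
]

DEVICE_EVENT_CATEGORY = "Cisco Firewall"  # hard-coded by event-match-multiple
DEVICE_TYPE_ID = 6  # device-type-id-override="6": the Pix firewall's device type ID


def parse_event(payload):
    """Apply the matchers; fields whose text is absent from the payload stay unset."""
    fields = {}
    for field_name, _order, pattern_id, group, substitute in sorted(MATCHERS, key=lambda m: m[1]):
        if field_name in fields:
            continue  # a lower-order matcher already filled this field
        match = PATTERNS[pattern_id].search(payload)
        if match is None:
            continue
        fields[field_name] = group if substitute else match.group(group)
    return fields


def qid_lookup_key(fields):
    """Model of event-match-multiple: EventNameId runs on the parsed EventName only;
    the result is combined with the hard-coded category and device type ID."""
    name = fields.get("EventName")
    if name is None:
        return None
    match = PATTERNS["EventNameId"].search(name)
    if match is None:
        return None
    return (DEVICE_TYPE_ID, DEVICE_EVENT_CATEGORY, match.group(1))


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        parsed = parse_event(line)
        print(parsed)
        print("QID lookup key:", qid_lookup_key(parsed))
```

The second sample shows why the order-2 Protocol matcher exists: the payload carries no literal protocol name, so the Protocol_6 pattern fires and the substitution supplies TCP. Running EventNameId against the parsed EventName field rather than the whole payload keeps other digit runs (the connection number 123456 in the first sample) out of the lookup, and a payload that matches none of the patterns simply yields no fields and no key.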
The EventName pattern references the %FWSM portion of the events; all Cisco FWSM events contain the %FWSM portion. The pattern in the example matches %FWSM followed by any number (zero or more) of letters and dashes. This part of the match accounts for the word session that is embedded in the middle of the event name and that needs to be removed. The event severity (according to Cisco), followed by