Rules (XIF)
[MODEL: dataset="cisco_catalyst_raw"]
/* ----------------------------------------------------------------------------------------------------
Cisco System Log Message General Format:
seq no:timestamp: %facility-severity-MNEMONIC:description
https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html#wp1054470)
---------------------------------------------------------------------------------------------------*/
filter _raw_log ~= "%\S+\-\d\-\S+:"
| alter // extract out-of-the-box parsed fields
event_name = uppercase(parsed_fields -> mnemonic),
facility = uppercase(parsed_fields -> facility),
msg = parsed_fields -> description,
seq_number = parsed_fields -> sequence_number,
severity = parsed_fields -> severity
| alter // extract dynamic fields from the syslog message description
change_state = arrayindex(regextract(msg, "\,\s(changed\sstate\sto[a-zA-Z\s]+)"), 0),
client_mac_address = coalesce(
arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0)),
device_hostname = arrayindex(regextract(_raw_log ,"\<\d+\>\d+\:\s([\w+\-\_]+)\:\s\d+\:"), 0),
device_product_id = arrayindex(regextract(msg ,"\[PID\:([^\,]+)\,"), 0),
device_serial_number = arrayindex(regextract(msg , ",SN\:([\w\-]+)"), 0),
interface = coalesce(
arrayindex(regextract(msg ,"Interface\s([^\/]+\/\d+\/*\d*)"), 0),
arrayindex(regextract(msg ,"interface\sname\s([^\/]+\/\d+\/\d+)"), 0),
arrayindex(regextract(msg , "Interface\s([\w\-]+)"), 0),
arrayindex(regextract(msg , "on interface\s+(\S+)\s+by"), 0),
arrayindex(regextract(msg , "(?:on|port|Unblocking|Blocking)\s+(\w+\/\w+\/\w+)"), 0),
arrayindex(regextract(msg , "^(\w+\/\w+\/\w+):"), 0)),
outcome_reason = coalesce(
arrayindex(regextract(msg, "\sreason:\s*(.+?)\."), 0),
arrayindex(regextract(msg, "with reason\s*\(([^\)]+)\)"), 0),
arrayindex(regextract(msg, "\[Reason:\s*([^\]]+)\]"), 0)),
process_name = coalesce(
arrayindex(regextract(msg ,"by\sprocess\s(.+?)\s+(?:Process|Policy\smanager)"), 0),
arrayindex(regextract(msg ,"process\s*\=\s*([^\.]+)\."), 0)),
server_ipv4 = arrayindex(regextract(msg, "[Ss]erver(?:\s+not\s+found)?(?:\s+at)?\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
server_name = arrayindex(regextract(msg, "Server\s+([\w\-]+)\s+is"), 0),
session_id = coalesce(
arrayindex(regextract(msg, "AuditSessionID (\w+)"), 0),
arrayindex(regextract(msg, "session (\w+)\("), 0)),
source_ipv4 = coalesce(
arrayindex(regextract(msg , "from\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg , "from\s+host\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg , "list\s\d+\spermitted\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg ,"\[Source\:\s((?:\d{1,3}\.){3}\d{1,3})\]"), 0),
arrayindex(regextract(msg ,"session\s\d+\(((?:\d{1,3}\.){3}\d{1,3})\)"), 0),
arrayindex(regextract(msg ,"connection\sfrom\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
arrayindex(regextract(msg ,"address\s((?:\d{1,3}\.){3}\d{1,3})\son"), 0),
arrayindex(regextract(msg ,"neighbor\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg , "on\s+\w+\s*\(((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg ,"\(((?:\d{1,3}\.){3}\d{1,3})\)\)\,\suser"), 0)),
target_ipv4 = arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
target_port = coalesce(
arrayindex(regextract(msg ,"\[localport\:\s(\d+)\]"), 0),
arrayindex(regextract(msg ,"to\shost\s\d+\.\d+\.\d+\.\d+\sport\s(\d+)"), 0)),
username = coalesce(
arrayindex(regextract(msg ,"user\s+name\s*:\s*([\w\-]+)"), 0),
arrayindex(regextract(msg ,"User\s+\'([^\']+)\'\s+\w+"), 0),
arrayindex(regextract(msg ,"User\s+(\S+)\s+has"), 0),
arrayindex(regextract(msg ,"\[user\:\s([^\]]+)\]"), 0),
arrayindex(regextract(msg ,"\:\sUser\s(\S+)\s"), 0),
arrayindex(regextract(msg ,"Username:\s*()"), 0),
arrayindex(regextract(msg ,"by\s+(\S+)\s+on\s+"), 0),
arrayindex(regextract(msg ,"\(\d+\.\d+\.\d+\.\d+\)\)\,\suser\s(\S+)"), 0)),
vlan = arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)
| alter // post-extraction formatting
client_mac_formatted = arraystring(regextract(client_mac_address, "[\da-fA-F]{2}"), ":"),
seq_number = replex(seq_number, "^0+", ""),
user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM mappings
xdm.alert.severity = severity,
xdm.event.description = msg,
xdm.event.log_level = if(
severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY,
severity = "1", XDM_CONST.LOG_LEVEL_ALERT ,
severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL,
severity = "3", XDM_CONST.LOG_LEVEL_ERROR,
severity = "4", XDM_CONST.LOG_LEVEL_WARNING,
severity = "5", XDM_CONST.LOG_LEVEL_NOTICE,
severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL,
severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
xdm.event.outcome = if(
msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
event_name ~= "SUCCESS" or msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.outcome_reason = outcome_reason,
xdm.event.type = if( // rename vague event names to a meaningful name if necessary
event_name = "FAIL" and msg ~= "(?i)Authorization failed", "AUTHORIZATION_FAILED",
event_name = "FAIL" and msg ~= "(?i)Authentication failed", "AUTHENTICATION_FAILED",
event_name),
xdm.network.session_id = seq_number,
xdm.observer.action = change_state,
xdm.observer.name = device_hostname,
xdm.observer.type = facility,
xdm.observer.unique_identifier = coalesce(device_serial_number, device_hostname),
xdm.session_context_id = session_id,
xdm.source.host.device_id = coalesce(device_serial_number, device_hostname),
xdm.source.host.device_model = device_product_id,
xdm.source.host.hardware_uuid = device_serial_number,
xdm.source.host.mac_addresses = if(client_mac_formatted != null, arraycreate(client_mac_formatted)),
xdm.source.ipv4 = coalesce(source_ipv4, _final_reporting_device_ip),
xdm.source.process.name = process_name,
xdm.source.user.domain = user_domain,
xdm.source.user.username = username,
xdm.source.vlan = to_integer(vlan),
xdm.target.host.hostname = server_name,
xdm.target.interface = interface,
xdm.target.ipv4 = coalesce(server_ipv4, target_ipv4),
xdm.target.port = to_integer(target_port);
/* ------------------------------------------------
Alternative Message Format:
origin_device_id event_id facility: description
-----------------------------------------------*/
filter _raw_log !~= "%\S+\-\d\-\S+:"
| alter // extract out-of-the-box parsed fields
device_ip = parsed_fields -> device_ip,
event_id = to_integer(parsed_fields -> event_id),
facility = uppercase(parsed_fields -> facility),
msg = parsed_fields -> description,
severity = parsed_fields -> severity
| alter // Extract the varying dynamic fields from the message payload
access_mode = if(
event_id in (2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3216, 3217, 3218, 3356, 3357), arrayindex(regextract(msg, "^(\S+) client"), 0),
event_id in (3351, 3352, 3353, 3354, 3355), arrayindex(regextract(msg, "^(\S+)\s*\:"), 0),
event_id in (3211, 3212, 3213), arrayindex(regextract(msg, "received on port \S+ for (\S+) client"), 0),
event_id = 3350, arrayindex(regextract(msg, "^(\S+) unable to permit client"), 0),
event_id in (5212, 5213, 5722, 5724, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "to (\S+) client"), 0)),
cmd = if(
event_id in (992, 993), arrayindex(regextract(msg, "command (.+)\."), 0),
event_id in (3393, 3394), arrayindex(regextract(msg, "[Cc]ommand (.+) is"), 0)),
dhcp_server_ip = if(event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip ((?:\d{1,3}\.){3}\d{1,3})"), 0)),
gateway_ip = if(event_id = 5451, arrayindex(regextract(msg, "vlan \S+ \(?(\S+)\)?"), 0)),
gateway_name = if(event_id in (5595, 5596, 5597, 5598, 5599, 5600), arrayindex(regextract(msg, "gateway (\S+)"), 0)),
ip_mask = if(
event_id = 17, arrayindex(regextract(msg, "mask ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
event_id in (25, 26), arrayindex(regextract(msg, "address ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
event_id = 753, arrayindex(regextract(msg, "failure\:\s*((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0)),
mac_address = if(
event_id = 5, arrayindex(regextract(msg, "at ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (20, 21, 288, 334, 5681, 5682, 5683, 5684, 5731), arrayindex(regextract(msg, "(?:mac|MAC)[\s\-]+(?:address|ADDRESS) ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (845, 952, 958, 959, 960, 961, 2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3273, 3274, 3281, 3283, 3350, 3356, 3357, 3822, 4987), arrayindex(regextract(msg, "(?:mac|MAC)\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 2581, arrayindex(regextract(msg, "MAC address of ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (354, 858), arrayindex(regextract(msg, "address ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 348, arrayindex(regextract(msg, "error:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 352, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) moved from"), 0),
event_id = 353, arrayindex(regextract(msg, "Received Update Packet from ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 355, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) MISMATCH"), 0),
event_id = 451, arrayindex(regextract(msg, "Upgrade ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 452, arrayindex(regextract(msg, "config with ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (453, 3282), arrayindex(regextract(msg, "switch ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (592, 594), arrayindex(regextract(msg, "\S+\s*:\s*(?:Move )?((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (613, 2209), arrayindex(regextract(msg, "MAC add for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5212, 5213, 5411, 5722, 5724), arrayindex(regextract(msg, "to ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (839, 3816), arrayindex(regextract(msg, "from \S+\s*:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (870, 2690, 4548, 4556, 4565), arrayindex(regextract(msg, "from\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 915, arrayindex(regextract(msg, "source:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (979, 4588, 4880), arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) on port"), 0),
event_id = 2431, arrayindex(regextract(msg, "multicast ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 714, 716, 718, 719, 720, 721, 722, 856, 2539, 2540, 2541, 3211, 3212, 3213, 3214, 3215, 3216, 3217, 3218, 3351, 3352, 3355, 3358, 4575, 5563, 5619, 5620, 5621, 5723, 5726, 5743, 5744, 5747, 5748, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5906, 5907, 5940, 5941), arrayindex(regextract(msg, "(?:client|Client):?\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (2720, 3354, 4590, 5385), arrayindex(regextract(msg, "for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 3280, arrayindex(regextract(msg, "Member ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (4572, 4573, 4874), arrayindex(regextract(msg, "packet ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 4980, arrayindex(regextract(msg, "got ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5120, 5121, 5143, 5144, 5145, 5146), arrayindex(regextract(msg, "device ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5122, 5123), arrayindex(regextract(msg, "Aruba AP ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5406, 5407), arrayindex(regextract(msg, "user ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
coalesce( // default fallback
arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0))),
outcome_reason = if(
event_id in (5076, 5230, 5240, 5244, 5246, 5261), rtrim(arrayindex(regextract(msg, "[Ee]rror:?\s*(?:\=?\s*)?(.+)"), 0), "."),
event_id in (2204, 5254), arrayindex(regextract(msg, "error:?\s*(?:\=?\s*)?(.+) (?:occurred|on)"), 0),
event_id = 5682, arrayindex(regextract(msg, "reason (.+)\-\s*server"), 0),
event_id = 5222, arrayindex(regextract(msg, "server:\s*(.+)"), 0),
event_id in (5236, 5239, 5243, 5247, 5248, 5249, 5250, 5251, 5233, 5234), arrayindex(regextract(msg, "with error (?:\=\s*)(.+)"), 0),
event_id in (5241, 5242), arrayindex(regextract(msg, "string is (.+)"), 0),
event_id in (132, 134, 4187, 4188), arrayindex(regextract(msg, "msg:? (.+)"), 0),
event_id = 542, arrayindex(regextract(msg, "Skipped:\s*(.+)"), 0),
event_id in (2614, 2218), arrayindex(regextract(msg, "failed:\s*(.+)"), 0),
event_id = 609, arrayindex(regextract(msg, "from \S+ \(?(.+?)\)?\s*\-"), 0),
event_id = 2419, arrayindex(regextract(msg, "Received (.+) packet"), 0),
event_id in (5081, 5619), arrayindex(regextract(msg, " as (\.+)\."), 0),
event_id in (5602, 5604, 5606, 5623, 5867, 5869), arrayindex(regextract(msg, "because of (.+)\."), 0),
event_id = 158, arrayindex(regextract(msg, "line \S+\s*(.+)"), 0),
event_id in (686, 687, 3032, 3033, 3841, 3842, 3843), msg,
event_id in (3380, 3381), arrayindex(regextract(msg, "ERR:\s*(.+)"), 0),
event_id in (648, 2007, 2413, 3370), arrayindex(regextract(msg, "failed:?\s*(.+)"), 0),
event_id = 4252, arrayindex(regextract(msg, "start:\s*(.+)"), 0),
event_id = 3258, arrayindex(regextract(msg, "failed due to \s*(.+)"), 0),
event_id = 655, arrayindex(regextract(msg, "VLAN\.\s*(.+)"), 0),
event_id = 669, arrayindex(regextract(msg, "caution (.+)"), 0),
event_id = 5620, arrayindex(regextract(msg, "role (.+)"), 0),
event_id in (3152, 3278, 3279, 4872, 5407, 5408), arrayindex(regextract(msg, "[Rr]eason:?\s*(.+)"), 0),
event_id = 63, arrayindex(regextract(msg, "down:\s*(.+)"), 0),
event_id = 273, arrayindex(regextract(msg, "\S+\s*\-\s*(.+)"), 0),
event_id = 4892, arrayindex(regextract(msg, "Got (.+)\."), 0),
event_id = 3006, arrayindex(regextract(msg, "reboot: (.+)"), 0),
event_id in (4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949), arrayindex(regextract(msg, "failed\s*;\s*(.+)"), 0)),
policy_name = if(
event_id = 5816, arrayindex(regextract(msg, "list \'(.+?)\'"), 0),
event_id = 5817, arrayindex(regextract(msg, "class \'(.+?)\'"), 0),
event_id in (2655, 2659, 2661), arrayindex(regextract(msg, "apply \'(.+?)\'"), 0),
event_id in (2637, 2638, 2652, 2653, 2654, 2656, 3025, 5215, 5745, 5746), arrayindex(regextract(msg, "[Pp]olicy (?:is\s+)?\'(.+?)\'"), 0)),
interface_port_id = if(
event_id in (76, 77, 324, 725, 826, 827, 828, 840, 841, 844, 848, 849, 884, 885, 886, 887, 888, 889, 927, 972, 975, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4584, 4593, 4646, 4647, 5161, 5162, 5834), arrayindex(regextract(msg, "^[Pp]ort ([\w\/]+)"), 0),
event_id in (725, 826, 827, 848, 849, 885, 927, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4646, 4647, 5161, 5162), arrayindex(regextract(msg, "^Port ([\w\/]+) (?:with|released|changed|inhibited|blocked|unblocked|disabled|has|is|\-)"), 0),
event_id in (346, 347, 348, 350, 351, 353, 356, 447), arrayindex(regextract(msg, "^([\w\/]+)\s*[\-]+\s*(?:ACK|Received|detected|initialized|established|not established)"), 0), //
event_id in (822, 823), arrayindex(regextract(msg, "^(?:Created|Deleted) ([\w\/]+)"), 0),
event_id in (883, 3381, 3815), arrayindex(regextract(msg, "Port ([\w\/]+) (?:has|communications|moved)"), 0),
event_id in (2640, 2641, 2642, 2643, 2644), arrayindex(regextract(msg, "src I\/F ([\w\/]+) (?:is|has)"), 0),
event_id in (4667, 4670), arrayindex(regextract(msg, "on Interface ([\w\/]+)"), 0),
event_id = 357, arrayindex(regextract(msg, "^([\w\/]+) load balance version"), 0),
event_id = 444, arrayindex(regextract(msg, "^([\w\/]+): received"), 0),
event_id = 453, arrayindex(regextract(msg, "detected on ([\w\/]+)"), 0),
event_id = 520, arrayindex(regextract(msg, "Ports ([\w\/]+):"), 0),
event_id = 592, arrayindex(regextract(msg, "Move \S+ to ([\w\/]+) denied"), 0),
event_id = 825, arrayindex(regextract(msg, "PORT-MAP (?:removed from|added to) ([\w\/]+)"), 0),
event_id = 2639, arrayindex(regextract(msg, "from ([\w\/]+) interface"), 0),
event_id = 4573, arrayindex(regextract(msg, "Invalid DHCPv6 packet \S+\.?\s*([\w\/]+)"), 0),
event_id = 4633, arrayindex(regextract(msg, "Mac-notify traps ([\w\/]+)"), 0),
event_id = 4986, arrayindex(regextract(msg, "enabled port ([\w\/]+)"), 0),
event_id = 5052, arrayindex(regextract(msg, "^Configuration conversion for \S+ ([\w\/]+)"), 0),
arrayindex(regextract(msg, "\s+[Pp]ort ([\w\/]+)"), 0)), // General fall back
src_ip = if(
event_id in (3, 3087, 5328), arrayindex(regextract(msg, "to (\S+)"), 0),
event_id in (11, 91, 97, 98, 99, 112, 236, 237, 419, 468, 469, 470, 609, 610, 611, 618, 619, 620, 621, 622, 636, 637, 639, 640, 754, 982, 983, 984, 985, 2205, 2206, 2207, 2210, 2211, 2219, 2220, 2419, 2420, 2421, 2422, 2425, 2667, 2684, 2686, 3310, 3311, 3318, 3345, 3362, 3363, 3387, 3390, 4215, 4216, 4241, 4242, 4244, 4245, 4281, 4542, 4558, 456, 4575, 4832, 4834, 4872, 4873, 5005, 5006, 5016, 5312, 5313, 5314, 5329, 5653), arrayindex(regextract(msg, "from (\S+)"), 0),
event_id in (12, 13, 3167), arrayindex(regextract(msg, "on (\S+)"), 0),
event_id in (16, 86, 748, 749, 2430, 2581, 2582, 3130, 4243, 4261, 4263, 4276, 4782, 4875, 5025, 5026, 5034, 5177, 5358), arrayindex(regextract(msg, "[Aa]ddress:? (\S+)"), 0),
event_id in (612, 2208, 5017), arrayindex(regextract(msg, "from rtr (\S+)"), 0),
event_id in (614, 623), arrayindex(regextract(msg, "flow (\S+)"), 0),
event_id in (617, 625, 626, 628, 694, 695, 696, 806, 917, 5013), arrayindex(regextract(msg, "IP (\S+)"), 0),
event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*\S+\s*\-?\s*s?\s*(\S+)"), 0),
event_id in (850, 854, 3319, 3320, 4546, 4913, 5401), arrayindex(regextract(msg, "(?:Server|server) (\S+)"), 0),
event_id in (864, 4552), arrayindex(regextract(msg, "[Rr]eading (\S+)"), 0),
event_id in (979, 4877, 4880), arrayindex(regextract(msg, "for (\S+),?"), 0),
event_id in (981, 4589), arrayindex(regextract(msg, "Access denied (\S+)\s*\-\>"), 0),
event_id in (2214, 2215, 2221, 2416, 2418, 2423, 2639, 2645, 2646, 2647), arrayindex(regextract(msg, "addr:? (\S+)"), 0),
event_id in (2530, 2668), arrayindex(regextract(msg, "Client \'?(\S+)\'?"), 0),
event_id in (4781, 4783), arrayindex(regextract(msg, "interface (\S+)\.?"), 0),
event_id in (4961, 4962, 4966), arrayindex(regextract(msg, "device (\S+)"), 0),
event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Source IPv4 \S+\:\s*(\S+)"), 0),
event_id in (5059, 5060, 5061, 5062, 5063, 5233, 5310), arrayindex(regextract(msg, "^\s*(\S+)"), 0),
event_id in (5304, 5305, 5306, 5307, 5308, 5309, 5315, 5316, 5317, 5318), arrayindex(regextract(msg, "peers\s*(\S+)"), 0),
event_id in (5402, 5403), arrayindex(regextract(msg, "is (\S+)\.?"), 0),
event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "source IP:\s*(\S+)\-?"), 0),
event_id = 5, arrayindex(regextract(msg, "^ARP:\s*(\S+)"), 0),
event_id = 17, arrayindex(regextract(msg, "mask (\S+)"), 0),
event_id = 8, arrayindex(regextract(msg, "Source:\s*(\S+)"), 0),
event_id = 805, arrayindex(regextract(msg, "block (\S+)"), 0),
event_id = 908, arrayindex(regextract(msg, "ipAddr:\s+(\S+)"), 0),
event_id = 911, arrayindex(regextract(msg, ",?\s*(\S+) port"), 0),
event_id = 2669, msg,
event_id = 4638, arrayindex(regextract(msg, "as (\S+)\.?"), 0),
event_id = 4878, arrayindex(regextract(msg, "binding (\S+)"), 0),
event_id = 5226, arrayindex(regextract(msg, "Activate (\S+)"), 0)),
tgt_ip = if(
event_id in (119, 411, 5181, 5182, 5183, 5184, 5845), arrayindex(regextract(msg, "server\s+(\S+)"), 0),
event_id in (120, 122, 413, 416), arrayindex(regextract(msg, "server at\s+(\S+)"), 0),
event_id in (747, 3340, 3341, 3342, 5226, 5649), arrayindex(regextract(msg, "to (\S+)"), 0),
event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*(\S+)"), 0),
event_id in (866, 4554), arrayindex(regextract(msg, "[Ww]riting (\S+)"), 0),
event_id in (981, 4589), arrayindex(regextract(msg, "Access denied \S+\s*\-\>(\S+)"), 0),
event_id in (3876, 5809), arrayindex(regextract(msg, "address (\S+)"), 0),
event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Destination IPv4 \S+\:\s*(\S+)"), 0),
event_id in (5311, 5405, 5408, 5419, 5421, 5422), arrayindex(regextract(msg, "[Cc]ontroller (\S+)[,\.]?"), 0),
event_id in (5404, 5406), arrayindex(regextract(msg, "Controller \S+ (\S+)\.?"), 0),
event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "destination IP:\s*(\S+)\-?"), 0),
event_id in (5685, 5686), arrayindex(regextract(msg, "\s+ip (\S+)"), 0),
event_id = 8, arrayindex(regextract(msg, "Target:\s*(\S+)"), 0),
event_id = 420, arrayindex(regextract(msg, "reach (\S+) server"), 0),
event_id = 315, arrayindex(regextract(msg, "target IP\s+(\S+)"), 0),
event_id = 317, arrayindex(regextract(msg, "Target IP address\s+(\S+)"), 0),
event_id = 630, arrayindex(regextract(msg, "group\s+(\S+)"), 0),
event_id = 631, arrayindex(regextract(msg, "to SUBSYSTEM\s+(\S+)"), 0),
event_id = 2631, arrayindex(regextract(msg, "at (\S+)\.?"), 0),
event_id = 4541, arrayindex(regextract(msg, "configure (\S+)"), 0),
event_id = 5451, arrayindex(regextract(msg, "^\s*(\S+)"), 0),
event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip (\S+)"), 0),
event_id = 5744, arrayindex(regextract(msg, "subscriber (\S+)"), 0),
event_id = 5812, arrayindex(regextract(msg, "Fqdn (\S+)"), 0)),
tgt_user = if(
event_id = 3368, arrayindex(regextract(_raw_log, "oldest user (\S+)") , 0),
event_id = 3386, arrayindex(regextract(_raw_log, "modified for user ([^\.]+)") , 0),
event_id = 4940, arrayindex(regextract(_raw_log, "^Password for user (\S+) (?:has )?expired") , 0),
event_id in (3391, 3392), arrayindex(regextract(_raw_log, "Local user (\S+) is") , 0)), // users added/removed to/from group
tgt_mac_address = if(event_id = 913, arrayindex(regextract(msg, "dest:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0)),
username = if(
event_id in(3362, 3363, 4241, 4242, 3369, 4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949, 4951, 4952, 5005, 5006, 5007, 3387, 4930, 4938, 4939, 5826), arrayindex(regextract(msg, "^User \'?([\w\\]+)\'? (?:logged|logout|from|password|has logged|is logged|has been logged|denied access)"), 0),
event_id in (186, 468, 469, 470, 640, 2667, 2710, 2714, 2715, 2716, 2717, 3310, 3311, 3318, 3340, 3341, 3342, 3343, 3344, 3345, 3440, 3444, 4244, 4245, 4248, 5553, 5555, 5765, 5825, 5827, 5828, 5829), arrayindex(regextract(msg, "^User\s*\:?\s*\'?([\w\\]+)\'?\s*\:"), 0),
event_id in (419, 5008, 639, 992, 993, 3390, 4940, 4941), arrayindex(regextract(msg, "[Uu]ser \'?([\w\\]+)\'? (?:is (?:trying|logged|added|deleted)|command|logged|has|expired)"), 0),
event_id = 4950, arrayindex(regextract(msg, "History records cleared for \'?([\w\\]+)\'? user") , 0),
event_id = 236, arrayindex(regextract(msg, "community name or user name\s*[,\:]?\s*\'?([\w\\]+)\'?"), 0),
event_id = 5815, arrayindex(regextract(msg, "^The user name \'?([\w\\]+\'?)"), 0),
event_id = 5940, arrayindex(regextract(msg, "Authentication aborted for(?: client \S+)? user \'?([\w\\]+)\'?\."), 0),
event_id = 5681, arrayindex(regextract(msg, "userName \'?([\w\\]+)\'?\-?\s*authType"), 0),
event_id = 5749, arrayindex(regextract(msg, "username \'?([\w\\]+)\'? or password"), 0),
event_id = 4831, arrayindex(regextract(msg, "limit is reached for \'?([\w\\]+)\'?\."), 0),
event_id = 2668, arrayindex(regextract(msg, "for the User \'?([\w\\]+)\'?\."), 0),
event_id = 5409, arrayindex(regextract(msg, "for user (\S+):") , 0)),
user_role = if(
event_id in (5204, 5205, 5206, 5207, 5208, 5209, 5210, 5211, 5212, 5213, 5411, 5412, 5619, 5563, 5717, 5722, 5724, 5725, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "user[\s\-]+role \'?(.+?)\'? (?:to|has|with|is|\.)"), 0),
event_id in (3391, 3392, 3393, 3394), arrayindex(regextract(msg, "group \'?(.+?)\'?\s*\."), 0),
event_id in (5620, 5621), arrayindex(regextract(msg, "^\'?(.+?)\'? client"), 0),
event_id in (5715, 5716), arrayindex(regextract(msg, "^Initial role \'?(.+?)\'? is"), 0)),
vlan_id = if(
event_id in (1,2), arrayindex(regextract(msg, "^(\d+) virtual LAN"), 0),
event_id = 316, arrayindex(regextract(msg, "^VLAN ID out of range \(?(\d+)"), 0),
event_id = 964, arrayindex(regextract(msg, "^Failed to allocate memory for (\d+)"), 0),
event_id = 3815, arrayindex(regextract(msg, "^(\d+) \S+ Port \S+ moved"), 0),
event_id = 3824, arrayindex(regextract(msg, "^GVRP could not create (\d+) because"), 0),
event_id = 3826, arrayindex(regextract(msg, "^GVRP could not add port \S+ to (\d+)"), 0),
event_id = 3828, arrayindex(regextract(msg, "^Port \S+ unblocked on (\d+)"), 0),
event_id = 4588, arrayindex(regextract(msg, "^Unable to add binding for (\d+)"), 0),
arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)) // vlan default fallback
| alter // Post Extraction Processing
formatted_mac_address = arraystring(regextract(mac_address, "[\da-fA-F]{2}"), ":"),
formatted_tgt_mac_address = arraystring(regextract(tgt_mac_address , "[\da-fA-F]{2}"), ":"),
gw_ipv4 = arrayindex(regextract(gateway_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
gw_ipv6 = arrayindex(regextract(gateway_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
src_ipv4 = arrayindex(regextract(src_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
src_ipv6 = arrayindex(regextract(src_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
tgt_ipv4 = arrayindex(regextract(tgt_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
tgt_ipv6 = arrayindex(regextract(tgt_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
tgt_user_domain = arrayindex(regextract(tgt_user, "(.+)\\.+"), 0),
user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM Mappings
xdm.alert.severity = severity,
xdm.auth.auth_method = access_mode,
xdm.event.description = msg,
xdm.event.id = to_string(event_id),
xdm.event.log_level = if(
severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY,
severity = "1", XDM_CONST.LOG_LEVEL_ALERT ,
severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL,
severity = "3", XDM_CONST.LOG_LEVEL_ERROR,
severity = "4", XDM_CONST.LOG_LEVEL_WARNING,
severity = "5", XDM_CONST.LOG_LEVEL_NOTICE,
severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL,
severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
xdm.event.outcome = if(
msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.outcome_reason = outcome_reason,
xdm.event.type = facility,
xdm.intermediate.host.hostname = gateway_name,
xdm.intermediate.ipv4 = device_ip,
xdm.intermediate.ipv6 = gw_ipv6,
xdm.intermediate.host.ipv4_addresses = arraycreate(device_ip, gw_ipv4),
xdm.intermediate.host.ipv6_addresses = arraycreate(gw_ipv6),
xdm.network.dhcp.siaddr = dhcp_server_ip,
xdm.network.rule = policy_name,
xdm.observer.type = facility,
xdm.observer.unique_identifier = device_ip,
xdm.source.host.mac_addresses = if(formatted_mac_address != null, arraycreate(formatted_mac_address)),
xdm.source.ipv4 = src_ipv4,
xdm.source.ipv6 = src_ipv6,
xdm.source.subnet = ip_mask,
xdm.source.user.domain = user_domain,
xdm.source.user.groups = if(user_role != null, arraycreate(user_role)),
xdm.source.user.username = username,
xdm.source.vlan = to_integer(vlan_id),
xdm.target.host.mac_addresses = if(formatted_tgt_mac_address != null, arraycreate(formatted_tgt_mac_address)),
xdm.target.process.command_line = cmd,
xdm.target.interface = to_string(interface_port_id),
xdm.target.ipv4 = tgt_ipv4,
xdm.target.ipv6 = tgt_ipv6,
xdm.target.user.domain = tgt_user_domain,
xdm.target.user.username = tgt_user;