ArubaOS 8.6.0.0 Help Center

Syslog Parser Rules

The user creates an ESI rule by using characters and special operators to specify a pattern (regular expression) that uniquely identifies a certain amount of text within a syslog message (regular expression syntax is described in Understanding BRE Syntax). This “condition” defines the type of message and the ESI domain to which this message pertains. The rule contains three major fields:

Condition: The pattern that uniquely identifies the syslog message type.

User: The username identifier. It can be in the form of a name, MAC address, or IP address.

Action: The action to take when a rule match occurs.

Once a condition match has been made, no further rule-matching will be made. For the rule that matched, only one action can be defined.

After a condition match has been made, the message is parsed for the user information. This is done by specifying the target region with the regex () block syntax. This syntax produces two blocks: the first block is the matched expression; the second block contains the value inside the parentheses. For username matching, the focus is on the second block, as it contains the username.

Condition Pattern Matching

The following description uses the Fortigate virus syslog message format as an example to describe condition pattern matching. The Fortigate virus syslog message takes the form:

Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4

This message example contains the Fortigate virus log ID number 0100030101 (“log_id=0100030101”), which can be used as the condition—the pattern that uniquely identifies this syslog message.

The parser expression that matches this condition is either “log_id=0100030101”, which is a narrow match on the specific log ID number shown in the message, or “log_id=[0-9]{10}[ ]”, which is a regular expression that matches any Fortigate log entry with a ten-digit log ID followed by a space.

User Pattern Matching

To extract the user identifier in the example Fortigate virus message shown above (“src=1.2.3.4”), use the expression “src=(.*)[ ]” to parse the user information captured between the parentheses. The () block specifies where the username will be extracted. Only the first () block will be processed.

More examples:

Given a message wherein the username is a MAC address:

Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected mac 00:aa:bb:cc:dd:00

The expression “mac[ ](.{17})” will match “mac 00:aa:bb:cc:dd:00” in the example message.

Given a message wherein the username is a user name:

Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected user

The expression “user<(.*)>” will match “user” in the example message.
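The rule semantics described above (first condition match wins, one action per rule, user taken from the first () block), applied to constructed Fortigate-style lines. This is an added illustration, not ArubaOS code: Python's re module stands in for the controller's BRE engine, and the rule order and action names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One ESI syslog parser rule: condition, user pattern, action."""
    condition: str  # pattern that uniquely identifies the message type
    user: str       # pattern whose first () block captures the user identifier
    action: str     # action taken on a match (names here are hypothetical)

# Rules built from the patterns quoted in the text. Order matters: the first
# rule whose condition matches wins and no later rule is considered, so the
# MAC rule below can never fire while the first rule shares its condition.
RULES: List[Rule] = [
    Rule("log_id=0100030101", "src=(.*)[ ]", "quarantine"),
    Rule("log_id=0100030101", "mac[ ](.{17})", "quarantine"),  # shadowed
    Rule("log_id=[0-9]{10}[ ]", "src=(.*)[ ]", "notify"),
]

def parse_line(line: str, rules: List[Rule] = RULES) -> Optional[Tuple[str, Optional[str]]]:
    """Return (action, user) for the first rule whose condition matches, else None.

    The user is the contents of the first () block of the rule's user
    pattern; it is None when the condition matched but the user pattern did not.
    """
    for rule in rules:
        if re.search(rule.condition, line):
            m = re.search(rule.user, line)
            user = m.group(1) if m else None
            return rule.action, user
    return None

# Constructed sample lines modelled on the Fortigate messages in the text.
# Line 4 shows that a greedy "src=(.*)[ ]" keeps capturing up to the last
# space, so extra fields after src= end up inside the extracted "user".
SAMPLE_LINES = [
    "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 ",
    "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected mac 00:aa:bb:cc:dd:00",
    "Sep 26 18:30:03 log_id=0100030102 type=virus subtype=infected src=10.0.0.7 ",
    "Sep 26 18:30:04 log_id=0100030103 type=virus src=10.0.0.8 dst=10.0.0.1 ",
    "Sep 26 18:30:05 type=traffic src=10.0.0.9 ",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

Anchoring the user pattern more tightly (for example “src=([^ ]*)[ ]”) avoids the over-capture shown on the fourth line.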
