Created
September 29, 2015 13:34
-
-
Save rootik/5b57aa60b997e735d263 to your computer and use it in GitHub Desktop.
Grok patterns
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #== Cisco ASA == | |
| HOSTNAME \b(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62})(?:\.(?:[_0-9A-Za-z][_0-9A-Za-z-]{0,62}))*(\.?|\b) | |
| CTIMESTAMP %{YEAR}-%{MONTHNUM2}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})(?:\.[0-9]+)?%{ISO8601_TIMEZONE} | |
| CISCO_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_TAG:ciscotag}: | |
| CISCO_ASA_TAGGED %{CTIMESTAMP}( %{SYSLOGHOST:host})? %{CISCO_ASA_TAG:ciscotag}: | |
| CISCO_CLASS [0-9]{3} | |
| CISCO_STRUC [A-Z0-9_]+ | |
| CISCO_TAG %{CISCO_STRUC:cisco_facility}-%{INT:cisco_severity}-%{CISCO_STRUC:cisco_mnemonic}|WLC[0-9]+ | |
| CISCO_ASA_TAG %[A-Z0-9_]+-%{INT:cisco_severity}-%{CISCO_CLASS:cisco_class}[0-9]{3} | |
| # Common Particles | |
| CISCO_ASA_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|received|denied by ACL|discarded|est-allowed|Dropping|dropping|created|deleted|SENDING|RECEIVED|monitored|dropped|terminated|Rejected | |
| CISCO_ASA_REASON AAA failure|Duplicate TCP SYN|TCP Reset\-O|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)* | |
| CISCO_ASA_DIRECTION Inbound|inbound|Outbound|outbound | |
| CISCO_ASA_INTERVAL first hit|%{INT}-second interval | |
| CISCO_ASA_XLATE_TYPE static|dynamic | |
| # ASA-2-106001 | |
| CISCOASA106001 %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ASA_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface} | |
| # ASA-2-106006, ASA-2-106007, ASA-2-106010 | |
| CISCOASA106006_106007_106010 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_user}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_user}\))? (?:on interface %{DATA:interface}|due to %{CISCO_ASA_REASON:reason}) | |
| # ASA-3-106014 | |
| CISCOASA106014 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_user}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\) | |
| # ASA-6-106015 | |
| CISCOASA106015 %{CISCO_ASA_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IPORHOST:src_ip}/%{INT:src_port} to %{IPORHOST:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface} | |
| # ASA-1-106021 | |
| CISCOASA106021 %{CISCO_ASA_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface} | |
| # ASA-4-106023 | |
| CISCOASA106023 %{CISCO_ASA_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_user}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "%{DATA:policy_id}" \[%{DATA:hashcode1}, %{DATA:hashcode2}\] | |
| # ASA-5-106100 | |
| CISCOASA106100 access-list %{WORD:policy_id} %{CISCO_ASA_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_user}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:dst_user}\))? hit-cnt %{INT:hit_count} %{CISCO_ASA_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\] | |
| # ASA-6-110002 | |
| CISCOASA110002 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} | |
| # ASA-5-111008 | |
| CISCOASA111008 User '%{DATA:user}' executed the '%{GREEDYDATA:cmd}' command\. | |
| # ASA-7-111009 | |
| CISCOASA111009 User '%{DATA:user}' executed cmd: %{GREEDYDATA:cmd} | |
| # ASA-5-111010 | |
| CISCOASA111010 User '%{DATA:user}', running '%{WORD:service}' from IP %{IPORHOST:src_ip}, executed '%{GREEDYDATA:cmd}' | |
| # ASA-6-113004 | |
| CISCOASA113004 AAA user authentication Successful : server = \s*%{IPORHOST:server} : user = %{DATA:user} | |
| # ASA-6-113005 | |
| CISCOASA113005 AAA user authentication %{CISCO_ASA_ACTION:action} : reason = %{CISCO_ASA_REASON} : server = %{IPORHOST:server} : user = %{DATA:user} : user IP = %{IP:src_ip} | |
| # ASA-6-302004 | |
| CISCOASA302004 Pre-allocate %{DATA:protocol} backconnection for faddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})? to laddr %{IPORHOST:orig_src_ip}(?:/%{INT:orig_src_port})? | |
| # ASA-6-302010 | |
| CISCOASA302010 %{INT:connection_count} in use, %{INT:connection_count_max} most used | |
| # ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016 | |
| CISCOASA302013_302014_302015_302016 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port}( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_user}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port}( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_user}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_ASA_REASON:reason})?( \(%{DATA:user}\))? | |
| # ASA-6-302020, ASA-6-302021 | |
| CISCOASA302020_302021 %{CISCO_ASA_ACTION:action}(?: %{CISCO_ASA_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IPORHOST:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:user}\))? gaddr %{IPORHOST:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IPORHOST:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))? | |
| # ASA-3-305006 | |
| CISCOASA305006 regular translation creation failed for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?(?: \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? | |
| # ASA-6-305011 | |
| CISCOASA305011 %{CISCO_ASA_ACTION:action} %{CISCO_ASA_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?(\(%{DATA:src_user}\))? to %{DATA:src_xlated_interface}:%{IPORHOST:src_xlated_ip}/%{DATA:src_xlated_port} | |
| # ASA-5-305013 | |
| CISCOASA305013 Asymmetric NAT rules matched for forward and reverse flows; Connection for %{WORD:protocol} src %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? dst %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? %{CISCO_ASA_ACTION:action} due to NAT reverse path failure | |
| # ASA-3-313001, ASA-3-313004, ASA-3-313008 | |
| CISCOASA313001_313004_313008 %{CISCO_ASA_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})? | |
| # ASA-4-313005 | |
| CISCOASA313005 %{CISCO_ASA_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IPORHOST:err_src_ip}(\(%{DATA:err_src_user}\))? dst %{DATA:err_dst_interface}:%{IPORHOST:err_dst_ip}(\(%{DATA:err_dst_user}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src %{IPORHOST:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_user}\))? dst %{IPORHOST:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_user}\))? | |
| # ASA-4-338004, ASA-4-338008 | |
| CISCOASA338004_338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: %{IPORHOST:blacklisted_ip}/%{IPORHOST:blacklisted_netmask}, threat-level: %{DATA:threat_level}, category: %{DATA:category} | |
| # ASA-4-338008 Dynamic Filter %{CISCO_ASA_ACTION:action} blacklisted %{WORD:protocol} traffic from %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})?( \(%{IPORHOST:src_mapped_ip}/%{INT:src_mapped_port}\))? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})?( \(%{IPORHOST:dst_mapped_ip}/%{INT:dst_mapped_port}\))?, destination %{IPORHOST:blacklisted_ip} resolved from local list: 221.204.186.0/255.255.255.0, threat-level: very-high, category: admin-added | |
| # ASA-4-400028 | |
| CISCOASA400028 IDS:3042 TCP FIN only flags from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface} | |
| # ASA-4-400037 | |
| CISCOASA400037 IDS:6053 DNS all records request from %{IPORHOST:src_ip} to %{IPORHOST:dst_ip} on interface %{DATA:interface} | |
| # ASA-4-402117 | |
| CISCOASA402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip} | |
| # ASA-4-402119 | |
| CISCOASA402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking | |
| # ASA-4-405104 | |
| CISCOASA405104 %{WORD:protocol} message %{DATA:voip_message} received from %{IPORHOST:src_ip}(/%{INT:src_port})? %{IPORHOST:dst_ip}(/%{INT:dst_port})? before SETUP | |
| # ASA-4-419001 | |
| CISCOASA419001 %{CISCO_ASA_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason} | |
| # ASA-4-419002 | |
| CISCOASA419002 %{CISCO_ASA_REASON:reason} from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} with different initial sequence number | |
| # ASA-4-500004 | |
| CISCOASA500004 %{CISCO_ASA_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} | |
| # ASA-4-507003 | |
| CISCOASA507003 %{WORD:protocol} flow from %{DATA:src_interface}:%{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{INT:dst_port} %{CISCO_ASA_ACTION:action} by inspection engine, reason - %{DATA:reason}?\. | |
| # ASA-6-602303, ASA-6-602304 | |
| CISCOASA602303_602304 %{WORD:protocol}: An %{CISCO_ASA_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ASA_ACTION:action} | |
| # ASA-6-607001 | |
| CISCOASA607001 Pre-allocate %{GREEDYDATA:protocol} secondary channel for %{DATA:src_interface}:%{IPORHOST:src_ip}(/%{INT:src_port})? to %{DATA:dst_interface}:%{IPORHOST:dst_ip}(/%{INT:dst_port})? from %{DATA:voip_message} message | |
| # ASA-7-609001, ASA-7-609002 | |
| CISCOASA609001_609002 %{CISCO_ASA_ACTION:action} local-host %{DATA:src_interface}:%{IPORHOST:src_ip}(?: duration %{TIME:duration})? | |
| # ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006 | |
| CISCOASA710001_710002_710003_710005_710006_710007 %{WORD:protocol} (?:request|access|keepalive) %{CISCO_ASA_ACTION:action} from %{IPORHOST:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IPORHOST:dst_ip}/%{DATA:dst_port} | |
| # ASA-6-713172 | |
| CISCOASA713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device | |
| # ASA-7-713236 | |
| CISCOASA713236 IP = %{IPORHOST:src_ip}, IKE_DECODE %{CISCO_ASA_ACTION} Message \(msgid=%{DATA:msgid}\) with payloads : %{GREEDYDATA:payload} total length : %{INT:length} | |
| # ASA-5-713257 | |
| CISCOASA713257 Phase %{DATA} failure: Mismatched attribute types for class %{DATA:vpn_class}: Rcv'd: %{DATA:vpn_rcvd} Cfg'd: %{DATA:vpn_cfgd} | |
| # ASA-5-713904 | |
| CISCOASA713904 IP = %{IPORHOST:src_ip}, Received encrypted packet with no matching SA, %{CISCO_ASA_ACTION:action} | |
| # ASA-7-713906 | |
| CISCOASA713906 IKE Receiver: Packet received on %{IPORHOST:dst_ip}:%{INT:dst_port} from %{IPORHOST:src_ip}:%{INT:src_port} | |
| # ASA-7-715046 | |
| CISCOASA715036_715046_715047_715075 Group = %{GREEDYDATA:group},(?: Username = %{DATA:user},)? IP = %{IP:src_ip},%{GREEDYDATA:vpn_action} | |
| # ASA-4-733100 | |
| CISCOASA733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count} | |
| # ASA-6-734001 | |
| CISCOASA734001 DAP: User %{DATA:user}, Addr %{IP:src_ip}, Connection %{DATA:protocol}: The following DAP records were selected for this connection: %{DATA:policy_id} | |
| # ASA-6-737006 | |
| CISCOASA737006 IPAA: Local pool request succeeded for tunnel-group '%{DATA:vpn_group}' | |
| # ASA-6-737016 | |
| CISCOASA737016 IPAA: Freeing local pool address %{IP:src_ip} | |
| # ASA-6-737026 | |
| CISCOASA737026 IPAA: Client assigned %{IP:src_ip} from local pool | |
| # ASA-6-737029 | |
| CISCOASA737029 IPAA: Added %{IP:src_ip} to standby | |
| # ASA-6-737031 | |
| CISCOASA737031 IPAA: Removed %{IP:src_ip} from standby | |
| #== End Cisco ASA == |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment