In this scenario, several switches (master and local) are defined in the same syslog parser domain to act as
peers. From the standpoint of the ESI servers, there is no accurate way of determining from which switch a
given user came, so the event is flooded out to all switches defined as peers within this ESI parser domain.
The switch holding the user entry acts on the event, while the other switches ignore it.
Syslog Parser Rules
The user creates an ESI rule by using characters and special operators to specify a pattern (regular expression)
that uniquely identifies a certain amount of text within a syslog message. (Regular expression syntax is
described in Understanding Basic Regular Expression (BRE) Syntax on page 1066.) This “condition” defines the
type of message and the ESI domain to which this message pertains. The rule contains three major fields:
- Condition: The pattern that uniquely identifies the syslog message type.
- User: The username identifier. It can be in the form of a name, MAC address, or IP address.
- Action: The action to take when a rule match occurs.
Once a condition match has been made, no further rule-matching will be made. For the rule that matched, only
one action can be defined.
After a condition match has been made, the message is parsed for the user information. This is done by
specifying the target region with the regular expression (REGEX) () block syntax, that is, a capture group.
This syntax generates two blocks: the first block is the entire matched expression; the second block contains
only the value inside the parentheses. For username matching, the focus is on the second block, as it contains
the username.
Condition Pattern Matching
The following description uses the Fortigate virus syslog message format as an example to describe condition
pattern matching. The Fortigate virus syslog message takes the form:
Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4
This message example contains the Fortigate virus log ID number 0100030101 (“log_id=0100030101”), which
can be used as the condition—the pattern that uniquely identifies this syslog message.
The parser expression that matches this condition is either “log_id=0100030101”, a narrow match on the
specific log ID number shown in the message, or “log_id=[0-9]{10}[ ]”, a regular expression that matches any
Fortigate log entry with a ten-digit log ID followed by a space (the “[ ]” block matches a single space character).
User Pattern Matching
To extract the user identifier in the example Fortigate virus message shown above (“src=1.2.3.4”), use the
following expression, “src=(.*)[ ]”, to parse the user information captured between the parentheses. The ()
block specifies where the username will be extracted. Only the first () block will be processed.
More examples:
Given a message wherein the username is a MAC address:
Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected mac 00:aa:bb:cc:dd:00
The expression “mac[ ](.{17})” will match “mac 00:aa:bb:cc:dd:00” in the example message.
Given a message wherein the username is a user name:
Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected user<johndoe>
The expression “user<(.*)>” will match “user<johndoe>” in the example message.
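The rule matching described above (first condition match wins, then the user identifier is taken from the second block of the user pattern), as an added Python example that is not part of the AOS-W parser or this guide. The rule names, the action labels, and the sample messages (with a trailing field appended after src= to supply the space the pattern requires) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class EsiRule:
    """One parser rule: condition regex, user regex (group 1 = identifier), action."""
    name: str
    condition: str
    user: str
    action: str  # placeholder labels, not AOS-W action keywords


# Constructed rule set built from the Fortigate patterns in the text.
RULES = (
    EsiRule("virus-src-ip", r"log_id=0100030101", r"src=(.*)[ ]", "blacklist"),
    # Same condition as the rule above, so it is never reached: first match wins.
    EsiRule("virus-src-mac", r"log_id=0100030101", r"mac[ ](.{17})", "blacklist"),
    EsiRule("any-fortigate", r"log_id=[0-9]{10}[ ]", r"user<(.*)>", "log-only"),
)


def parse_syslog(message: str, rules=RULES) -> Optional[Tuple[str, Optional[str], str]]:
    """Apply the first rule whose condition matches and extract the user from group 1.

    Returns (rule name, user identifier or None, action), or None when no condition
    matches. No further rules are consulted once a condition has matched.
    """
    for rule in rules:
        if re.search(rule.condition, message) is None:
            continue
        m = re.search(rule.user, message)
        # m.group(0) is the whole matched expression (first block);
        # m.group(1) is the text inside the parentheses (second block), the user.
        return rule.name, (m.group(1) if m else None), rule.action
    return None


# Constructed sample messages (a dst= field is appended so "src=(.*)[ ]" has its space).
MSG_IP = "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 dst=10.0.0.5"
MSG_MAC = "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected mac 00:aa:bb:cc:dd:00"
MSG_USR = "Sep 26 18:30:02 log_id=0100030202 type=virus subtype=infected user<johndoe>"

if __name__ == "__main__":
    for msg in (MSG_IP, MSG_MAC, MSG_USR):
        print(parse_syslog(msg))
```

The MAC message hits the first rule (same log ID) and yields no user, which is why each condition must uniquely identify its message type. With several fields after src=, the greedy (.*) captures up to the last space, so a tighter user pattern such as src=([^ ]+) is safer.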
AOS-W 6.5.3.x | User Guide External Services Interface | 1050