For example, if you selected “mac” as the match type, type the regular expression to be used as the match
pattern. You could use “mac[ ](.{17})” to search for and match a 17-character MAC address preceded by the
word “mac” plus one space.
6. In the drop-down Set list, select the set type (blacklist or role).
When you select role as the Set type, the system displays a second drop-down list. Click the list to display
the possible choices and select the appropriate role value. Validation on the entered value will be based on
the Set selection.
7. In the drop-down Parser Group list, select one of the configured parser domain names.
Deleting a syslog parser rule
To delete an existing syslog parser rule:
1. Identify the target parser rule in the list shown in the SyslogParserRules view.
2. Click Delete on the same row in the Actions column.
Editing an existing syslog parser rule
To change an existing syslog parser rule:
1. Identify the target parser rule in the list shown in the SyslogParserRules view.
2. Click Edit on the same row in the Actions column. The system displays the attributes for the selected rule.
You cannot modify the rule name when editing a parser rule.
3. Change the other rule attributes as required:
a. Click the Enable checkbox to enable the rule.
b. In the Condition Pattern text box, type the regular expression to be used as the condition pattern.
c. In the drop-down Match list, select the match type (ipaddr, mac, or user).
d. In the Match Pattern text box, type the regular expression to be used as the match pattern.
e. In the drop-down Set list, select the set type (blacklist or role).
f. When you select role as the Set type, the system displays a second drop-down list. Click the list to
display the possible choices and select the appropriate role value. Validation on the entered value will be
based on the Set selection.
g. In the drop-down Parser Group list, select one of the configured parser domain names.
At this point, you can test the rule you just edited by using the Test section of the edit rule view. You can also test
rules outside the add or edit processes by using the rule test in the SyslogParserTest view (accessed from the
External Services page by clicking the SyslogParserTest tab), described in Testing a Parser Rule on page 1056.
4. Click Apply to apply the configuration changes.
Testing a Parser Rule
You can test or validate enabled Syslog Parser rules against a sample syslog message, or against a syslog
message file containing multiple syslog messages. Access the parser rules test from the External Services
page by clicking the SyslogParserTest tab, which displays the SyslogParser Rule Test view.
To test against a sample syslog message:
a. In the drop-down Test Type list, select Syslogmessage as the test source type.
b. In the Message text box, type the syslog message text.
c. Click Test to start the test.
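An offline approximation of this rule test, added here as an example and not taken from the guide or the product: it shows that a loose match pattern such as “mac[ ](.{17})” captures any 17 characters, which matters when the Set type is blacklist. Python's `re` stands in for the device's regular expression engine; the rule semantics (the condition pattern must be found, the first capture group of the match pattern is the extracted value, and the value is checked against the match type), the names `ParserRule`, `valid_for_type` and `evaluate_rule`, and the sample messages are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

@dataclass
class ParserRule:              # hypothetical model of one rule's attributes
    name: str
    condition: str             # Condition Pattern (regex)
    match_type: str            # "ipaddr", "mac" or "user"
    match: str                 # Match Pattern (regex with one capture group)
    set_type: str              # "blacklist" or "role"
    role: Optional[str] = None
    enabled: bool = True

def valid_for_type(match_type: str, value: str) -> bool:
    """Assumed sanity check of the extracted value against the match type."""
    if match_type == "mac":
        return MAC_RE.fullmatch(value) is not None
    if match_type == "ipaddr":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return match_type == "user" and bool(value.strip())

def evaluate_rule(rule: ParserRule, message: str) -> Optional[dict]:
    """Return what the rule would extract and set for message, or None."""
    if not rule.enabled or not re.search(rule.condition, message):
        return None            # disabled rule or condition pattern not found
    m = re.search(rule.match, message)
    if not m or not m.groups():
        return None            # match pattern absent or has no capture group
    value = m.group(1)
    return {"rule": rule.name, "value": value, "set": rule.set_type,
            "role": rule.role, "valid": valid_for_type(rule.match_type, value)}

# Constructed sample rule and syslog messages (not taken from the guide).
RULE = ParserRule("ids-mac", r"Intrusion detected", "mac", r"mac[ ](.{17})", "blacklist")
GOOD = "Jan 10 12:00:01 ids1 Intrusion detected src mac 00:1a:2b:3c:4d:5e port 3"
LOOSE = "Jan 10 12:00:02 ids1 Intrusion detected mac table overflow on port 7"
OTHER = "Jan 10 12:00:03 ids1 Link up mac 00:1a:2b:3c:4d:5e"

if __name__ == "__main__":
    for msg in (GOOD, LOOSE, OTHER):
        print(evaluate_rule(RULE, msg))
```

A result with `valid` set to false on a realistic message is the signal to tighten the match pattern before enabling the rule.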
AOS-W 6.5.3.x | User Guide External Services Interface | 1056