Duration time from Cisco ASA
I have a Cisco ASA and a raw event like:
%ASA-4-113019: Group = XXX, Username = user, IP = 220.127.116.11, Session disconnected. Session Type: IKEv1, Duration: 3h:01m:44s, Bytes xmt: 26082098, Bytes rcv: 13031692, Reason: User Requested
When this event was parsed, I got the meta key duration.time = '10904.0'
When I create a report, I wish to see the duration in the report as 3h:01m:44s. How can I do it?
Looking at the Ciscoasa parser, the duration is going into the "duration" metakey.
In table-map.xml this is a Float64, so I think there is some conversion going on here.
<mapping envisionName="duration" nwName="duration.time" flags="None" format="Float64" failureKey="duration.str"/>
However, the failure key here is duration.str, so if it can't be converted then it should go into duration.str.
Let me do some more digging....
In the ASA parser, duration is normalized from the raw format down to seconds and the value is stored in a Float64. This will allow you to do comparisons such as > and <. We could write this into the duration.str meta key instead, but then you would not be able to do numerical comparisons on the metakey.
What I recommend is that I will write a LUA parser to write into the duration.str string so that the duration.str contains the time you want.
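The conversion discussed above, sketched in plain Lua as an added example; it is not the parser posted in this thread and not RSA code, and it makes no NetWitness API calls. The function names are hypothetical, and the optional "Nd " day prefix is an assumption that does not appear in the sample event.

```lua
-- Added example: pure Lua helpers; function names are hypothetical.

-- Pull the Duration field out of a raw %ASA-4-113019 message.
local function extract_duration(msg)
  return msg:match("Duration:%s*([^,]+),")
end

-- Normalize "3h:01m:44s" to seconds, as the ASA parser does for duration.time.
-- Assumption: sessions over a day may carry a leading "Nd " (not on the page).
local function asa_duration_to_seconds(raw)
  local d, h, m, s = raw:match("^(%d+)d%s+(%d+)h:(%d+)m:(%d+)s$")
  if not d then
    d = "0"
    h, m, s = raw:match("^(%d+)h:(%d+)m:(%d+)s$")
  end
  if not h then return nil end
  m, s = tonumber(m), tonumber(s)
  if m > 59 or s > 59 then return nil end
  return tonumber(d) * 86400 + tonumber(h) * 3600 + m * 60 + s
end

-- Render a duration.time value (a Float64 such as "10904.0") for duration.str.
-- Returns nil for non-numeric, negative, NaN or infinite input so the caller
-- can leave duration.str unset instead of writing a misleading string.
local function seconds_to_display(value)
  local n = tonumber(value)
  if not n or n ~= n or n < 0 or n == math.huge then return nil end
  local total = math.floor(n)
  local h = math.floor(total / 3600)
  local m = math.floor((total % 3600) / 60)
  local s = total % 60
  return string.format("%dh:%02dm:%02ds", h, m, s)
end

-- Sample event copied from the question above.
local event = "%ASA-4-113019: Group = XXX, Username = user, IP = 220.127.116.11, "
  .. "Session disconnected. Session Type: IKEv1, Duration: 3h:01m:44s, "
  .. "Bytes xmt: 26082098, Bytes rcv: 13031692, Reason: User Requested"

local secs = asa_duration_to_seconds(extract_duration(event))
assert(secs == 10904)                                   -- numeric key for > and <
assert(seconds_to_display("10904.0") == "3h:01m:44s")   -- string key for reports
assert(seconds_to_display("n/a") == nil and seconds_to_display("-5") == nil)
print(secs, seconds_to_display(secs))
```

Keeping the numeric value in duration.time and the rendered string in duration.str preserves both uses described in the thread: comparisons on the number and readable output in reports.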
Nice to hear from you again. I guess a LUA parser is the best solution for this case. It gives us the ability to do comparisons and a human-readable format of datetime for reports.
Thank you David, your parser is great as usual! I confirm all works correctly!
I hope your holiday was great and you are full of power for new useful parsers. 🙂
PS: I am going on holiday next week. 🙂