I am running enVision v4.0 SP 1 Build: 0236. I enabled auditing on some of the firewall rules on a Cisco Pix device type firewall. In the raw syslog, the message IDs are 106100. I've modified the XML for the 106100 message ID and some of the rules parse but others do not.
Modified XML:
<MESSAGE
level="4"
parse="1"
parsedefvalue="1"
tableid="12"
id1="106100:01"
id2="106100"
eventcategory="1801020000"
content="<@inout:*DIRCHK(faddr)> access-list <policy_id> { est-allowed | permitted } <protocol> <finterface>/<faddr>(<fport>
-> <linterface>/<laddr>(<lport> hit-cnt <accountid> ({ first hit | 300-second interval }) [<rule>]<@ntype:1><@action
ermitted> " />
Will parse:
Sep 08 04:06:00 [1.1.1.1] Sep 08 2009 04:05:59 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted tcp Outside/10.10.122.111(6930) -> Inside/10.229.38.160(1414) hit-cnt 1 (first hit) [0x8428f66f, 0x0]
Sep 08 04:11:07 [1.1.1.1] Sep 08 2009 04:11:07 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted tcp Outside/10.10.122.111(6930) -> Inside/10.229.38.160(1414) hit-cnt 1 (300-second interval) [0x8428f66f, 0x0]
Will not parse:
Sep 29 06:00:01 [1.1.1.1] Sep 29 2009 06:00:00 FWhostname : %FWSM-6-106100: access-list Inside_access_in permitted udp Inside/10.139.209.201(32769) -> Outside/192.168.182.72(514) hit-cnt 1 (first hit) [0x52eeac13, 0xd08aed13]
Sep 29 06:00:04 [1.1.1.1] Sep 29 2009 06:00:04 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted udp Outside/10.130.210.12(1050) -> Inside/10.225.74.161(161) hit-cnt 2 (300-second interval) [0xe68f7a3, 0x0]
The attached zip file has the events that will not parse and the XML I am using. Any advice?
