Unification of various forms of variable for exampla MAC address
I’m facing a problem of various devices logging the same type of variable using different formats - for instance it is possible to find MAC address logged as “3017.c843.e816” (Cisco) or “3017C843E816” (MS DHCP) or “30:17:C8:43:E8:16” or “30-17-C8-43-E8-16”. Having the MAC address appearing in different forms makes it impossible to use the variables in anything that requires comparison (correlation rules) or filtering (reports) of the same value logged by different devices.
Let me give you an example of the following message:
Sep 09 07:07:45 [10.1.2.203] 112562: .Sep 9 07:07:44: PSECURE: Adding 5c26.0a38.2990 as dynamic on port Gi1/0/9 for vlan 124
I tried to write my own message definition, using three separate values fld1, fld2 and fld3 for three blocks of above MAC address and then concatenate them together without dots using STRCAT(fld1,fld2,fld3) - but it doesn't work. I found out that STRCAT function does not work in MESSAGE, only in HEADER, but still cannot find a way to use it.
Can someone post a working example of using STRCAT function other then using it to define MessageID (Windows XML), which is not a case here?
Or maybe there is some other method of "normalization" of various forms of MAC address?
What you do do here is to use a Watchlist of the MAC addresses that you want to compare and then make it regex. You can use this regex expression to match the different formats:
the smiley icon should be a colon followed by a pipe character...don't know how to turn that off.
So, this will match:
We can also put in a request to have a function that would convert them all to one format, but I that will probably take some time to implement.
Hope this helps,