RSA Admin

UDS Cisco FW Question

Discussion created by RSA Admin Employee on Sep 30, 2009
Latest reply on Jan 10, 2014 by Deepanshu Sood

I am running enVision v4.0 SP 1 Build: 0236.  I enabled auditing on some of the firewall rules on a Cisco Pix device type firewall.  In the raw syslog, the message IDs are 106100.  I've modified the XML for the 106100 message ID and some of the rules parse but others do not.

Modified XML:

<MESSAGE
  level="4"
  parse="1"
  parsedefvalue="1"
  tableid="12"
  id1="106100:01"
  id2="106100"
  eventcategory="1801020000"
  content="&lt;@inout:*DIRCHK(faddr)&gt; access-list &lt;policy_id&gt; { est-allowed | permitted } &lt;protocol&gt; &lt;finterface&gt;/&lt;faddr&gt;(&lt;fport&gt;) -&gt; &lt;linterface&gt;/&lt;laddr&gt;(&lt;lport&gt;) hit-cnt &lt;accountid&gt; ({ first hit | 300-second interval }) [&lt;rule&gt;]&lt;@ntype:1&gt;&lt;@action:permitted&gt; " />

Will parse:

Sep 08 04:06:00 [1.1.1.1] Sep 08 2009 04:05:59 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted tcp Outside/10.10.122.111(6930) -> Inside/10.229.38.160(1414) hit-cnt 1 (first hit) [0x8428f66f, 0x0]

Sep 08 04:11:07 [1.1.1.1] Sep 08 2009 04:11:07 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted tcp Outside/10.10.122.111(6930) -> Inside/10.229.38.160(1414) hit-cnt 1 (300-second interval) [0x8428f66f, 0x0]

Will not parse:

Sep 29 06:00:01 [1.1.1.1] Sep 29 2009 06:00:00 FWhostname : %FWSM-6-106100: access-list Inside_access_in permitted udp Inside/10.139.209.201(32769) -> Outside/192.168.182.72(514) hit-cnt 1 (first hit) [0x52eeac13, 0xd08aed13]
Sep 29 06:00:04 [1.1.1.1] Sep 29 2009 06:00:04 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted udp Outside/10.130.210.12(1050) -> Inside/10.225.74.161(161) hit-cnt 2 (300-second interval) [0xe68f7a3, 0x0]
The attached zip file has the events that will not parse and the XML I am using.  Any advice?
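As an added check that is not the post's XML or enVision's parser, the following Python regular expression uses the field names from the content string above and matches all four quoted syslog lines, which helps confirm that the failing events have the same shape as the working ones. It assumes plain regex matching rather than enVision's own content syntax, and the `denied` action and the PIX/ASA prefixes are added from Cisco's documented 106100 format rather than from the post.

```python
import re
from typing import Optional

# Regex for Cisco PIX/FWSM/ASA message 106100. Field names follow the enVision
# content string quoted in the post; the regex itself is an added illustration,
# not enVision's parser. "denied" is included because Cisco's 106100 format
# allows it, although the post's content string lists only two actions.
MSG_106100 = re.compile(
    r"%(?:FWSM|PIX|ASA)-\d-106100: access-list (?P<policy_id>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<protocol>\S+) "
    r"(?P<finterface>[^/\s]+)/(?P<faddr>[^(\s]+)\((?P<fport>\d+)\) -> "
    r"(?P<linterface>[^/\s]+)/(?P<laddr>[^(\s]+)\((?P<lport>\d+)\) "
    r"hit-cnt (?P<accountid>\d+) \((?P<interval>first hit|300-second interval)\)"
    r"(?: \[(?P<rule>[^\]]+)\])?"
)


def parse_106100(line: str) -> Optional[dict]:
    """Return the parsed fields of a 106100 syslog line, or None if it does not match."""
    m = MSG_106100.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("fport", "lport", "accountid"):
        fields[key] = int(fields[key])
    return fields


# The four lines quoted in the post; the last two are the ones enVision rejects.
SAMPLE_LINES = [
    "Sep 08 04:06:00 [1.1.1.1] Sep 08 2009 04:05:59 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted tcp Outside/10.10.122.111(6930) -> Inside/10.229.38.160(1414) hit-cnt 1 (first hit) [0x8428f66f, 0x0]",
    "Sep 08 04:11:07 [1.1.1.1] Sep 08 2009 04:11:07 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted tcp Outside/10.10.122.111(6930) -> Inside/10.229.38.160(1414) hit-cnt 1 (300-second interval) [0x8428f66f, 0x0]",
    "Sep 29 06:00:01 [1.1.1.1] Sep 29 2009 06:00:00 FWhostname : %FWSM-6-106100: access-list Inside_access_in permitted udp Inside/10.139.209.201(32769) -> Outside/192.168.182.72(514) hit-cnt 1 (first hit) [0x52eeac13, 0xd08aed13]",
    "Sep 29 06:00:04 [1.1.1.1] Sep 29 2009 06:00:04 FWhostname : %FWSM-6-106100: access-list Outside_access_in permitted udp Outside/10.130.210.12(1050) -> Inside/10.225.74.161(161) hit-cnt 2 (300-second interval) [0xe68f7a3, 0x0]",
]


def unparsed(lines) -> list:
    """Return the lines the regex fails on, to compare against what enVision drops."""
    return [line for line in lines if parse_106100(line) is None]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_106100(line))
    print("unparsed:", unparsed(SAMPLE_LINES))
```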
