Unification of various forms of variable, for example MAC address

Discussion created by gmucha on Sep 18, 2011
Latest reply on Sep 22, 2011 by RSA Admin

Hi,

I’m facing a problem of various devices logging the same type of variable using different formats - for instance it is possible to find MAC address logged as “3017.c843.e816” (Cisco) or “3017C843E816” (MS DHCP) or “30:17:C8:43:E8:16” or “30-17-C8-43-E8-16”. Having the MAC address appearing in different forms makes it impossible to use the variables in anything that requires comparison (correlation rules) or filtering (reports) of the same value logged by different devices.

Let me give you an example of the following message:

Sep 09 07:07:45 [10.1.2.203] 112562: .Sep 9 07:07:44: PSECURE: Adding 5c26.0a38.2990 as dynamic on port Gi1/0/9 for vlan 124

I tried to write my own message definition, using three separate values fld1, fld2 and fld3 for the three blocks of the above MAC address and then concatenating them together without dots using STRCAT(fld1,fld2,fld3) - but it doesn't work. I found out that the STRCAT function does not work in MESSAGE, only in HEADER, but I still cannot find a way to use it.

Can someone post a working example of using the STRCAT function other than using it to define MessageID (Windows XML), which is not the case here?

Or maybe there is some other method of "normalization" of various forms of MAC address?

Thanks, G.
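The normalization the post asks for, as an added example that is not part of the original thread and not enVision's STRCAT: a standalone Python normalizer that accepts the four MAC formats named above (Cisco dotted, MS DHCP bare, colon- and dash-separated), rewrites them to one canonical form, and groups log lines from different devices by that form. The PSECURE line is the one quoted in the post; the other three sample lines and the `correlate` helper are constructed here for illustration.

```python
import re

# Canonical form chosen for this example: 12 lowercase hex digits, no separators.
# Accepted input forms, from the post: "3017.c843.e816" (Cisco), "3017C843E816"
# (MS DHCP), "30:17:C8:43:E8:16" and "30-17-C8-43-E8-16".
_MAC_FORMS = re.compile(
    r"(?<![0-9A-Fa-f])(?:"
    r"[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"  # Cisco dotted triplets
    r"|(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"           # colon-separated octets
    r"|(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"           # dash-separated octets
    r"|[0-9A-Fa-f]{12}"                                # bare 12 hex digits
    r")(?![0-9A-Fa-f])"                                # not part of a longer hex run
)


def normalize_mac(mac: str) -> str:
    """Return a MAC in any of the four forms as 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def extract_macs(line: str) -> list:
    """Find every MAC in a log line, whatever its format, and normalize it."""
    return [normalize_mac(m.group(0)) for m in _MAC_FORMS.finditer(line)]


# Constructed sample input: the PSECURE line from the post, then three made-up
# lines carrying the same MAC as other devices might log it.
SAMPLE_LINES = [
    "Sep 09 07:07:45 [10.1.2.203] 112562: .Sep 9 07:07:44: PSECURE: Adding "
    "5c26.0a38.2990 as dynamic on port Gi1/0/9 for vlan 124",
    "10,09/09/11,07:07:50,Assign,10.1.2.57,host1,5C260A382990",
    "Sep 09 07:08:01 fw1 arp: 10.1.2.57 is-at 5c:26:0a:38:29:90",
    "2011-09-09 07:08:05 dhcpd: lease 10.1.2.57 to 5C-26-0A-38-29-90",
]


def correlate(lines):
    """Group lines by normalized MAC so events from different devices line up."""
    by_mac = {}
    for line in lines:
        for mac in extract_macs(line):
            by_mac.setdefault(mac, []).append(line)
    return by_mac
```

Once every device's value passes through `normalize_mac`, a correlation rule or report filter can compare a single canonical string instead of four spellings of it.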