Channel: VMware Communities: Message List

Modify Cisco ASA Content Pack to support emblem log format


Greetings:

We are processing Cisco ASA firewall logs with Log Insight 3.0, and we've learned that Cisco ASA can be configured with two log formats:

(1) Default: The severity class field looks like '%ASA-6-123456'

(2) EMBLEM: The severity class field looks like '%ASA-session-6-123456', where the 'session' string indicates that the source component is session.

However, using the current Cisco ASA Content Pack, it only displays the Default log format, even though the syslog source of the ASA firewall sends out the EMBLEM format. We hope the content pack can correctly display and process EMBLEM-format log entries instead of only the Default format.

 

We deep-dived into the Cisco ASA Content Pack, looked into the Extracted Fields, and found that the regex of 'cisco_asa_severity' is '%ASA\-\d\-\d{6}\:', which explains the behavior.

We wish to modify the content pack and add one entry like 'cisco_asa_severity_emblem' as '%ASA\-\S\-\d\-\d${6}\:' in order to correctly display/process EMBLEM log entries; however, we have no idea how to modify the content pack and add the items we expect. Can anyone kindly advise how we can do it? Thanks in advance.

The following is an example of a real EMBLEM log entry:

<134>:Nov 11 10:49:10 HKST: %ASA-session-6-302014: Teardown TCP connection 1452659824 for outside:10.121.10.81/55149 to Server40:10.20.40.222/8080 duration 0:00:00 bytes 741 TCP FINs


---- Jason Tang
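The two header styles described in the post differ only by an optional component token between "%ASA-" and the severity digit, so one regex with an optional group can extract severity and message ID from both Default and EMBLEM lines. The following is an added example, not part of the post above and not the content pack's own extraction logic; the sample lines are constructed for illustration (the second one is the EMBLEM line quoted in the post, the Default-format line and the deny event are made up), and the function names are this example's own. It also decodes the syslog PRI value and checks that the severity carried in the ASA header agrees with the PRI severity, which is a cheap sanity check when a collector keys alerts on one of the two.

```python
import re
from typing import List, Optional

# Constructed sample input (not captured from a real firewall).
# Line 1: Default format. Line 2: the EMBLEM line quoted in the post.
# Line 3: a constructed EMBLEM-format deny event.
SAMPLE_LINES = [
    "<134>Nov 11 10:49:10 fw01 %ASA-6-302014: Teardown TCP connection 1452659824 "
    "for outside:10.121.10.81/55149 to Server40:10.20.40.222/8080 duration 0:00:00 bytes 741 TCP FINs",
    "<134>:Nov 11 10:49:10 HKST: %ASA-session-6-302014: Teardown TCP connection 1452659824 "
    "for outside:10.121.10.81/55149 to Server40:10.20.40.222/8080 duration 0:00:00 bytes 741 TCP FINs",
    "<132>:Nov 11 10:50:02 HKST: %ASA-session-4-106023: Deny tcp src outside:203.0.113.5/4444 "
    "dst inside:10.20.40.10/22 by access-group \"outside_in\"",
]

# One pattern for both header styles:
#   Default: %ASA-6-302014:
#   EMBLEM:  %ASA-session-6-302014:
# The component group is optional, so a single extracted field covers both formats
# instead of needing a separate 'emblem' field.
ASA_HEADER = re.compile(
    r"%ASA-(?:(?P<component>[A-Za-z]+)-)?(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<message>.*)$"
)

# Syslog PRI at the start of the line, e.g. "<134>".
PRI = re.compile(r"^<(?P<pri>\d{1,3})>")


def parse_asa_line(line: str) -> Optional[dict]:
    """Return a dict describing the ASA header, or None if the line has no ASA header."""
    m = ASA_HEADER.search(line)
    if not m:
        return None

    severity = int(m.group("severity"))
    component = m.group("component")

    pri_match = PRI.match(line)
    pri = int(pri_match.group("pri")) if pri_match else None
    # PRI = facility * 8 + severity (RFC 3164 / RFC 5424 encoding).
    facility = pri >> 3 if pri is not None else None
    pri_severity = pri & 7 if pri is not None else None

    return {
        "format": "emblem" if component else "default",
        "component": component,
        "severity": severity,
        "msgid": m.group("msgid"),
        "message": m.group("message"),
        "syslog_facility": facility,
        "syslog_severity": pri_severity,
        # The ASA header carries its own severity copy; flag disagreement with PRI.
        "severity_consistent": (pri_severity == severity) if pri is not None else None,
    }


def parse_many(lines: List[str]) -> List[dict]:
    """Parse every line that carries an ASA header, skipping the rest."""
    return [rec for rec in (parse_asa_line(line) for line in lines) if rec is not None]


if __name__ == "__main__":
    for rec in parse_many(SAMPLE_LINES):
        print(rec["format"], rec["component"], rec["severity"], rec["msgid"],
              rec["severity_consistent"], rec["message"][:40])
```

Using an optional component group means the field keeps working when the device is switched between Default and EMBLEM logging, and the captured component ("session" in the post's example) becomes a separate value that can be filtered on rather than being folded into the severity string.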