New Contributor

Delimiting in Syslog Export Filters

I did a quick (but not thorough) search before creating the topic. If this has already been discussed, I apologize.

 

Is there any way to change the actual formatting of the syslog events generated by the export filters? I've been experimenting with the various filter types, and the logs generated by the 'session' template don't appear to be well delimited.

 

In the example below you can see that the various attributes are comma-delimited. However, the multi-valued attributes (like roles and enforcement-profiles) use commas within the attribute to separate values. This makes the logs really frustrating to parse, and I'd like to change the delimiting if possible.

 

2017-10-11T17:43:12-04:00 cppm.vt.edu 2017-10-11 17:43:12,396 192.0.2.0 session_logs_example 2 1 0 Common.Username=johndoe@vt.edu,Common.Service=MAC - Aruba,Common.Roles=nonsponsored_guest, [User Authenticated],Common.Enforcement-Profiles=[Allow Access Profile], update_nonsponsored_guest, update_from_endpoint,Common.Host-MAC-Address=b853ac61f40e,Common.NAS-IP-Address=192.0.1.0,Common.Request-Timestamp=2017-10-11 17:42:59-04,Common.Login-Status=ACCEPT
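As an added example (not code from the thread or from the ClearPass product), the following parser shows one way to cope with the 'session' template line quoted above without changing the export filter: it splits on commas but treats any token that does not start with a `Namespace.Attribute=` prefix as a continuation of the previous attribute's value list. The key pattern is an assumption based on the `Common.*` names in the sample; the meaning of the numeric header columns is not stated in the thread, so they are kept as raw tokens. The sample line is the one from the post, embedded as constructed input.

```python
import re
from typing import Dict, List

# Constructed sample: the 'session' template line quoted in the post above.
SAMPLE_LINE = (
    "2017-10-11T17:43:12-04:00 cppm.vt.edu 2017-10-11 17:43:12,396 192.0.2.0 "
    "session_logs_example 2 1 0 Common.Username=johndoe@vt.edu,Common.Service=MAC - Aruba,"
    "Common.Roles=nonsponsored_guest, [User Authenticated],Common.Enforcement-Profiles="
    "[Allow Access Profile], update_nonsponsored_guest, update_from_endpoint,"
    "Common.Host-MAC-Address=b853ac61f40e,Common.NAS-IP-Address=192.0.1.0,"
    "Common.Request-Timestamp=2017-10-11 17:42:59-04,Common.Login-Status=ACCEPT"
)

# Assumption: attribute names are namespace-qualified (e.g. Common.Roles) and are
# immediately followed by '='. A comma-separated token that does not look like this
# is treated as another value of the attribute that precedes it.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*\.[A-Za-z0-9_.-]+)=(.*)$")
FIRST_KEY_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9_-]*\.[A-Za-z0-9_.-]+=")


def split_attributes(attr_text: str) -> Dict[str, List[str]]:
    """Split the 'Key=value,Key=v1, v2,...' tail into a key -> list-of-values map."""
    attrs: Dict[str, List[str]] = {}
    current = None
    for token in attr_text.split(","):
        match = KEY_RE.match(token)
        if match:
            current = match.group(1)
            attrs[current] = [match.group(2).strip()]
        elif current is not None:
            # No key prefix: this is a further value of a multi-valued attribute
            # (roles, enforcement profiles) that the template separated with a comma.
            attrs[current].append(token.strip())
        else:
            raise ValueError(f"attribute text does not start with a key: {token!r}")
    return attrs


def parse_session_line(line: str) -> Dict[str, object]:
    """Split a session-template syslog line into header tokens and parsed attributes."""
    match = FIRST_KEY_RE.search(line)
    if not match:
        raise ValueError("no Namespace.Attribute= section found in line")
    header = line[: match.start()].split()  # timestamp, host, local time, ... (raw)
    return {"header": header, "attributes": split_attributes(line[match.start():])}


def reserialize(attrs: Dict[str, List[str]], field_sep: str = "|", value_sep: str = ";") -> str:
    """Re-emit the attributes with unambiguous delimiters for downstream tooling."""
    return field_sep.join(f"{k}={value_sep.join(v)}" for k, v in attrs.items())


if __name__ == "__main__":
    parsed = parse_session_line(SAMPLE_LINE)
    for key, values in parsed["attributes"].items():
        print(f"{key}: {values}")
    print(reserialize(parsed["attributes"]))
```

The caveat with this approach is that it is a heuristic: a role or profile whose name happens to contain a `Something.Else=` substring would be misread as a new attribute, so a template with unambiguous delimiting (for instance a key/value format that quotes its values) remains the robust fix if one is available.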

Guru Elite

Re: Delimiting in Syslog Export Filters

No, but you can try using CEF or LEEF formatted messages to see if that works better for you.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Delimiting in Syslog Export Filters

I opted to try the 'Insight' templates instead, which appear to be better delimited. If this doesn't work out for us, I'll explore the CEF/LEEF options.

 

Thanks for the assistance
