[Dshield] Question about the cisco log parser

Wayne Larmon wlarmon at dshield.org
Sat Jul 20 03:01:57 GMT 2002


> Hi,
>
> I've recently added a PIX 10k to our boundary and I was wondering, if I
> configure syslog so that both the PIX and my cisco routers log to the same
> file, can the cisco.pl script parse the combined file without barfing?

It *should.*  When I was last working on the Cisco parser, several months
ago, I consolidated all our existing Cisco parsers into one cisco.pl parser.
There is a series of regexes that tries to match all the variations of Cisco
sample logs that we have collected.

So, try cisco.tar.gz from the Framework page
(http://www.dshield.org/framework.html).  Let me know if it doesn't work for
you.  Preferably by sending me sample log lines for the lines that don't
convert.

Wayne Larmon
wlarmon at dshield.org
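
An added example, not part of the original message and not code from cisco.pl: a sketch of the "series of regexes" approach applied to a combined PIX and router syslog file, collecting the lines that fail to convert so they can be sent in as samples. The two patterns, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed message shapes (not taken from cisco.pl): a PIX access-group deny
# and an IOS access-list deny, matched after whatever syslog header precedes.
PIX_DENY = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src [^:\s]+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
IOS_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)")

# Patterns are tried in order; the first match wins.
PATTERNS = [("pix", PIX_DENY), ("ios", IOS_DENY)]

def parse_combined(lines):
    """Return (records, unmatched) for a mixed PIX/IOS log."""
    records, unmatched = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue  # skip blank lines silently
        for device, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                rec = m.groupdict()
                rec["device"] = device
                rec["sport"] = int(rec["sport"])
                rec["dport"] = int(rec["dport"])
                records.append(rec)
                break
        else:
            # No pattern matched: keep the raw line for a bug report.
            unmatched.append(line)
    return records, unmatched

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    'Jul 19 22:14:03 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4312 '
    'dst inside:192.0.2.10/80 by access-group "outside_in"',
    "Jul 19 22:14:05 rtr1 1042: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "198.51.100.23(1027) -> 192.0.2.10(137), 1 packet",
    "Jul 19 22:14:09 rtr1 1043: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    recs, misses = parse_combined(SAMPLE_LOG)
    print(len(recs), "converted;", len(misses), "unmatched")
```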