
"generic-pix" events vs Cisco RV320 integrated router/firewall

jabawokjayuk

Entry Level
None of the default plugins will pick up the log format of the RV320 so I have junk events that look like this: 

Data Source ID: 1514
Event Type ID:  20000000000
Source Address: 0.0.0.0
Destination Addr: 0.0.0.0
Source Port: 0
Dest Port: 0

Detail:

[ Unknown plugin sid: 999999 ] Sep 24 09:22:07 ###.###.###.### kernel: #warn<4> Connection Refused - Policy violation: IN=eth0 OUT=ppp1 SRC=###.###.###.### DST=###.###.###.### DMAC=##:##:##:##:##:## SMAC=##:##:##:##:##:## LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=11583 DF PROTO=TCP SPT=38267 DPT=54840 WINDOW=257 RES=0x00 ACK FIN URGP=0

I think I just need to modify the regexp for the cisco-pix.cfg rule file, but I have no idea what the format/syntax should be for my target log format.

Any chance of some help?
Is there a standard regexp structure key?

Thanks!
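As an added example (not from the original post or from any plugin shipped with the product), here is a Python parser for the RV320 kernel log format shown above, written with named groups in the same style the OSSIM agent's Python-based plugin .cfg files use for their `regexp` lines; the sample line is constructed with documentation addresses, and the field names are my own choices, not the plugin framework's.

```python
import re

# Constructed sample modelled on the line in the post; addresses are RFC 5737 placeholders.
SAMPLE = ("Sep 24 09:22:07 192.0.2.1 kernel: #warn<4> Connection Refused - Policy violation: "
          "IN=eth0 OUT=ppp1 SRC=198.51.100.7 DST=203.0.113.9 DMAC=00:11:22:33:44:55 "
          "SMAC=66:77:88:99:aa:bb LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=11583 DF PROTO=TCP "
          "SPT=38267 DPT=54840 WINDOW=257 RES=0x00 ACK FIN URGP=0")

# Header: syslog timestamp, reporting host, "kernel:", "#warn<N>", free-text reason, then
# the iptables-style KEY=VALUE block. Named groups carry over to a plugin regexp unchanged.
RV320_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+)\s+kernel:\s+#warn<(?P<level>\d+)>\s+"
    r"(?P<message>[^:]+):\s+"
    r"(?P<fields>.*)$"
)

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_rv320(line):
    """Return a dict of normalised fields for an RV320 kernel line, or None if it does not match."""
    m = RV320_RE.match(line)
    if not m:
        return None
    kv, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:                      # KEY=VALUE tokens (SRC, DST, PROTO, SPT, ...)
            k, v = tok.split("=", 1)
            kv[k] = v
        else:                               # bare tokens such as DF, ACK, FIN
            flags.append(tok)
    return {
        "date": m.group("date"),
        "device": m.group("device"),
        "level": int(m.group("level")),
        "message": m.group("message").strip(),
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "proto": kv.get("PROTO"),
        # ICMP lines carry no ports, so these stay None rather than raising.
        "src_port": int(kv["SPT"]) if "SPT" in kv else None,
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
        "tcp_flags": [f for f in flags if f in TCP_FLAGS],
        "raw": kv,
    }

if __name__ == "__main__":
    print(parse_rv320(SAMPLE))
```

Lines that do not match (for example a non-kernel syslog entry) return None, which is the point at which a plugin would otherwise fall through to the generic "unknown sid" event seen in the post.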