firewall.arista
- Juan Tomás Alonso Nieto (Deactivated)
Introduction
Tags beginning with firewall.arista identify events generated by Arista Edge Threat Management.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as firewall.arista. The third and fourth levels identify the type of events sent.
Technology | Brand | Type | Subtype |
|---|---|---|---|
firewall | arista | ng_firewall |
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
firewall.arista.ng_firewall | firewall.arista.ng_firewall |
firewall.arista.ng_firewall.applicationcontrollog | firewall.arista.ng_firewall.applicationcontrollog |
firewall.arista.ng_firewall.capturerule | firewall.arista.ng_firewall.capturerule |
firewall.arista.ng_firewall.devicetable | firewall.arista.ng_firewall.devicetable |
firewall.arista.ng_firewall.firewall | firewall.arista.ng_firewall.firewall |
firewall.arista.ng_firewall.hosttable | firewall.arista.ng_firewall.hosttable |
firewall.arista.ng_firewall.httprequest | firewall.arista.ng_firewall.httprequest |
firewall.arista.ng_firewall.httpresponse | firewall.arista.ng_firewall.httpresponse |
firewall.arista.ng_firewall.interfacestat | firewall.arista.ng_firewall.interfacestat |
firewall.arista.ng_firewall.intrusionpreventionlog | firewall.arista.ng_firewall.intrusionpreventionlog |
firewall.arista.ng_firewall.session | firewall.arista.ng_firewall.session |
firewall.arista.ng_firewall.sessionminute | firewall.arista.ng_firewall.sessionminute |
firewall.arista.ng_firewall.sessionnat | firewall.arista.ng_firewall.sessionnat |
firewall.arista.ng_firewall.sessionstats | firewall.arista.ng_firewall.sessionstats |
firewall.arista.ng_firewall.systemstat | firewall.arista.ng_firewall.systemstat |
firewall.arista.ng_firewall.threatprevention | firewall.arista.ng_firewall.threatprevention |
firewall.arista.ng_firewall.threatpreventionhttp | firewall.arista.ng_firewall.threatpreventionhttp |
firewall.arista.ng_firewall.tunnelstatus | firewall.arista.ng_firewall.tunnelstatus |
firewall.arista.ng_firewall.virushttp | firewall.arista.ng_firewall.virushttp |
firewall.arista.ng_firewall.wanfailovertest | firewall.arista.ng_firewall.wanfailovertest |
firewall.arista.ng_firewall.webfilter | firewall.arista.ng_firewall.webfilter |
How is the data sent to Devo?
You will need to define a relay rule that can correctly identify the event class and apply the corresponding tag. The events are identified by matching a format defined by a regular expression.
The relay rule will be different if the event is a valid JSON or if some elements need to be removed to get the valid JSON.
Note that this parser only accepts a valid JSON as raw message.
Relay rule if you have a valid JSON
Source port | Customer source port, for example |
|---|---|
Source data |
|
Target tag |
|
Target message |
|
Sent without syslog tag | X |
Is prefix | X |
Stop processing | ✓ |
Relay rule if you DON’T have a valid JSON
In this particular example, we have the string uvm[0]: before the JSON. The event looks something like this:
uvm[0]: {...Json...}To get a valid JSON, uvm[0]: must be removed with the following relay rule.
The relay rule must be adapted to each case, not all clients will follow this particular example.
Source port | Customer source port, for example |
|---|---|
Source data |
|
Target tag |
|
Sent without syslog tag | X |
Is prefix | X |
Stop processing | ✓ |
Table structure
This is the set displayed by these tables.