firewall.arista

Introduction

Tags beginning with firewall.arista identify events generated by Arista Edge Threat Management.

Valid tags and data tables

The full tag must have at least 3 levels. The first two are fixed as firewall.arista. The third level, and the optional fourth level, identify the type of event sent.

Technology: firewall
Brand: arista
Type: ng_firewall
Subtype (optional, one of the following):

  • applicationcontrollog
  • captivevportaluser
  • capturerule
  • devicetable
  • firewall
  • hosttable
  • httprequest
  • httpresponse
  • interfacestat
  • intrusionpreventionlog
  • session
  • sessionminute
  • sessionnat
  • sessionstats
  • systemstat
  • threatprevention
  • threatpreventionhttp
  • tunnelstatus
  • virushttp
  • wanfailovertest
  • webfilter

These are the valid tags and the corresponding data tables that receive the parsers' data:

Tag                                                 Data table
firewall.arista.ng_firewall                         firewall.arista.ng_firewall
firewall.arista.ng_firewall.applicationcontrollog   firewall.arista.ng_firewall.applicationcontrollog
firewall.arista.ng_firewall.capturerule             firewall.arista.ng_firewall.capturerule
firewall.arista.ng_firewall.devicetable             firewall.arista.ng_firewall.devicetable
firewall.arista.ng_firewall.firewall                firewall.arista.ng_firewall.firewall
firewall.arista.ng_firewall.hosttable               firewall.arista.ng_firewall.hosttable
firewall.arista.ng_firewall.httprequest             firewall.arista.ng_firewall.httprequest
firewall.arista.ng_firewall.httpresponse            firewall.arista.ng_firewall.httpresponse
firewall.arista.ng_firewall.interfacestat           firewall.arista.ng_firewall.interfacestat
firewall.arista.ng_firewall.intrusionpreventionlog  firewall.arista.ng_firewall.intrusionpreventionlog
firewall.arista.ng_firewall.session                 firewall.arista.ng_firewall.session
firewall.arista.ng_firewall.sessionminute           firewall.arista.ng_firewall.sessionminute
firewall.arista.ng_firewall.sessionnat              firewall.arista.ng_firewall.sessionnat
firewall.arista.ng_firewall.sessionstats            firewall.arista.ng_firewall.sessionstats
firewall.arista.ng_firewall.systemstat              firewall.arista.ng_firewall.systemstat
firewall.arista.ng_firewall.threatprevention        firewall.arista.ng_firewall.threatprevention
firewall.arista.ng_firewall.threatpreventionhttp    firewall.arista.ng_firewall.threatpreventionhttp
firewall.arista.ng_firewall.tunnelstatus            firewall.arista.ng_firewall.tunnelstatus
firewall.arista.ng_firewall.virushttp               firewall.arista.ng_firewall.virushttp
firewall.arista.ng_firewall.wanfailovertest         firewall.arista.ng_firewall.wanfailovertest
firewall.arista.ng_firewall.webfilter               firewall.arista.ng_firewall.webfilter

How is the data sent to Devo?

You will need to define a relay rule that can correctly identify the event class and apply the corresponding tag. The events are identified by matching a format defined by a regular expression.

The relay rule differs depending on whether the event is already valid JSON or whether some elements must first be removed to obtain valid JSON.

Note that this parser only accepts valid JSON as the raw message.

Relay rule if you have a valid JSON

Source port              Customer source port, for example 13007
Source data              (class\":.?)([A-Z].?)(Event)
Target tag               firewall.arista.ng_firewall.\\d2
Target message           \\d2\\d3\\d4
Sent without syslog tag  X
Is prefix                X
Stop processing

Relay rule if you DON’T have a valid JSON

In this particular example, we have the string uvm[0]: before the JSON. The event looks something like this:

uvm[0]: {...Json...}

To obtain valid JSON, uvm[0]: must be removed with the following relay rule.

The relay rule must be adapted to each case; not all clients will follow this particular example.

Source port              Customer source port, for example 13007
Source data              (uvm\[.*\]: )(.*class\":.*?)([A-Z].*?)(Event.*)
Target tag               firewall.arista.ng_firewall.\\d3
Sent without syslog tag  X
Is prefix                X
Stop processing
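As an added illustration (not part of this page and not Devo relay code), the following Python mirrors the second relay rule: it applies the page's regular expression to constructed sample events, derives the fourth tag level from group 3, drops the uvm[0]: prefix, and then checks that what would be forwarded is valid JSON carrying one of the documented subtypes. The sample events and the lowercasing of the captured class name are assumptions.

```python
import json
import re

# Regex copied from the second relay rule above. Groups: 1 = the uvm[...]: prefix,
# 2 = everything up to the class name, 3 = the class name without its "Event"
# suffix, 4 = the remainder of the message.
RULE_WITH_PREFIX = re.compile(r'(uvm\[.*\]: )(.*class\":.*?)([A-Z].*?)(Event.*)')

# Subtypes listed on this page; a derived tag must end in one of them.
VALID_SUBTYPES = {
    "applicationcontrollog", "captivevportaluser", "capturerule", "devicetable",
    "firewall", "hosttable", "httprequest", "httpresponse", "interfacestat",
    "intrusionpreventionlog", "session", "sessionminute", "sessionnat",
    "sessionstats", "systemstat", "threatprevention", "threatpreventionhttp",
    "tunnelstatus", "virushttp", "wanfailovertest", "webfilter",
}

def apply_relay_rule(raw):
    """Return (target_tag, target_message) or None when the rule does not match.
    Tag level 4 is group 3 (\\d3); group 1, the prefix, is dropped so that only
    the JSON is forwarded. Lowercasing the class name is an assumption made here
    because the tag table on this page lists every subtype in lowercase."""
    m = RULE_WITH_PREFIX.match(raw)
    if not m:
        return None
    _prefix, head, class_name, tail = m.groups()
    return "firewall.arista.ng_firewall." + class_name.lower(), head + class_name + tail

def is_routable(raw):
    """True when the rule matches, the forwarded message is valid JSON (the parser
    accepts nothing else) and the tag is one of the documented ones."""
    result = apply_relay_rule(raw)
    if result is None:
        return False
    tag, message = result
    try:
        json.loads(message)
    except ValueError:
        return False
    return tag.rsplit(".", 1)[1] in VALID_SUBTYPES

# Constructed sample events; they are not real Arista output.
SAMPLES = [
    'uvm[0]: {"class":"SessionEvent","sessionId":42,"protocol":6}',
    'uvm[0]: {"class":"class some.pkg.WebFilterEvent","blocked":true}',  # lowercase qualifier skipped by [A-Z]
    'uvm[0]: {"class":"SessionEvent","sessionId":42',  # truncated JSON: matches, but not routable
    '{"class":"SessionEvent","sessionId":42}',          # no prefix: this rule does not apply
]
for sample in SAMPLES:
    print(is_routable(sample), apply_relay_rule(sample))
```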

Table structure

This is the set displayed by these tables.