firewall.arista
Introduction
Tags beginning with firewall.arista
identify events generated by Arista Edge Threat Management.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as firewall.arista
. The third and fourth levels identify the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Arista NG Firewall |
|
|
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
How is the data sent to Devo?
You will need to define a relay rule that can correctly identify the event class and apply the corresponding tag. The events are identified by matching a format defined by a regular expression.
The relay rule will be different if the event is a valid JSON or if some elements need to be removed to get the valid JSON.
Note that this parser only accepts a valid JSON as raw message.
Relay rule if you have a valid JSON
Source port | Customer source port, for example |
---|---|
Source data |
|
Target tag |
|
Target message |
|
Sent without syslog tag | X |
Is prefix | X |
Stop processing | ✓ |
Relay rule if you DON’T have a valid JSON
In this particular example, we have the string uvm[0]:
before the JSON. The event looks something like this:
uvm[0]: {...Json...}
To get a valid JSON, uvm[0]:
must be removed with the following relay rule.
The relay rule must be adapted to each case, not all clients will follow this particular example.
Source port | Customer source port, for example |
---|---|
Source data |
|
Target tag |
|
Sent without syslog tag | X |
Is prefix | X |
Stop processing | ✓ |
Table structure
This is the set displayed by these tables.