firewall.arista
- Juan Tomás Alonso Nieto (Deactivated)
Introduction
Tags beginning with firewall.arista identify events generated by Arista Edge Threat Management.
Valid tags and data tables
The full tag must have at least 3 levels. The first two are fixed as firewall.arista. The third and fourth levels identify the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
Arista NG Firewall |
|
|
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
How is the data sent to Devo?
You will need to define a relay rule that can correctly identify the event class and apply the corresponding tag. The events are identified by matching a format defined by a regular expression.
The relay rule will be different if the event is a valid JSON or if some elements need to be removed to get the valid JSON.
Note that this parser only accepts a valid JSON as raw message.
Relay rule if you have a valid JSON
Source port | Customer source port, for example |
|---|---|
Source data |
|
Target tag |
|
Target message |
|
Sent without syslog tag | X |
Is prefix | X |
Stop processing | ✓ |
Relay rule if you DON’T have a valid JSON
In this particular example, we have the string uvm[0]: before the JSON. The event looks something like this:
uvm[0]: {...Json...}To get a valid JSON, uvm[0]: must be removed with the following relay rule.
The relay rule must be adapted to each case, not all clients will follow this particular example.
Source port | Customer source port, for example |
|---|---|
Source data |
|
Target tag |
|
Sent without syslog tag | X |
Is prefix | X |
Stop processing | ✓ |
Table structure
This is the set displayed by these tables.