Syslog filters for Versa Networks


#1

Hello,

Has anyone worked with syslog output from Versa Networks' SD-WAN products? I'm working on a POC with Versa and would like to see the output from the SD-WAN devices ingested into ES via Logstash.

The following are sample outputs from the Versa SD-WAN products:

Flow Identification Log

2017-11-26T22:42:37+0000 flowIdLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794 , sourceIPv4Address=172.21.1.2, destinationIPv4Address=172.21.2.2, sourcePort=44657, destinationPort=5001, tenantId=1, vsnId=0, applianceId=1, ingressInterfaceName=vni-0/2.0, egressInterfaceName=ptvi-0/43, fromCountry=, toCountry=, protocolIdentifier=6, fromZone=trust, fromUser=unknown, toZone=ptvi, icmpTypeIPv4=0

SDWAN Traffic Monitoring Log

2017-11-26T22:42:38+0000 flowMonLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, vsnId=0, applianceId=1, tenantId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=, appSubFamily=, urlCategory=, rule=catchall, localSiteName=Branch1, fwdEgrSiteName=Branch2, fwdEgrAccCktName=MPLS:MPLS, revIngAccCktName=MPLS, revIngSiteName=, fwdIngSiteName=, fwdIngAccCktName=vni-0/2.0, revEgrSiteName=, revEgrAccCktName=vni-0/2.0

SDWAN SLA Violation Log

2017-11-28T23:12:43+0000 sdwanSlaPathViolLog , applianceName=Site1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, applianceId=1, tenantId=1, vsnId=0, rule=Rule_Http, localSiteName=Site1Branch1, fromRemoteSiteName=, fromLocalAccCktName=, fromRemoteAccCktName=, toRemoteSiteName=Site3Branch1, toLocalAccCktName=ISPA-Network, toRemoteAccCktName=ISPA-Network, forwardingClass=fc_be, fromPriority=P-0, toPriority=SLA Vio, reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "

CGNAT Log

2017-11-26T22:36:31+0000 cgnatLog, applianceName=Site1Branch1, tenantName=Customer1 , observationTimeMilliseconds=2337165310, flowId=33655871, flowCookie=1511734794 , sourceIPv4Address=172.18.101.10, destinationIPv4Address=8.8.8.8, postNATSourceIPv4Address=70.70.5.2, postNATDestinationIPv4Address=8.8.8.8, sourcePort=37190, destinationPort=53, postNAPTsourceTransportPort=45643, postNAPTdestinationTransportPort=53, tenantId=1, vsnId=0, applianceId=0, protocolIdentifier=17, sourceNatPoolName=DIA-Pool-ISPA-Network, destNatPoolName=-, natRuleName=DIA-Rule-Customer1-LAN1-VR-ISPA-Network, natEvent=nat44-sess-create

Firewall Access Log

2017-11-26T22:42:38+0000 accessLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, flowStartMilliseconds=361020099, flowEndMilliseconds=361865221, sentOctets=15000, sentPackets=34, recvdOctets=360, recvdPackets=6, appId=245, eventType=end, tenantId=1, urlCategory=, action=allow, vsnId=0, applianceId=1, appRisk=1, appProductivity=3, appIdStr=iperf, appFamily=networking, appSubFamily=network-management, rule=r1, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, host=

Anti-Virus Log

2017-11-28T22:52:54+0000 avLog, applianceName=Site1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794 , vsnId=0, applianceId=1, tenantId=1, profileName=scan_http, appIdStr=http, fileName="1", fileType=Portable Document File, fileTransDir=download, avMalwareType=AV_DETECTION_TYPE_VIRUS, avMalwareName=W32/ExploreZip.210432, avAccuracy=AV_DETECTION_ACCURACY_LOW, avAction=reject

IDP Log

2017-11-26T22:37:11+0000 idpLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, signatureId=1000000530, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=1, moduleId=12, signaturePriority=2, idpAction=alert, signatureMsg="Microsoft DNS Server Denial of Service", classMsg="Attempted Denial of Service", threatType=attempted-dos, packetTime=11/26/2017-14:37:11.000000, HitCount=1, ipsProfile=Vulnerablity_Profile, ipsProfileRule=Rule1, ipsDirection=ToClient, ipsProtocol=UDP, ipsApplication=dns

URL Filtering Log

2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794 , vsnId=0, applianceId=1, tenantId=1, urlReputation=trustworthy, urlCategory=business_and_economy, httpUrl=apt.puppetlabs.com/dists/trusty/Release.gpg, urlfProfile=url_profile1, urlfAction=ask, urlfActionMessage=

Thanks
TimW
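All of the records above share one layout, an ISO-8601 timestamp, a record type, a comma, then comma-separated key=value pairs, so one parser covers every log family. The following is an added example, not Versa's code or any Logstash configuration from this thread: a small Python parser doing the job a Logstash grok + kv chain would do, with the edge cases the samples actually contain (a stray space before a comma, empty values like fromCountry=, unquoted values with spaces like "SLA Vio", a quoted reason value, and the hour-24 timestamp in the urlfLog sample that any date parser will reject). The sample lines are constructed, trimmed copies of the post's records, and INT_FIELDS is an assumed list of fields worth converting to integers.

```python
import re
from datetime import datetime

# Constructed samples, trimmed from the flowIdLog / sdwanSlaPathViolLog / urlfLog
# lines quoted in the post (field names are Versa's; values are the post's examples).
SAMPLE_LINES = [
    "2017-11-26T22:42:37+0000 flowIdLog, applianceName=Branch1, flowCookie=1511734794 , "
    "sourceIPv4Address=172.21.1.2, destinationPort=5001, fromCountry=, toZone=ptvi, icmpTypeIPv4=0",
    '2017-11-28T23:12:43+0000 sdwanSlaPathViolLog , applianceName=Site1Branch1, toPriority=SLA Vio, '
    'reason="Violating metrics [Current value(Configured Threshold)]: latency-714(250) loss percentage-12.50(5) "',
    "2017-11-26T24:42:38+0000 urlfLog, applianceName=DC1Branch1, urlfAction=ask, urlfActionMessage=",
]

# Prefix: ISO-8601 timestamp, the record type (may carry a stray space), a comma, the k=v body.
PREFIX_RE = re.compile(r"^(\S+)\s+(\w+)\s*,\s*(.*)$")
# One pair: key, '=', then either a double-quoted value or a bare value running to the next comma.
# Bare values may contain spaces ("SLA Vio", "Portable Document File") and may be empty.
PAIR_RE = re.compile(r'\s*([A-Za-z0-9_]+)=(?:"([^"]*)"|([^,]*?))\s*(?:,|$)')
# Assumed set of counters/ids to convert; extend to match the fields you map as numeric in ES.
INT_FIELDS = {"flowId", "flowCookie", "sourcePort", "destinationPort", "sentOctets",
              "sentPackets", "recvdOctets", "recvdPackets", "protocolIdentifier", "icmpTypeIPv4"}

def parse_versa_record(line, drop_empty=True):
    """Parse one Versa syslog line into a flat dict, the way a grok + kv chain would."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a Versa key=value record: %r" % line[:60])
    raw_ts, rec_type, body = m.groups()
    event = {"versa_log_type": rec_type, "raw_timestamp": raw_ts, "tags": []}
    try:
        # %z accepts the '+0000' offset the appliance emits.
        event["@timestamp"] = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%S%z").isoformat()
    except ValueError:
        # The urlfLog sample carries hour 24; keep the raw value and tag the event, as Logstash's
        # date filter does with _dateparsefailure, instead of silently losing the record.
        event["tags"].append("_dateparsefailure")
    for key, quoted, bare in PAIR_RE.findall(body):
        value = quoted if quoted else bare.strip()
        if value == "" and drop_empty:
            continue  # "fromCountry=" would otherwise index "" into an ip/keyword-typed field
        event[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    return event

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_versa_record(sample))
```

Events tagged `_dateparsefailure` should be routed to a dead-letter index or reviewed rather than dropped, since the rest of the record (appliance, tenant, URL, action) is still intact.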

