Cisco ACE parser.

FREDRIK HABORN
Level 1

Is there anyone who has a custom parser for Cisco ACE?

Can't understand why it isn't included by default as supported device in Cisco MARS.

4 Replies

mbeaver
Level 1

I can say why.

I requested something for Cisco ACS 5.1, something that would, one would hope, be included in their Security monitoring suite of supported apps.

They submitted a bug about not having it, and it was literally closed due to being able to "add a custom parser", so in short Cisco is telling its customers to go pound sand and do it yourself; we're too lazy to support our products' inter-operability.

I've now got to go and create one for it with the piss-poor documentation they have for it and the logs for ACS 5.1

Good luck getting help with your ACE. We were planning on moving to those as well in the coming months, but this will definitely have an effect on that decision.

FREDRIK HABORN
Level 1

Hi.

I'm trying to make a custom parser for ACE logs.

And it works fine except for denied ICMP traffic. The problem is that the event-id is the same in ACE (%ACE-4-106023).

The parser checks for protocol type, src ip, src port and so on. ICMP however is logged without a src port (pretty obvious), but the parser breaks if it doesn't get a src port.

%ACE-4-106023: Deny icmp src  vlanx:x.x.x.x dst undetermined:y.y.y.y (type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]

%ACE-4-106023: Deny udp src vlanx:x.x.x.x/6155 dst undetermined:y.y.y.y/6155 by access-group "access-list" [0xffffffff, 0x0]

So what I am missing in my parser is an "IF proto=ICMP don't match src&dst ports".

Any ideas how I can make this work?
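The two %ACE-4-106023 shapes quoted above (ICMP without ports but with a type/code pair, UDP with a /port on both addresses) can be handled by one pattern in which the port suffixes and the ICMP group are each optional, followed by a per-protocol consistency check. The following is an added example written for this thread, not a MARS parser definition or anything posted by the original author; the sample lines are constructed from the quoted messages using RFC 5737 documentation addresses and a placeholder VLAN name.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the two messages quoted in the thread.
# The addresses (192.0.2.x / 198.51.100.x) and the VLAN name are placeholders,
# not values from a real device.
SAMPLE_LOGS = [
    '%ACE-4-106023: Deny icmp src  vlan10:192.0.2.10 dst undetermined:198.51.100.5 '
    '(type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]',
    '%ACE-4-106023: Deny udp src vlan10:192.0.2.10/6155 dst undetermined:198.51.100.5/6155 '
    'by access-group "access-list" [0xffffffff, 0x0]',
]

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'

# One pattern for both shapes: "/port" after each address is optional, and the
# "(type N, code M)" group is optional, so an ICMP line no longer fails to match.
DENY_RE = re.compile(
    r'^%ACE-(?P<severity>\d)-(?P<msg_id>\d+): Deny (?P<proto>\w+) '
    r'src\s+(?P<src_if>[^:\s]+):(?P<src_ip>' + IPV4 + r')(?:/(?P<src_port>\d+))? '
    r'dst\s+(?P<dst_if>[^:\s]+):(?P<dst_ip>' + IPV4 + r')(?:/(?P<dst_port>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)" '
    r'\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]$'
)


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_ace_deny(line: str) -> Optional[dict]:
    """Parse one %ACE-4-106023 deny line into a dict, or return None.

    Port fields are None for ICMP; icmp_type/icmp_code are None for TCP/UDP.
    """
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    event = {
        "severity": int(d["severity"]),
        "msg_id": d["msg_id"],
        "proto": d["proto"].lower(),
        "src_if": d["src_if"],
        "src_ip": d["src_ip"],
        "src_port": _to_int(d["src_port"]),
        "dst_if": d["dst_if"],
        "dst_ip": d["dst_ip"],
        "dst_port": _to_int(d["dst_port"]),
        "icmp_type": _to_int(d["icmp_type"]),
        "icmp_code": _to_int(d["icmp_code"]),
        "acl": d["acl"],
        "hashes": (d["hash1"], d["hash2"]),
    }
    # The "IF proto=ICMP don't match ports" rule from the post, made explicit:
    # ICMP must carry type/code and no ports; TCP/UDP must carry both ports.
    if event["proto"] == "icmp":
        if event["src_port"] is not None or event["dst_port"] is not None:
            return None
        if event["icmp_type"] is None:
            return None
    elif event["proto"] in ("tcp", "udp"):
        if event["src_port"] is None or event["dst_port"] is None:
            return None
    return event


def parse_many(lines):
    """Parse a batch of lines, dropping anything that is not a well-formed deny."""
    return [e for e in (parse_ace_deny(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for ev in parse_many(SAMPLE_LOGS):
        print(ev["proto"], ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"],
              ev["icmp_type"], ev["icmp_code"], ev["acl"])
```

The consistency check matters for a SIEM feed: a TCP/UDP line that somehow lacks ports, or an ICMP line that carries them, is more likely a truncated or tampered message than a real event, so the parser rejects it rather than populating half the fields.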

Fredrik,

Did you ever get your parser to work for the ACE? If so, would you mind sharing it? We have a need to send ACE logs to the MARS and would like not to start from scratch.
Thanks
Dave

I'd like this too.  My MARS is still going strong and I intend to keep it until support runs out.  Trying to get ACE logs to it.