// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.
// Host-provided modules: "processor" supplies the Chain builder used by
// DeviceProcessor() below; "console" is required but not referenced in the
// part of the file visible here.
var processor = require("processor");
var console = require("console");
// The parser instance. Assigned in register() and read by process(); it is
// undefined until register() has run.
var device;
/**
 * Module entry point called once at load time: builds the parser chain and
 * stores it in the file-level `device` so that process() can use it.
 * @param {object} params - configuration parameters; not read here.
 */
function register(params) {
    var parser = new DeviceProcessor();
    device = parser;
}
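/**
 * Per-event entry point: runs the event through the chain built by
 * register().
 * @param {object} evt - the event to parse/enrich.
 * @returns {*} whatever the chain's Run returns for `evt`.
 * @throws {Error} if register() has not run yet, instead of the opaque
 *   "cannot read property 'process' of undefined" TypeError the bare call
 *   would produce.
 */
function process(evt) {
    if (device === undefined) {
        throw new Error("process() called before register()");
    }
    return device.process(evt);
}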
/**
 * Builds the processing chain for this device. The chain runs save_flags,
 * then chain1 (the message parsers, defined further down the file), then
 * restore_flags — presumably bracketing the parse so flag state is left as
 * it was found.
 * @returns {{process: function}} an object whose `process` runs the chain.
 */
function DeviceProcessor() {
    var steps = [save_flags, chain1, restore_flags];
    var chainBuilder = new processor.Chain();
    steps.forEach(function (step) {
        chainBuilder.Add(step);
    });
    var chain = chainBuilder.Build();
    return {
        process: chain.Run,
    };
}
// Direction-keyed lookup tables. Keys are the direction codes "0" and "1";
// where present, "default" is presumably the fallback entry for any other
// code. The helper that consumes this {keyvaluepairs, default} shape, and
// dup2455/dup2456, are defined elsewhere in the file.
// Direction name for the source side; the "0"/"1" assignment is the mirror
// image of map_dstDirName.
var map_srcDirName = {
    keyvaluepairs: {
        "0": dup2456,
        "1": dup2455,
    },
};
// Direction name for the destination side (mirror of map_srcDirName).
var map_dstDirName = {
    keyvaluepairs: {
        "0": dup2455,
        "1": dup2456,
    },
};
// Direction code -> constant (the name suggests a summary type); other
// codes get "0".
var map_dir2SumType = {
    keyvaluepairs: {
        "0": constant("2"),
        "1": constant("3"),
    },
    "default": constant("0"),
};
// Direction code -> which address field to read: saddr for "0", daddr for
// "1", saddr otherwise.
var map_dir2Address = {
    keyvaluepairs: {
        "0": field("saddr"),
        "1": field("daddr"),
    },
    "default": field("saddr"),
};
// Same selection as map_dir2Address, for the port field.
var map_dir2Port = {
    keyvaluepairs: {
        "0": field("sport"),
        "1": field("dport"),
    },
    "default": field("sport"),
};
// Shared building blocks ("dupN") referenced by the per-message parsers
// further down the file. Three helper shapes appear here, all defined
// outside this view of the file:
//   set_field({dest, value})            - writes `value` into field `dest`;
//   match({dissect: {tokenizer, field}}) - tokenizes `field` with the dissect
//       pattern, capturing each %{name} into nwparser.<name>;
//   linear_select([...])                - a list of alternative matchers
//       (presumably tried in order until one succeeds — confirm against the
//       helper).
// A trailing %{pN} capture is the unconsumed remainder: the next matcher in
// the sequence reads "nwparser.pN" (e.g. dup3 captures p0 from the payload
// and dup4 tokenizes nwparser.p0). The alternatives in a linear_select
// differ only in quoting/spelling of the same token (e.g. '%{username}'
// versus %{username}), so the same field is set whichever one matches.
var dup0 = set_field({
    dest: "nwparser.messageid",
    value: constant("CISCOASA_GENERIC"),
});
// NOTE(review): dest here is "nwparser.nwparser.eventcategory" while dup6
// (and e.g. dup10, dup14) write "nwparser.eventcategory". The doubled
// prefix looks like a generator artefact rather than a distinct field;
// every "nwparser.nwparser.*" entry in this table is affected (dup2, dup16
// to dup21, dup27 to dup30, ...). Confirm which field the downstream
// mapping reads before renaming — events routed through the doubled
// prefix would otherwise carry no category/message id where consumers
// expect one.
var dup1 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1801010100"),
});
var dup2 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("402102"),
});
var dup3 = match({
    dissect: {
        tokenizer: "Group policy deleted: name:%{p0}",
        field: "nwparser.payload",
    },
});
// Quoted and unquoted forms of the user name; the rest goes to p1.
var dup4 = linear_select([
    match({
        dissect: {
            tokenizer: " '%{username}' %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{username} %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup5 = match({
    dissect: {
        tokenizer: " Type:%{fld1}",
        field: "nwparser.p1",
    },
});
var dup6 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1502040000"),
});
var dup7 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("502112"),
});
// PPTP tunnel set-up: remote peer -> saddr, client's assigned IP -> daddr,
// user name left in p0 for a follow-on matcher.
var dup8 = match({
    dissect: {
        tokenizer: "PPTP Tunnel created, tunnel_id is %{fld1}, remote_peer_ip is %{saddr}, ppp_virtual_interface_id is %{fld2}, client_dynamic_ip is %{daddr}, username is %{p0}",
        field: "nwparser.payload",
    },
});
// Reads p1, which nothing in this block sets: the parser that uses dup8/dup9
// presumably places a username matcher (dup4-style) between them.
var dup9 = match({
    dissect: {
        tokenizer: ", MPPE_key_strength is %{fld3}",
        field: "nwparser.p1",
    },
});
var dup10 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1801020100"),
});
var dup11 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("603104"),
});
var dup12 = match({
    dissect: {
        tokenizer: "Group = %{group}, Username = %{p0}",
        field: "nwparser.payload",
    },
});
var dup13 = match({
    dissect: {
        tokenizer: ", IP = %{saddr}, Tunnel Rejected: %{action}",
        field: "nwparser.p1",
    },
});
var dup14 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1605000000"),
});
var dup15 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("713060"),
});
var dup16 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1801000000"),
});
var dup17 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713121"),
});
var dup18 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1701020000"),
});
var dup19 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("715058"),
});
var dup20 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1606000000"),
});
// "199009:01" versus dup26's "199009": the ":NN" suffix appears to tag an
// alternative tokenization of the same message id (seen again with
// "713905:01" further down) — inferred from the pairing, confirm.
var dup21 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("199009:01"),
});
var dup22 = match({
    dissect: {
        tokenizer: "Reloaded at %{event_time_string} by %{p0}",
        field: "nwparser.payload",
    },
});
var dup23 = match({
    dissect: {
        tokenizer: " from %{process}. Reload reason: %{p2}",
        field: "nwparser.p1",
    },
});
var dup24 = linear_select([
    match({
        dissect: {
            tokenizer: " [%{result}] %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{result} %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
var dup25 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1606000000"),
});
var dup26 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("199009"),
});
var dup27 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1001030305"),
});
var dup28 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("415006"),
});
var dup29 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1605000000"),
});
var dup30 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("714001"),
});
// Header variants with a quoted user, an unquoted user, or no user at all;
// the remainder after the IP goes to p0 for dup32.
var dup31 = linear_select([
    match({
        dissect: {
            tokenizer: " Group = %{group}, Username = '%{username}', IP = %{saddr} %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Group = %{group}, Username = %{username}, IP = %{saddr} %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Group = %{group}, IP = %{saddr} %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup32 = match({
    dissect: {
        tokenizer: ", %{action}: msg id = %{fld1}",
        field: "nwparser.p0",
    },
});
var dup33 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1801000000"),
});
var dup34 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("714005"),
});
var dup35 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("715068"),
});
var dup36 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("113039"),
});
var dup37 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713273"),
});
var dup38 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713273:01"),
});
var dup39 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713273:02"),
});
var dup40 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("714004"),
});
var dup41 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1605020000"),
});
var dup42 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("714004:01"),
});
var dup43 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1805010000"),
});
var dup44 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("110001"),
});
var dup45 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1603000000"),
});
var dup46 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("751025"),
});
var dup47 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1603110000"),
});
var dup48 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("105038"),
});
var dup49 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1805020000"),
});
var dup50 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("318008"),
});
var dup51 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("711001"),
});
var dup52 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713240"),
});
var dup53 = linear_select([
match({
dissect: {
tokenizer: " Group = %{group}, IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " Username = %{username}, IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup54 = match({
dissect: {
tokenizer: ", %{action} history (%{fld1})",
field: "nwparser.p0",
},
});
var dup55 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801010100"),
});
var dup56 = set_field({
dest: "nwparser.msg_id1",
value: constant("715065"),
});
var dup57 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("718021"),
});
var dup58 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1701000000"),
});
var dup59 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("721003"),
});
var dup60 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("103003"),
});
var dup61 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1803000000"),
});
var dup62 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("429002"),
});
var dup63 = match({
dissect: {
tokenizer: "Group \u003c\u003c %{group} \u003e User %{p0}",
field: "nwparser.payload",
},
});
var dup64 = linear_select([
match({
dissect: {
tokenizer: " \u003c\u003c%{username}\u003e %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " '%{username}' %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " %{username} %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup65 = match({
dissect: {
tokenizer: " IP \u003c\u003c %{p2}",
field: "nwparser.p1",
},
});
var dup66 = linear_select([
match({
dissect: {
tokenizer: " %{saddr} (%{fld1}) %{p3}",
field: "nwparser.p2",
},
}),
match({
dissect: {
tokenizer: " %{saddr} %{p3}",
field: "nwparser.p2",
},
}),
]);
var dup67 = match({
dissect: {
tokenizer: " \u003e SVC closing connection: %{info}.",
field: "nwparser.p3",
},
});
var dup68 = set_field({
dest: "nwparser.eventcategory",
value: constant("1801030100"),
});
var dup69 = set_field({
dest: "nwparser.msg_id1",
value: constant("722037"),
});
var dup70 = match({
dissect: {
tokenizer: "AAA user %{p0}",
field: "nwparser.payload",
},
});
var dup71 = linear_select([
match({
dissect: {
tokenizer: " authentication %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " authorization %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup72 = match({
dissect: {
tokenizer: " Rejected : reason = %{result} : server = %{p2}",
field: "nwparser.p1",
},
});
var dup73 = linear_select([
match({
dissect: {
tokenizer: " %{hostip} : %{p3}",
field: "nwparser.p2",
},
}),
match({
dissect: {
tokenizer: " %{hostip}, %{p3}",
field: "nwparser.p2",
},
}),
]);
var dup74 = match({
dissect: {
tokenizer: " %{p4}",
field: "nwparser.p3",
},
});
var dup75 = linear_select([
match({
dissect: {
tokenizer: " User %{p5}",
field: "nwparser.p4",
},
}),
match({
dissect: {
tokenizer: " user %{p5}",
field: "nwparser.p4",
},
}),
]);
var dup76 = match({
dissect: {
tokenizer: " = %{p6}",
field: "nwparser.p5",
},
});
var dup77 = linear_select([
match({
dissect: {
tokenizer: " '%{username}' %{p7}",
field: "nwparser.p6",
},
}),
match({
dissect: {
tokenizer: " %{username} %{p7}",
field: "nwparser.p6",
},
}),
]);
var dup78 = match({
dissect: {
tokenizer: " : %{p8}",
field: "nwparser.p7",
},
});
var dup79 = linear_select([
match({
dissect: {
tokenizer: "user IP%{p9}",
field: "nwparser.p8",
},
}),
match({
dissect: {
tokenizer: "User IP%{p9}",
field: "nwparser.p8",
},
}),
]);
var dup80 = match({
dissect: {
tokenizer: " = %{saddr}",
field: "nwparser.p9",
},
});
var dup81 = set_field({
dest: "nwparser.eventcategory",
value: constant("1301000000"),
});
var dup82 = set_field({
dest: "nwparser.msg_id1",
value: constant("113005:01"),
});
var dup83 = set_field({
dest: "nwparser.msg_id1",
value: constant("113005"),
});
var dup84 = match({
dissect: {
tokenizer: "AAA transaction status %{disposition} : user = %{p0}",
field: "nwparser.payload",
},
});
var dup85 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401060000"),
});
var dup86 = set_field({
dest: "nwparser.msg_id1",
value: constant("113008"),
});
var dup87 = linear_select([
match({
dissect: {
tokenizer: " FWSM console %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " PIX console %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " Console %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup88 = match({
dissect: {
tokenizer: " enable password incorrect for %{fld1} tries (from %{hostip})",
field: "nwparser.p0",
},
});
var dup89 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401050200"),
});
var dup90 = set_field({
dest: "nwparser.msg_id1",
value: constant("308001"),
});
var dup91 = match({
dissect: {
tokenizer: "Fail to establish SSH session because%{p0}",
field: "nwparser.payload",
},
});
var dup92 = linear_select([
match({
dissect: {
tokenizer: " PIX RSA host key retrieval failed.%{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: "%{space}RSA host key retrieval failed.%{p1}",
field: "nwparser.p0",
},
}),
]);
var dup93 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603000000"),
});
var dup94 = set_field({
dest: "nwparser.msg_id1",
value: constant("315004"),
});
var dup95 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("338308"),
});
var dup96 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713905:04"),
});
var dup97 = match({
dissect: {
tokenizer: ", IP = %{saddr}, %{event_description}",
field: "nwparser.p1",
},
});
var dup98 = set_field({
dest: "nwparser.msg_id1",
value: constant("713905"),
});
var dup99 = linear_select([
match({
dissect: {
tokenizer: " Group = %{group}, IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup100 = match({
dissect: {
tokenizer: ", %{p1}",
field: "nwparser.p0",
},
});
var dup101 = linear_select([
match({
dissect: {
tokenizer: "%{event_description} from %{fld1} port %{sport} to %{daddr} port %{dport} %{p2}",
field: "nwparser.p1",
},
}),
match({
dissect: {
tokenizer: " %{event_description}%{p2}",
field: "nwparser.p1",
},
}),
]);
var dup102 = set_field({
dest: "nwparser.msg_id1",
value: constant("713905:01"),
});
var dup103 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713905:02"),
});
var dup104 = match({
dissect: {
tokenizer: "Username = %{p0}",
field: "nwparser.payload",
},
});
var dup105 = set_field({
dest: "nwparser.msg_id1",
value: constant("713905:03"),
});
var dup106 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1613030100"),
});
var dup107 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("717004"),
});
var dup108 = match({
dissect: {
tokenizer: "Auth start for user %{p0}",
field: "nwparser.payload",
},
});
var dup109 = match({
dissect: {
tokenizer: " from %{saddr}/%{sport} to %{daddr}/%{dport}",
field: "nwparser.p1",
},
});
var dup110 = set_field({
dest: "nwparser.eventcategory",
value: constant("1304000000"),
});
var dup111 = set_field({
dest: "nwparser.msg_id1",
value: constant("109001"),
});
var dup112 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("199003"),
});
var dup113 = match({
dissect: {
tokenizer: "New user added to local dbase: Uname: %{p0}",
field: "nwparser.payload",
},
});
var dup114 = match({
dissect: {
tokenizer: " Priv: %{fld1} Encpass: %{fld2}",
field: "nwparser.p1",
},
});
var dup115 = set_field({
dest: "nwparser.eventcategory",
value: constant("1402020200"),
});
var dup116 = set_field({
dest: "nwparser.msg_id1",
value: constant("502101"),
});
var dup117 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("717047"),
});
var dup118 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("109022"),
});
var dup119 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("305009"),
});
var dup120 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("332004"),
});
var dup121 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1501000000"),
});
var dup122 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("611303"),
});
var dup123 = linear_select([
match({
dissect: {
tokenizer: "Mate%{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: "%{info} %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup124 = linear_select([
match({
dissect: {
tokenizer: "Matehas a %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: "%{space}has a %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup125 = set_field({
dest: "nwparser.eventcategory",
value: constant("1603010000"),
});
var dup126 = set_field({
dest: "nwparser.msg_id1",
value: constant("105047"),
});
var dup127 = match({
dissect: {
tokenizer: "Group \u003c\u003c%{group}\u003e User %{p0}",
field: "nwparser.payload",
},
});
var dup128 = match({
dissect: {
tokenizer: " IP \u003c\u003c%{saddr}\u003e %{network_service} Java applet started. %{info}.",
field: "nwparser.p1",
},
});
var dup129 = set_field({
dest: "nwparser.msg_id1",
value: constant("716043"),
});
var dup130 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("720040"),
});
var dup131 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1604000000"),
});
var dup132 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("721002"),
});
var dup133 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("104003"),
});
var dup134 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("746006"),
});
var dup135 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1501020000"),
});
var dup136 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("731001"),
});
var dup137 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1002000000"),
});
var dup138 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("404102"),
});
var dup139 = linear_select([
match({
dissect: {
tokenizer: " PDM %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " ASDM %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup140 = match({
dissect: {
tokenizer: " session number %{sessionid} from %{hostip} started",
field: "nwparser.p0",
},
});
var dup141 = set_field({
dest: "nwparser.eventcategory",
value: constant("1401050100"),
});
var dup142 = set_field({
dest: "nwparser.msg_id1",
value: constant("606001"),
});
var dup143 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("613003"),
});
var dup144 = linear_select([
match({
dissect: {
tokenizer: " Group = %{group}, IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " Username = '%{username}', IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " Username = %{username}, IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " IP = %{saddr} %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup145 = match({
dissect: {
tokenizer: ", IKE Initiator: %{p1}",
field: "nwparser.p0",
},
});
var dup146 = linear_select([
match({
dissect: {
tokenizer: " Rekeying %{p2}",
field: "nwparser.p1",
},
}),
match({
dissect: {
tokenizer: " New %{p2}",
field: "nwparser.p1",
},
}),
]);
var dup147 = match({
dissect: {
tokenizer: " Phase %{p3}",
field: "nwparser.p2",
},
});
var dup148 = linear_select([
match({
dissect: {
tokenizer: " 1 %{p4}",
field: "nwparser.p3",
},
}),
match({
dissect: {
tokenizer: " 2 %{p4}",
field: "nwparser.p3",
},
}),
]);
var dup149 = match({
dissect: {
tokenizer: ", Intf %{fld1}, IKE Peer %{fld2} %{info}",
field: "nwparser.p4",
},
});
var dup150 = set_field({
dest: "nwparser.msg_id1",
value: constant("713041"),
});
var dup151 = match({
dissect: {
tokenizer: "IKE Initiator: %{p0}",
field: "nwparser.payload",
},
});
var dup152 = linear_select([
match({
dissect: {
tokenizer: " Rekeying %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " New %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup153 = match({
dissect: {
tokenizer: " Phase 2, Intf %{fld1}, IKE Peer %{fld2} %{info}",
field: "nwparser.p1",
},
});
var dup154 = set_field({
dest: "nwparser.msg_id1",
value: constant("713041:01"),
});
var dup155 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("718046"),
});
var dup156 = match({
dissect: {
tokenizer: "%{process}:%{p0}",
field: "nwparser.payload",
},
});
var dup157 = linear_select([
match({
dissect: {
tokenizer: " Session=%{sessionid}, Added %{hostip} to standby %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " Added %{hostip} to standby %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup158 = set_field({
dest: "nwparser.msg_id1",
value: constant("737029"),
});
var dup159 = linear_select([
match({
dissect: {
tokenizer: " authentication %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " authorization %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " accounting %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup160 = match({
dissect: {
tokenizer: " Successful : server = %{hostip} : user = %{p2}",
field: "nwparser.p1",
},
});
var dup161 = linear_select([
match({
dissect: {
tokenizer: " '%{username}' %{p3}",
field: "nwparser.p2",
},
}),
match({
dissect: {
tokenizer: " %{username} %{p3}",
field: "nwparser.p2",
},
}),
]);
var dup162 = set_field({
dest: "nwparser.msg_id1",
value: constant("113004"),
});
var dup163 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("324001"),
});
var dup164 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("403501"),
});
var dup165 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("713177"),
});
var dup166 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1401050100"),
});
var dup167 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("309002"),
});
var dup168 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1001020100"),
});
var dup169 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("400015"),
});
var dup170 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1002020000"),
});
var dup171 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("400031"),
});
var dup172 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("733103"),
});
var dup173 = linear_select([
match({
dissect: {
tokenizer: " '%{username}' %{p0}",
field: "nwparser.payload",
},
}),
match({
dissect: {
tokenizer: " %{username} %{p0}",
field: "nwparser.payload",
},
}),
]);
var dup174 = match({
dissect: {
tokenizer: "@%{saddr} Accessed %{p1}",
field: "nwparser.p0",
},
});
var dup175 = linear_select([
match({
dissect: {
tokenizer: " JAVA URL %{p2}",
field: "nwparser.p1",
},
}),
match({
dissect: {
tokenizer: " URL %{p2}",
field: "nwparser.p1",
},
}),
]);
var dup176 = match({
dissect: {
tokenizer: " %{daddr}: %{url}",
field: "nwparser.p2",
},
});
var dup177 = set_field({
dest: "nwparser.eventcategory",
value: constant("1204010000"),
});
var dup178 = set_field({
dest: "nwparser.msg_id1",
value: constant("304001"),
});
var dup179 = match({
dissect: {
tokenizer: "%{saddr} Accessed %{p0}",
field: "nwparser.payload",
},
});
var dup180 = linear_select([
match({
dissect: {
tokenizer: " JAVA URL %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " URL %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup181 = match({
dissect: {
tokenizer: " %{daddr}: %{url}",
field: "nwparser.p1",
},
});
var dup182 = set_field({
dest: "nwparser.msg_id1",
value: constant("304001:01"),
});
var dup183 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1303000000"),
});
var dup184 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("109021"),
});
var dup185 = match({
dissect: {
tokenizer: "Login permitted from %{saddr}/%{sport} to %{dinterface}:%{daddr}/%{service} for user %{p0}",
field: "nwparser.payload",
},
});
var dup186 = linear_select([
match({
dissect: {
tokenizer: " \u003c\u003c%{username}\u003e %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " \"%{username}\" %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " '%{username}' %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " %{username} %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup187 = set_field({
dest: "nwparser.msg_id1",
value: constant("605005"),
});
var dup188 = match({
dissect: {
tokenizer: "%{result} for user %{p0}",
field: "nwparser.payload",
},
});
var dup189 = set_field({
dest: "nwparser.msg_id1",
value: constant("605005:01"),
});
var dup190 = match({
dissect: {
tokenizer: "Removing v1 %{p0}",
field: "nwparser.payload",
},
});
var dup191 = linear_select([
match({
dissect: {
tokenizer: " primary %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " secondary %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup192 = match({
dissect: {
tokenizer: " PDP Context with TID %{fld1} from GGSN %{fld2} and SGSN %{fld3}, Reason: %{event_description}",
field: "nwparser.p1",
},
});
var dup193 = set_field({
dest: "nwparser.eventcategory",
value: constant("1701000000"),
});
var dup194 = set_field({
dest: "nwparser.msg_id1",
value: constant("617002"),
});
var dup195 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("617002:01"),
});
var dup196 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("715050"),
});
var dup197 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("737019"),
});
var dup198 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("737019:01"),
});
var dup199 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1207010200"),
});
var dup200 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("108003"),
});
var dup201 = match({
dissect: {
tokenizer: "Terminating %{network_service} connection; malicious pattern detected in the %{space} mail address from %{sinterface}:%{saddr}/%{sport} to %{dinterface}:%{daddr}/%{dport}. %{p0}",
field: "nwparser.payload",
},
});
var dup202 = linear_select([
match({
dissect: {
tokenizer: " Mail Address %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " Data %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup203 = match({
dissect: {
tokenizer: " :%{result}",
field: "nwparser.p1",
},
});
var dup204 = set_field({
dest: "nwparser.eventcategory",
value: constant("1207010200"),
});
var dup205 = set_field({
dest: "nwparser.msg_id1",
value: constant("108003:01"),
});
var dup206 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("108006"),
});
var dup207 = match({
dissect: {
tokenizer: "%{service}: An %{direction} SA (SPI= %{fld1}) between %{saddr} and %{daddr} %{p0}",
field: "nwparser.payload",
},
});
var dup208 = linear_select([
match({
dissect: {
tokenizer: " (user=%{username}) %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " (%{username}) %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " '%{username}' %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " %{username} %{p1}",
field: "nwparser.p0",
},
}),
]);
var dup209 = match({
dissect: {
tokenizer: " %{action}",
field: "nwparser.p1",
},
});
var dup210 = set_field({
dest: "nwparser.msg_id1",
value: constant("602304"),
});
var dup211 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("105020"),
});
var dup212 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("602102"),
});
var dup213 = match({
dissect: {
tokenizer: ", IP = %{saddr} , %{p2}",
field: "nwparser.p1",
},
});
var dup214 = linear_select([
match({
dissect: {
tokenizer: "%{event_description} duration from %{fld1} to %{fld2} seconds%{p3}",
field: "nwparser.p2",
},
}),
match({
dissect: {
tokenizer: "%{event_description}%{p3}",
field: "nwparser.p2",
},
}),
]);
var dup215 = set_field({
dest: "nwparser.eventcategory",
value: constant("1613040200"),
});
var dup216 = set_field({
dest: "nwparser.msg_id1",
value: constant("713075"),
});
var dup217 = match({
dissect: {
tokenizer: "Group = %{group}, IP = %{saddr} ,%{p0}",
field: "nwparser.payload",
},
});
var dup218 = linear_select([
match({
dissect: {
tokenizer: "%{event_description} from %{fld1} to %{fld2} seconds %{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: "%{event_description}%{p1}",
field: "nwparser.p0",
},
}),
]);
var dup219 = set_field({
dest: "nwparser.msg_id1",
value: constant("713075:01"),
});
var dup220 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1304000000"),
});
var dup221 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("717025"),
});
var dup222 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1801020000"),
});
var dup223 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("722034"),
});
var dup224 = linear_select([
match({
dissect: {
tokenizer: " %{saddr} (%{fld1})\u003e %{p3}",
field: "nwparser.p2",
},
}),
match({
dissect: {
tokenizer: " %{saddr}\u003e %{p3}",
field: "nwparser.p2",
},
}),
]);
var dup225 = match({
dissect: {
tokenizer: " Received large packet %{bytes} (%{info}).",
field: "nwparser.p3",
},
});
var dup226 = set_field({
dest: "nwparser.msg_id1",
value: constant("722035"),
});
var dup227 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1001030200"),
});
var dup228 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("406002"),
});
var dup229 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("620002:01"),
});
var dup230 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("620002"),
});
var dup231 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("752015"),
});
var dup232 = set_field({
dest: "nwparser.nwparser.eventcategory",
value: constant("1701070000"),
});
var dup233 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("611319"),
});
var dup234 = match({
dissect: {
tokenizer: "New group policy added: name:%{p0}",
field: "nwparser.payload",
},
});
var dup235 = set_field({
dest: "nwparser.eventcategory",
value: constant("1502030000"),
});
var dup236 = set_field({
dest: "nwparser.msg_id1",
value: constant("502111"),
});
var dup237 = set_field({
dest: "nwparser.nwparser.msg_id1",
value: constant("611322"),
});
var dup238 = match({
dissect: {
tokenizer: "%{process}: %{p0}",
field: "nwparser.payload",
},
});
var dup239 = linear_select([
match({
dissect: {
tokenizer: "Session=%{sessionid}, Freeing%{p1}",
field: "nwparser.p0",
},
}),
match({
dissect: {
tokenizer: " Freeing%{p1}",
field: "nwparser.p0",
},
}),
]);
var dup240 = match({
dissect: {
tokenizer: " DHCP address %{hostip}",
field: "nwparser.p1",
},
});
// Shared sub-patterns (dupNNN) reused by the Cisco ASA message chains that
// are defined further down in this generated file. Each entry is one of:
//   - set_field({dest, value: constant(...)}): stores a fixed message id
//     (msg_id1) or event-category code (eventcategory) in the event;
//   - match({dissect: {tokenizer, field}}): a dissect pattern applied to the
//     named input field — either the raw payload or one of the intermediate
//     remainders p0..p5 produced by an earlier pattern's trailing %{pN};
//   - linear_select([...]): a list of alternative matches, presumably tried
//     in order until one succeeds (semantics live in the helper, not here).
// The order and numbering must be preserved: later chains refer to these by
// name.
//
// NOTE(review): the set_field destinations are inconsistent. Most entries
// write "nwparser.nwparser.msg_id1" / "nwparser.nwparser.eventcategory",
// while others write "nwparser.msg_id1" / "nwparser.eventcategory" (compare
// dup241 with dup242, or dup316 with dup378, which store the same category
// code through the two different paths). Unless set_field normalises the
// prefix, the doubled form lands in a different field than the single one,
// so any downstream lookup on nwparser.msg_id1 / nwparser.eventcategory would
// silently miss those messages. Looks like a generator artifact — confirm
// which path the rest of the pipeline reads before relying on these ids for
// routing or detection.
var dup241 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("737015"),
});
var dup242 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("400001"),
});
var dup243 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1603020000"),
});
var dup244 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("210022"),
});
var dup245 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("415001"),
});
var dup246 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("506001"),
});
var dup247 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("720021"),
});
var dup248 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("201001"),
});
// "Dynamic Filter ..." / "Dynamic filter ..." (Botnet Traffic Filter) chain:
// dup249 splits off the prefix, dup250 accepts either capitalisation, dup251
// dissects the blacklisted-traffic details into source/destination/threat
// fields.
var dup249 = match({
    dissect: {
        tokenizer: "Dynamic %{p0}",
        field: "nwparser.payload",
    },
});
var dup250 = linear_select([
    match({
        dissect: {
            tokenizer: " Filter %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " filter %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup251 = match({
    dissect: {
        tokenizer: " dropped blacklisted %{protocol} traffic from %{sinterface}:%{saddr}/%{sport} (%{stransaddr}/%{stransport}) to %{dinterface}:%{daddr}/%{dport} (%{dtransaddr}/%{dtransport}), destination %{fld1} resolved from %{fld2} list:%{fld3}/%{mask} threat-level: %{severity}, category: %{result}",
        field: "nwparser.p1",
    },
});
var dup252 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("338008"),
});
var dup253 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1001030300"),
});
var dup254 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("405002"),
});
var dup255 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("444102"),
});
var dup256 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1501040000"),
});
var dup257 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("109024"),
});
var dup258 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1803010000"),
});
var dup259 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("106016"),
});
var dup260 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("106016:01"),
});
var dup261 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1607000000"),
});
var dup262 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("338310"),
});
var dup263 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("720046"),
});
var dup264 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("737003:01"),
});
var dup265 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("737003"),
});
var dup266 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("737026"),
});
var dup267 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("737026:01"),
});
var dup268 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1702030000"),
});
var dup269 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("105040"),
});
// Admin authentication failure chain (ids 109033 / 109033:01 below): the
// source address of the failed attempt ends up in saddr, the rejected
// protocol in protocol.
var dup270 = match({
    dissect: {
        tokenizer: "Authentication failed for admin user %{p0}",
        field: "nwparser.payload",
    },
});
var dup271 = match({
    dissect: {
        tokenizer: " from %{saddr}. Interactive challenge processing is not supported for %{p2}",
        field: "nwparser.p1",
    },
});
var dup272 = linear_select([
    match({
        dissect: {
            tokenizer: " administrative %{protocol} %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{protocol} %{info} %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
// %{} with no name is a skip: the trailing text is consumed but not stored.
var dup273 = match({
    dissect: {
        tokenizer: " connections%{}",
        field: "nwparser.p3",
    },
});
var dup274 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("109033:01"),
});
var dup275 = match({
    dissect: {
        tokenizer: " from %{saddr}.",
        field: "nwparser.p1",
    },
});
var dup276 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("109033"),
});
var dup277 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("720063"),
});
// ACL deny/permit chain (ids 106102 and variants below). dup278/dup287 take
// the list name and verb, dup279..dup284 walk the remainder through
// interface/address/port pairs in the two layouts the log uses:
// "addr(port)" and "addr port". The two variants of each step are picked
// by linear_select; "\u003e" is the JS escape for ">", i.e. "->" in the log.
var dup278 = match({
    dissect: {
        tokenizer: "access-list %{listnum} denied %{p0}",
        field: "nwparser.payload",
    },
});
var dup279 = linear_select([
    match({
        dissect: {
            tokenizer: "%{protocol} for user '%{username}' %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: "%{protocol} %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup280 = match({
    dissect: {
        tokenizer: "%{sinterface}/%{p2}",
        field: "nwparser.p1",
    },
});
var dup281 = linear_select([
    match({
        dissect: {
            tokenizer: "%{saddr}(%{sport}) -\u003e %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: "%{saddr} %{sport} %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
var dup282 = match({
    dissect: {
        tokenizer: "%{dinterface}/%{p4}",
        field: "nwparser.p3",
    },
});
var dup283 = linear_select([
    match({
        dissect: {
            tokenizer: "%{daddr}(%{dport}) hit-cnt %{p5}",
            field: "nwparser.p4",
        },
    }),
    match({
        dissect: {
            tokenizer: "%{daddr} %{dport} hit-cnt %{p5}",
            field: "nwparser.p4",
        },
    }),
]);
var dup284 = match({
    dissect: {
        tokenizer: "%{dclass_counter1} %{info}",
        field: "nwparser.p5",
    },
});
var dup285 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1803000000"),
});
var dup286 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("106102:02"),
});
var dup287 = match({
    dissect: {
        tokenizer: "access-list %{listnum} permitted %{p0}",
        field: "nwparser.payload",
    },
});
var dup288 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1801020000"),
});
var dup289 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("106102:01"),
});
var dup290 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("106102"),
});
// AAA group-policy assignment chain (id 113003 below); dup293 tolerates an
// optional trailing "." after the policy name.
var dup291 = match({
    dissect: {
        tokenizer: "AAA group policy for user %{p0}",
        field: "nwparser.payload",
    },
});
var dup292 = match({
    dissect: {
        tokenizer: " is being set to %{p2}",
        field: "nwparser.p1",
    },
});
var dup293 = linear_select([
    match({
        dissect: {
            tokenizer: " %{policyname}. %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{policyname} %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
var dup294 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("113003"),
});
var dup295 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("709006"),
});
var dup296 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("725011"),
});
var dup297 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("105034"),
});
var dup298 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("105034:01"),
});
var dup299 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("305004"),
});
var dup300 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("311004"),
});
var dup301 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("400020"),
});
var dup302 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("718005"),
});
var dup303 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("750007"),
});
// "Rebuilt ... connection" chain (ids 302009 / 302009:01 below). Each
// address triple is accepted in its short ("faddr"/"gaddr"/"laddr") or long
// ("foreign_address"/...) spelling; note the global address is stored as
// hostip/network_port rather than a translated-address field.
var dup304 = match({
    dissect: {
        tokenizer: "Rebuilt %{protocol} connection %{connectionid} for %{p0}",
        field: "nwparser.payload",
    },
});
var dup305 = linear_select([
    match({
        dissect: {
            tokenizer: " faddr %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " foreign_address %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup306 = match({
    dissect: {
        tokenizer: " %{saddr}/%{sport} %{p2}",
        field: "nwparser.p1",
    },
});
var dup307 = linear_select([
    match({
        dissect: {
            tokenizer: " gaddr %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: " global_address %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
var dup308 = match({
    dissect: {
        tokenizer: " %{hostip}/%{network_port} %{p4}",
        field: "nwparser.p3",
    },
});
var dup309 = linear_select([
    match({
        dissect: {
            tokenizer: " laddr %{p5}",
            field: "nwparser.p4",
        },
    }),
    match({
        dissect: {
            tokenizer: " local_address %{p5}",
            field: "nwparser.p4",
        },
    }),
]);
var dup310 = match({
    dissect: {
        tokenizer: " %{daddr}/%{dport}",
        field: "nwparser.p5",
    },
});
var dup311 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("302009:01"),
});
var dup312 = match({
    dissect: {
        tokenizer: "Rebuild connection for %{p0}",
        field: "nwparser.payload",
    },
});
var dup313 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("302009"),
});
// "Received/Receive invalid packet" chain (id 409003 below).
var dup314 = linear_select([
    match({
        dissect: {
            tokenizer: " Received %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Receive %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup315 = match({
    dissect: {
        tokenizer: " invalid packet: %{result} from %{saddr}, %{interface}",
        field: "nwparser.p0",
    },
});
var dup316 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1703000000"),
});
var dup317 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("409003"),
});
// "Adding/Removing tracked route" prefix (id 622001 below); the remainder in
// p0 is dissected by dup319.
var dup318 = linear_select([
    match({
        dissect: {
            tokenizer: " Adding %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Removing %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
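// Route-tracking detail pattern applied to the remainder (p0) left by the
// "Adding/Removing tracked route" prefix pattern defined just above it.
// Captures the route into info, the administrative distance into
// dclass_counter1, the routing table into the generic fld1 field and the
// interface into interface.
//
// The generated tokenizer originally read "table %(unknown)". "%(...)" is not
// a capture in this file's dissect syntax (every capture is "%{...}"), so that
// text would have had to appear verbatim in the message and the pattern could
// never match a real table id. It is captured into %{fld1} here, the generic
// field this file uses elsewhere for otherwise-unmapped values; use "%{}"
// instead if the value should be consumed without being stored.
var dup319 = match({
    dissect: {
        tokenizer: " tracked route %{info}, distance %{dclass_counter1}, table %{fld1}, on interface %{interface}",
        field: "nwparser.p0",
    },
});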
// Continuation of the shared sub-pattern table (dupNNN) used by the message
// chains defined later in this generated file: set_field entries store a
// fixed message id (msg_id1) or event-category code (eventcategory), match
// entries are dissect patterns over the payload or an intermediate remainder
// p0..p5, and linear_select entries list alternatives that are presumably
// tried in order. Numbering and order must be preserved; later chains refer
// to these by name.
//
// NOTE(review): as elsewhere in this table, set_field destinations alternate
// between "nwparser.nwparser.<name>" and "nwparser.<name>" (e.g. dup337 vs
// dup335). Unless set_field normalises the prefix these are two different
// fields, and a downstream consumer of nwparser.msg_id1 would miss every
// message tagged through the doubled path — confirm which form the rest of
// the pipeline reads.
var dup320 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("622001"),
});
// "Group = ..., Username = ..., IP = ..., <description>" chains (ids 715049
// and 715049:01 below); the group and username parts are optional, so the
// alternatives are ordered from most to least specific.
var dup321 = linear_select([
    match({
        dissect: {
            tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: "Username = %{username}, IP = %{saddr}, %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup322 = match({
    dissect: {
        tokenizer: " %{event_description}",
        field: "nwparser.p0",
    },
});
var dup323 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("715049:01"),
});
var dup324 = linear_select([
    match({
        dissect: {
            tokenizer: " Group = %{group}, IP = %{saddr}, %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " IP = %{saddr}, %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup325 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("715049"),
});
// Certificate-related description (id 717009 below): the first alternative
// pulls serial number, subject and issuer into dedicated fields; the second
// keeps only the free-text description.
var dup326 = linear_select([
    match({
        dissect: {
            tokenizer: "%{event_description} serial number: %{serial_number}, subject name: %{cert_subject}, issuer name: %{dn}%{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{event_description}%{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup327 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1613030100"),
});
var dup328 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("717009"),
});
// IKEv1/IKEv2 tunnel-setup success (id 752016 below). The IKE version itself
// is matched as a literal and not stored anywhere.
var dup329 = linear_select([
    match({
        dissect: {
            tokenizer: "IKEv1%{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: "IKEv2%{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup330 = match({
    dissect: {
        tokenizer: " was successful at setting up a tunnel. Map Tag = %{fld1}. Map Sequence Number = %{fld2}.",
        field: "nwparser.p0",
    },
});
var dup331 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("752016"),
});
// AAA server failure during authentication (id 109002 below); the failed
// AAA server address goes to hostip.
var dup332 = linear_select([
    match({
        dissect: {
            tokenizer: " Auth from %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Auth %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup333 = match({
    dissect: {
        tokenizer: " %{saddr}/%{sport} to %{daddr}/%{dport} failed (server %{hostip} failed) on interface %{sinterface}",
        field: "nwparser.p0",
    },
});
var dup334 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1303000000"),
});
var dup335 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("109002"),
});
var dup336 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1204000000"),
});
var dup337 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("304006"),
});
var dup338 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1610000000"),
});
var dup339 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("505006"),
});
var dup340 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("615002"),
});
var dup341 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1613040200"),
});
var dup342 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713073"),
});
var dup343 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1603010000"),
});
var dup344 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("101004"),
});
var dup345 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("313003"),
});
var dup346 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("313003:01"),
});
var dup347 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("324002"),
});
var dup348 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("715075"),
});
var dup349 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1401050200"),
});
var dup350 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("307004"),
});
var dup351 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("338305"),
});
var dup352 = match({
    dissect: {
        tokenizer: ", %{action}",
        field: "nwparser.p0",
    },
});
var dup353 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("715063"),
});
var dup354 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("718056"),
});
var dup355 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("109023"),
});
var dup356 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("109023:01"),
});
var dup357 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1801020100"),
});
var dup358 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("602301"),
});
// "TunnelGroup ... No address available for SVC connection" chain (id 722020
// below). "\u003c" / "\u003e" are the JS escapes for "<" / ">".
// NOTE(review): the tokenizer requires a literal "<<" before each value but
// only a single ">" after it (the same asymmetry appears in dup411 below).
// If "<<" was an escape for a literal "<" in the source grammar that the
// generator did not unescape, this pattern only matches messages that really
// contain "<<" — verify against a sample log line before relying on it.
var dup359 = match({
    dissect: {
        tokenizer: "TunnelGroup \u003c\u003c %{group_object} \u003e GroupPolicy \u003c\u003c %{group} \u003e User %{p0}",
        field: "nwparser.payload",
    },
});
var dup360 = linear_select([
    match({
        dissect: {
            tokenizer: " %{saddr} (%{fld2}) %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{saddr} %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
var dup361 = match({
    dissect: {
        tokenizer: " \u003e No address available for SVC connection%{}",
        field: "nwparser.p3",
    },
});
var dup362 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("722020"),
});
// IPsec identity mismatch chain (id 402103 below); the "ip" marker may or
// may not be parenthesised.
var dup363 = match({
    dissect: {
        tokenizer: "identity doesn't match negotiated identity %{p0}",
        field: "nwparser.payload",
    },
});
var dup364 = linear_select([
    match({
        dissect: {
            tokenizer: " ip %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " (ip) %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup365 = match({
    dissect: {
        tokenizer: " dest_addr=%{daddr}, src_addr=%{saddr}, prot= %{protocol}, (ident) %{info}",
        field: "nwparser.p1",
    },
});
var dup366 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("402103"),
});
var dup367 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("201006"),
});
var dup368 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("210003"),
});
var dup369 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1603040000"),
});
var dup370 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("213002"),
});
// Clustering "Built backup/director stub connection" chain (id 302026
// below); compare dup433 further down, which also accepts "forwarder".
var dup371 = match({
    dissect: {
        tokenizer: "Built %{p0}",
        field: "nwparser.payload",
    },
});
var dup372 = linear_select([
    match({
        dissect: {
            tokenizer: "backup%{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: "director%{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup373 = match({
    dissect: {
        tokenizer: " stub %{protocol} connection %{connectionid} for %{sinterface}:%{saddr}/%{sport} (%{fld1}) to %{dinterface}:%{daddr}/%{dport} (%{fld2})",
        field: "nwparser.p1",
    },
});
var dup374 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("302026"),
});
var dup375 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("321001"),
});
var dup376 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("321001:01"),
});
var dup377 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("324007"),
});
var dup378 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1703000000"),
});
var dup379 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("409011"),
});
// Connection-limit exceeded on a static/xlate (ids 201002 / 201002:01
// below). dup384..dup388 is the same chain with a leading "TCP"/"tcp" word.
var dup380 = match({
    dissect: {
        tokenizer: "Too many connections on %{p0}",
        field: "nwparser.payload",
    },
});
var dup381 = linear_select([
    match({
        dissect: {
            tokenizer: " static %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " xlate %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup382 = match({
    dissect: {
        tokenizer: " %{hostip}! %{fld1} %{fld2}",
        field: "nwparser.p1",
    },
});
var dup383 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("201002"),
});
var dup384 = match({
    dissect: {
        tokenizer: "Too many %{p0}",
        field: "nwparser.payload",
    },
});
var dup385 = linear_select([
    match({
        dissect: {
            tokenizer: " TCP %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " tcp %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup386 = match({
    dissect: {
        tokenizer: " connections on %{p2}",
        field: "nwparser.p1",
    },
});
var dup387 = linear_select([
    match({
        dissect: {
            tokenizer: " static %{p3}",
            field: "nwparser.p2",
        },
    }),
    match({
        dissect: {
            tokenizer: " xlate %{p3}",
            field: "nwparser.p2",
        },
    }),
]);
var dup388 = match({
    dissect: {
        tokenizer: " %{hostip}! %{fld1} %{fld2}",
        field: "nwparser.p3",
    },
});
var dup389 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("201002:01"),
});
var dup390 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713128"),
});
var dup391 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713128:01"),
});
var dup392 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713257"),
});
// IKE message description with an optional "(seq number N)" suffix (ids
// 715036 / 715036:01 below).
var dup393 = match({
    dissect: {
        tokenizer: "Group = %{group}, Username = %{username}, IP = %{saddr}, %{p0}",
        field: "nwparser.payload",
    },
});
var dup394 = linear_select([
    match({
        dissect: {
            tokenizer: "%{event_description} (seq number %{fld1}) %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{event_description}%{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup395 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("715036:01"),
});
var dup396 = match({
    dissect: {
        tokenizer: "Group = %{group}, IP = %{saddr}, %{p0}",
        field: "nwparser.payload",
    },
});
var dup397 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("715036"),
});
var dup398 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1701010000"),
});
var dup399 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("420004"),
});
var dup400 = match({
    dissect: {
        tokenizer: ", IP = %{saddr} , %{action}:%{info}",
        field: "nwparser.p1",
    },
});
var dup401 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("713034"),
});
var dup402 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713034:01"),
});
var dup403 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("776252"),
});
var dup404 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("609001"),
});
var dup405 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("400021"),
});
var dup406 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("720062"),
});
var dup407 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("752006"),
});
var dup408 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("103007"),
});
var dup409 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("504001:01"),
});
var dup410 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("504001"),
});
// "User ACL ... from AAA ignored" (id 113034 below). Same literal "<<"/">"
// asymmetry as dup359 — see the note there.
var dup411 = match({
    dissect: {
        tokenizer: " IP \u003c\u003c%{hostip}\u003e User ACL \u003c\u003c%{info}\u003e from AAA ignored, AV-PAIR ACL used instead",
        field: "nwparser.p1",
    },
});
var dup412 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1204020000"),
});
var dup413 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("113034"),
});
// SSH login failure (ids 315003 / 315003:01 below). dup414 and dup416 differ
// only in whether " on " precedes the attempt count; the failed-attempt count
// lands in fld1 and the username, quoted or bare, is taken by dup417.
var dup414 = match({
    dissect: {
        tokenizer: "SSH login session failed from %{saddr} on (%{fld1} attempts) on interface %{interface} by user %{p0}",
        field: "nwparser.payload",
    },
});
var dup415 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("315003"),
});
var dup416 = match({
    dissect: {
        tokenizer: "SSH login session failed from %{saddr}(%{fld1} attempts) on interface %{interface} by user %{p0}",
        field: "nwparser.payload",
    },
});
var dup417 = linear_select([
    match({
        dissect: {
            tokenizer: " \"%{username}\" %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " '%{username}' %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: " %{username} %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup418 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("315003:01"),
});
var dup419 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("616001:01"),
});
var dup420 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("616001"),
});
// Peer removal with reason (id 713050 below); username is optional and may be
// single-quoted.
var dup421 = linear_select([
    match({
        dissect: {
            tokenizer: " Group = %{group}, Username = '%{username}' %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Group = %{group}, Username = %{username} %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Group = %{group} %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup422 = match({
    dissect: {
        tokenizer: ", IP = %{saddr}, %{action} for peer %{peer}. Reason: %{result} %{info}",
        field: "nwparser.p0",
    },
});
var dup423 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("713050"),
});
var dup424 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("316001"),
});
// ISAKMP peer limit reached (ids 316001 / 316001:01).
// NOTE(review): the second alternative, "creat %{p1}", has no leading space
// and a truncated verb, unlike " create %{p1}"; this looks like a
// typo-tolerant variant carried over from the source parser — confirm it is
// intended rather than a generator slip.
var dup425 = match({
    dissect: {
        tokenizer: "Cannot %{p0}",
        field: "nwparser.payload",
    },
});
var dup426 = linear_select([
    match({
        dissect: {
            tokenizer: " create %{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: "creat %{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup427 = match({
    dissect: {
        tokenizer: " more isakmp peers, exceeding the limit of %{fld1} peers",
        field: "nwparser.p1",
    },
});
var dup428 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("316001:01"),
});
var dup429 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("113022"),
});
var dup430 = set_field({
    dest: "nwparser.nwparser.eventcategory",
    value: constant("1801030000"),
});
var dup431 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("302002"),
});
var dup432 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("302002:01"),
});
// Cluster role selector (id 302024 below): like dup372 but also accepts
// "forwarder".
var dup433 = linear_select([
    match({
        dissect: {
            tokenizer: "backup%{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: "director%{p1}",
            field: "nwparser.p0",
        },
    }),
    match({
        dissect: {
            tokenizer: "forwarder%{p1}",
            field: "nwparser.p0",
        },
    }),
]);
var dup434 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("302024"),
});
var dup435 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("713127"),
});
var dup436 = match({
    dissect: {
        tokenizer: ",%{info}",
        field: "nwparser.p0",
    },
});
var dup437 = set_field({
    dest: "nwparser.eventcategory",
    value: constant("1701030000"),
});
var dup438 = set_field({
    dest: "nwparser.msg_id1",
    value: constant("713213"),
});
var dup439 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("718072"),
});
var dup440 = set_field({
    dest: "nwparser.nwparser.msg_id1",
    value: constant("107002"),
});
// Successful-authentication group prefix; the group name in angle brackets is
// taken by the pattern that follows this one in the file.
var dup441 = linear_select([
    match({
        dissect: {
            tokenizer: " Authentication: successful, group = %{p0}",
            field: "nwparser.payload",
        },
    }),
    match({
        dissect: {
            tokenizer: " Group %{p0}",
            field: "nwparser.payload",
        },
    }),
]);
var dup442 = match({
dissect: {
tokenizer: " \u003c\u003c%{group}\u003e %{p1}",
field: "nwparser.p0",