Writing an OSSIM-based log collection plugin for H3C switches
Building on the previous article, 《基於OSSIM平臺下華爲交換機日誌收集插件的開發》 (developing an OSSIM log collection plugin for Huawei switches), we continue with the H3C switch plugin:
[DEFAULT]
plugin_id=1712
[config]
type=detector
enable=yes
source=log
location=/var/log/h3c-switch.log
create_file=yes
process=
start=no
stop=no
restart=no
startup=
shutdown=
[translation]
CLKCHANGE=1
NTP_LOG=2
PFWD=3
PHONY_MODULE=4
RX_POW_NORMAL=5
RX_POW_LOW=6
LOGOUT=7
LOGINFAIL=8
[0001 - H3C-ETH-SWITCH LOGIN LOGOUT]
event_type=event
precheck="because"
regexp="(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+(?P<host>\S+)\s+\%\%\d+(?P<module>\S+)\/(?P<severity>\d+)/(?P<sid>LOGOUT|LOGINFAIL)\(\w+\)\:\s+(?P<service>[A-Z]+).*?(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?because\s?\:(?P<reason>.*)"
date={normalize_date($date)}
plugin_sid={translate($sid)}
device={$host}
src_ip={$client_ip}
userdata1={$module}
userdata2={$severity}
userdata3={$reason}
userdata4={$service}
[0002 - H3C-ETH-SWITCH]
event_type=event
regexp="(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+(?P<host>\S+)\s+\%\%\d+(?P<module>\S+)\/(?P<severity>\d+)\/(?P<sid>\S+)\(.*?\:(?P<explanation>.*)"
date={normalize_date($date)}
plugin_sid={translate($sid)}
device={$host}
userdata1={$module}
userdata2={$severity}
userdata3={$explanation}
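As an added illustration (not part of the original post), the Python below runs the two rules above over constructed H3C log lines, with each regexp's named groups reconstructed from the {$var} references in the plugin; the precheck-then-regexp order, the translate() lookup, the normalize_date() year handling and the sample lines are assumptions that approximate OSSIM's agent behaviour.

```python
import re
from datetime import datetime

# Rules in file order, as the OSSIM agent tries them (named groups reconstructed).
RULES = [
    {   # [0001 - H3C-ETH-SWITCH LOGIN LOGOUT]: only tried when the precheck string is present
        "precheck": "because",
        "regexp": re.compile(
            r"(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+(?P<host>\S+)\s+%%\d+"
            r"(?P<module>\S+)/(?P<severity>\d+)/(?P<sid>LOGOUT|LOGINFAIL)\(\w+\):\s+"
            r"(?P<service>[A-Z]+).*?(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
            r".*?because\s?:(?P<reason>.*)"),
    },
    {   # [0002 - H3C-ETH-SWITCH]: catch-all for every other %%module/severity/mnemonic line
        "precheck": None,
        "regexp": re.compile(
            r"(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+\S+\s+(?P<host>\S+)\s+%%\d+"
            r"(?P<module>\S+)/(?P<severity>\d+)/(?P<sid>\S+)\(.*?:(?P<explanation>.*)"),
    },
]
# The [translation] table: mnemonic -> plugin_sid.
TRANSLATION = {"CLKCHANGE": 1, "NTP_LOG": 2, "PFWD": 3, "PHONY_MODULE": 4,
               "RX_POW_NORMAL": 5, "RX_POW_LOW": 6, "LOGOUT": 7, "LOGINFAIL": 8}

# Constructed sample lines in H3C syslog format (not from a real device).
SAMPLE_LINES = [
    "Mar  5 10:21:07 2024 H3C-CORE %%10SHELL/5/LOGINFAIL(l): VTY user admin failed to login from 192.168.10.25 because: wrong password",
    "Mar  5 10:22:30 2024 H3C-CORE %%10SHELL/5/LOGOUT(l): VTY logout from 192.168.10.25 because: user request",
    "Mar  5 10:25:00 2024 H3C-CORE %%10DEV/4/PHONY_MODULE(l): Phony module detected in slot 2.",
]

def normalize_date(text, year=None):
    """Syslog timestamps carry no year, so the current year is assumed (assumption)."""
    year = year or datetime.now().year
    d = datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")
    return d.strftime("%Y-%m-%d %H:%M:%S")

def parse_line(line, year=None):
    """Return the normalized event for the first rule whose precheck and regexp match, else None."""
    for rule in RULES:
        if rule["precheck"] and rule["precheck"] not in line:
            continue
        m = rule["regexp"].search(line)
        if not m:
            continue
        f = m.groupdict()
        return {"date": normalize_date(f["date"], year),
                "plugin_sid": TRANSLATION.get(f["sid"]),   # None if the mnemonic is not in [translation]
                "device": f["host"], "src_ip": f.get("client_ip"),
                "module": f["module"], "severity": int(f["severity"]),
                "text": (f.get("reason") or f.get("explanation") or "").strip()}
    return None
```

A mnemonic that matches rule 0002 but has no [translation] entry yields no plugin_sid, which is the case to watch for when adding new H3C message types to the plugin.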
For more on plugin-based log collection, see the book 《開源安全運維平臺OSSIM最佳實踐》 (OSSIM Best Practices for an Open-Source Security Operations Platform).