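#!/usr/bin/perl
## Written by BrianEstep :: Give credit if you use this
## Cobbled together from Kris Philipsen's excellent PLA
##
## Small diagnostic script to help track down pla_parsed regex issues.
## Put a sample syslog message in $log and the filter you want to test in
## $regex_log_begin, then run the script. The output shows which capture
## group receives which part of the message, so you can tell what has to
## change compared with the default setup.
##
## BE SURE YOU ONLY PASTE IN THE SYSLOG MESSAGE UP TO THE BEGINNING
## OF THE ERROR MESSAGE FOR THE ASA / PIX / FWSM.
##
## For example:
##   Oct 21 23:59:23 fwext-dmz-01 Oct 21 2006 23:58:23: %PIX-6-305011: Built
##   dynamic TCP translation from inside:1.1.1.1/2244 to outside:2.2.2.2/3387
##
## should be entered as
##   $log = 'Oct 21 23:59:23 fwext-dmz-01 Oct 21 2006 23:58:23';
##
## pla_parsed already handles the rest of the message, but needs help with
## the first portion, which varies by syslog implementation.
##
## Make sure you end each statement with a semicolon or you'll get an error.

use strict;
use warnings;

## Insert your syslog message sample here, between the single quotes.
## Single quotes keep '$' and '@' in the sample from being interpolated.
my $log = 'Oct 21 23:59:23 fwext-dmz-01 Oct 21 2006 23:58:23';

## Insert your custom regex filter here, between the single quotes, or just
## try the default. Single quotes matter: inside double quotes Perl would
## turn "\d" into "d" and try to interpolate '$', so the pattern tested here
## would not be the pattern you typed.
## NOTE(review): confirm how your pla_parsed configuration quotes this value
## before copying a pattern that contains backslashes or '$' back into it.
##
## The pattern is compiled exactly as written because you are its author;
## do not feed this variable from untrusted input.
my $regex_log_begin = '(.*):(.*) (.*) (.*) (.*) (.*) (.*)';

## --------------------------------------------------------------------------
## Leave the remainder intact, unless you know what you're doing
## --------------------------------------------------------------------------
my $default_regex_log_begin = '(.*):(.*) (.*) (.*) (.*) (.*) (.*)';

# Compile once so a typo in the pattern gives a readable message instead of
# a bare Perl compile error in the middle of the match below.
my $compiled_filter = eval { qr/$regex_log_begin/ };
if (!defined $compiled_filter) {
    print "invalid regex: $@";
    exit 1;
}

# Groups the pattern does not define come back undefined; show them as empty
# fields, as the report expects seven positions.
my @fields;
if ($log =~ $compiled_filter) {
    @fields = map { defined $_ ? $_ : '' } ($1, $2, $3, $4, $5, $6, $7);
}
else {
    # Stop here: without a match there is nothing meaningful to report.
    print "no match";
    exit 1;
}

# The filter counts as "default" only when it is textually identical to the
# shipped one. Matching the default string against the custom pattern would
# label nearly any permissive pattern (for example "(.*)") as default.
my $type = $regex_log_begin eq $default_regex_log_begin ? 'default' : 'custom';

# Meaning of each capture group under the default pla_parsed settings.
# The default pattern is greedy and unanchored, so an unexpected extra space
# or colon in the syslog prefix shifts every field; check host and time
# fields against the sample before trusting parsed firewall records.
my @default_role = (
    '',
    '',
    " \t(default pixhost)",
    " \t(default pixmonth)",
    " \t(default pixdate)",
    " \t(default pixyear)",
    " \t(default pixtime)",
);

print "\n \n";
print "You supplied the following log message:\n";
print "\n";
print " $log\n";
print "\n";
print "Resulting in these matches using a $type regex filter of: \n";
print "\n";
print " $regex_log_begin\n";
print "_________________________________________________________\n";
print "\n";
for my $idx (0 .. $#default_role) {
    print "]> match ", $idx + 1, ": $fields[$idx]$default_role[$idx]\n";
}
print "_________________________________________________________\n";
print "\n";
print "Verify the log string you provided is correct \n";
print "Adjust your regex_log_begin or var_pix settings accordingly!\n";
print "\n";
print "If you have more than one substitution for each match, verify the log message\n";
print "and the regex_log_begin filter string, you may need to change something to get PLA running\n";
print "\n";
print "If the default settings match up, no changes are needed. Just run pla_parsed to start PLA\n";
print "\n";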