Conversation

@ShaneMcC commented May 7, 2025

This adds a dependency on https://github.com/DavidJBianco/pycef for parsing the CEF message, and also requires some changes to the syslog-ng config (which I'll submit as a separate PR to https://github.com/veesix-networks/cgn-ec).

One thing that's not quite handled correctly here yet is that A10 VRFs are named, not numbered, and the name is part of the host field in the syslog entry. So I'm overriding parse_message to also give access to the host_name, but this currently ends up being thrown away because vrf_id is numeric-only in the database.

I also don't yet implement all the possible event types; I only have 100/101/106/107 in my logs, so I'm unsure how 102/103/104/105 are presented. I assume at least one pair of these is for NAT Session Created/Deleted.

@ShaneMcC (Author) commented May 7, 2025

Ah, since I started on this the upstream project has changed slightly to move the syslog producer to a separate repo so the changes I've made so far aren't compatible. I'll review and change these.

Essentially I added:

filter f_a10_thunder_cef_msg {
    # match() takes the pattern and its options separated by whitespace (no comma).
    # Patterns are PCRE by default, so '|' must be escaped or '|A10|' is an empty
    # alternation that matches every message; single quotes pass the backslashes
    # through to the regex engine unchanged.
    match('CEF:' value("MSGHDR")) and match('\|A10\|' value("MESSAGE"));
};

log {
    source(s_net);
    filter(f_a10_thunder_cef_msg);
    destination(d_kafka_a10_thunder);
};

to the producer/syslog/cgn-ec.conf.d/a10-thunder.conf file, and also added:

            set("${MSGHDR}"    value(".eventv1.msghdr")       condition("${.eventv1.msghdr}" eq ""));

to the rewrite block.

(syslog-ng treats the CEF: part of the message as the message header (normally programname[pid]), so the rest of the message otherwise gets handled as just 0|A10|CFW|...)
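
The header split described above is easy to reproduce in a consumer-side test. The following parser is an added example written for this thread; it is not code from the cgn-ec project, from this PR, or from pycef. It re-joins the "CEF:" token that syslog-ng moved into MSGHDR with the "0|A10|CFW|..." remainder in MESSAGE, then parses the seven CEF header fields (honouring the \| and \\ escapes) and the key=value extension (honouring \= and \\). The vendor/product values follow the thread; every other value in the sample message is constructed, including the signature ID 100, whose meaning is not defined here.

```python
"""Minimal CEF parser for a syslog-ng -> Kafka consumer (added example).

Handles the syslog-ng quirk from the thread: "CEF:" is parsed as the program
name (MSGHDR), so MESSAGE arrives as "0|A10|CFW|..." and must be rejoined.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CEF_HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# An extension key starts the string or follows whitespace; an escaped "\="
# inside a value is never preceded by a key-character run, so it is skipped.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict[str, str] = field(default_factory=dict)


def rejoin_syslog_ng_message(msghdr: str, message: str) -> str:
    """Undo the MSGHDR split: if the header token is "CEF:" and MESSAGE lost
    the prefix, glue it back on; otherwise return MESSAGE unchanged."""
    if msghdr.strip().upper() == "CEF:" and not message.startswith("CEF:"):
        return "CEF:" + message
    return message


def _split_header(raw: str) -> list[str]:
    """Split on unescaped '|'; the text after the 7th '|' is the extension."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw) and raw[i + 1] in "|\\":
            buf.append(raw[i + 1])  # header escapes: \| and \\
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == 7:
                fields.append(raw[i + 1:])  # extension kept verbatim
                return fields
            i += 1
            continue
        buf.append(c)
        i += 1
    fields.append("".join(buf))
    return fields


def _parse_extension(ext: str) -> dict[str, str]:
    """key=value pairs; values may contain spaces, '=' is escaped as '\\='."""
    keys = list(_EXT_KEY.finditer(ext))
    out: dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", value)
    return out


def parse_cef(raw: str) -> CefEvent:
    if not raw.startswith("CEF:"):
        raise ValueError("not a CEF message (missing 'CEF:' prefix)")
    parts = _split_header(raw[len("CEF:"):])
    if len(parts) < 7:
        raise ValueError(f"CEF header has {len(parts)} fields, expected 7")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    extension = _parse_extension(parts[7]) if len(parts) > 7 else {}
    return CefEvent(**header, extension=extension)


# Constructed sample in the shape syslog-ng hands over: MSGHDR holds "CEF:",
# MESSAGE the remainder. Only "A10" / "CFW" come from the thread.
SAMPLE_MSGHDR = "CEF:"
SAMPLE_MESSAGE = (
    "0|A10|CFW|1.0|100|Example Name \\| with pipe|5|"
    "src=192.0.2.10 spt=40000 dst=198.51.100.7 dpt=443 proto=TCP "
    "msg=key\\=value inside "
)


def demo() -> CefEvent:
    return parse_cef(rejoin_syslog_ng_message(SAMPLE_MSGHDR, SAMPLE_MESSAGE))


if __name__ == "__main__":
    ev = demo()
    print(ev.device_vendor, ev.device_product, ev.signature_id, repr(ev.name))
    for k, v in ev.extension.items():
        print(f"  {k} = {v}")
```

A consumer that only checks `message.startswith("CEF:")` will silently drop every event once syslog-ng has moved the prefix into MSGHDR, which is why the rejoin step (or the `set("${MSGHDR}" ...)` rewrite on the producer side) is needed.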

@BSpendlove (Contributor) commented

Hey @ShaneMcC,

I've released v0.8.0 of the consumer to handle the CEF parsing (with the partition/VRF support).

It will, however, require API v0.5.0 (which fixes the return types for the VRF from int to str), and also a manual ALTER of the TimescaleDB tables' vrf_id column to VARCHAR.

Let me know when you get the chance to test this out. I've run it against a virtual A10 VM with LSN configured in EVE-NG and everything appears to be working as expected for my 1 client.
