
Add some support for CEF-Style logging for A10 Thunder appliances. (#19 / #17) #22

Status: Open, wants to merge 2 commits into main

Conversation

@ShaneMcC commented May 7, 2025

This adds a dependency on https://github.com/DavidJBianco/pycef for parsing the CEF message, and does also require some changes to the syslog-ng config (which I'll submit as a separate PR to https://github.com/veesix-networks/cgn-ec)

One thing that's not quite handled correctly here yet is that A10 VRFs are named not numbered, and this is named as part of the host field in the syslog entry, so I'm overriding parse_message to also give access to the host_name but this ends up being thrown away currently as vrf_id is numeric-only in the database.

I also don't yet implement all the possible event types, I only have 100/101/106/107 in my logs, so unsure how 102/103/104/105 are presented. I assume at least 1 pair of these is for NAT Session Created/Deleted.

@ShaneMcC (Author) commented May 7, 2025

Ah, since I started on this the upstream project has changed slightly to move the syslog producer to a separate repo so the changes I've made so far aren't compatible. I'll review and change these.

Essentially I added:

filter f_a10_thunder_cef_msg {
    # match() uses PCRE by default, where '|' means alternation and '|A10|' would
    # match every message; the pipes are escaped so the filter only passes A10 CEF events
    match('CEF:', value("MSGHDR")) and match('\|A10\|', value("MESSAGE"));
};

log {
    source(s_net);
    filter(f_a10_thunder_cef_msg);
    destination(d_kafka_a10_thunder);
};

to the producer/syslog/cgn-ec.conf.d/a10-thunder.conf file, and also added:

set("${MSGHDR}" value(".eventv1.msghdr") condition("${.eventv1.msghdr}" eq ""));

to rewrite block.

(syslog-ng treats the CEF: part of the message as the message header (normally programname[pid]), so the rest of the message otherwise gets handled as just 0|A10|CFW|...)
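The split described above (MSGHDR carrying `CEF:` and MESSAGE carrying `0|A10|CFW|...`) is the input the consumer has to reassemble before parsing. The following is an added, self-contained example and not code from this PR, from pycef, or from cgn-ec: it reassembles the two syslog-ng fields, splits the seven CEF header fields on unescaped pipes, parses the extension key/value pairs with CEF unescaping, and carries the syslog host name alongside the record (the thread notes that A10 VRF names arrive in the host field). The sample message is constructed; only the `A10`/`CFW` vendor and product strings come from the thread, and the event class id `100`, version and extension values are placeholders, not a claim about what A10 emits.

```python
import re
from typing import Dict, List, Tuple

# The seven pipe-separated CEF header fields, in order; the first carries "CEF:<version>".
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# An extension key looks like "key=" at the start of the extension or after whitespace;
# its value runs up to the next key, so spaces inside values are preserved.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")


def _unescape(value: str, header: bool) -> str:
    """Undo CEF escaping. Header fields escape '|' and '\\'; extension values escape '=', '\\', \\n and \\r."""
    literal = "|\\" if header else "=\\"
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in literal:
                out.append(nxt)
                i += 2
                continue
            if not header and nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|'; everything after the 7th pipe is the extension.

    Pipes inside the extension are literal and must not be split on, which is why a plain
    str.split('|') is not good enough for CEF.
    """
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])  # keep the escape pair; _unescape resolves it later
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-separated fields")
    return [_unescape(f, header=True) for f in fields], line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'k1=v1 k2=v2 ...' into a dict, applying CEF extension unescaping to each value."""
    out: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip(), header=False)
    return out


def parse_a10_cef(msghdr: str, message: str, host_name: str = "") -> Dict[str, str]:
    """Reassemble a CEF line that syslog-ng split into MSGHDR ('CEF:') and MESSAGE ('0|A10|...'), then parse it.

    host_name is passed through unchanged so a VRF name carried in the syslog host field
    stays available to the caller (the PR notes the database column is numeric-only today).
    """
    line = message if message.startswith("CEF:") else msghdr.strip() + message.lstrip()
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, ext = split_header(line)
    record = dict(zip(HEADER_FIELDS, header))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    record.update(parse_extension(ext))
    record["host_name"] = host_name
    return record


# Constructed sample of what syslog-ng hands over after the split described in the thread.
SAMPLE_MSGHDR = "CEF:"
SAMPLE_MESSAGE = ("0|A10|CFW|x.y.z|100|Sample event (constructed)|5|"
                  "src=10.0.0.5 spt=51234 sourceTranslatedAddress=203.0.113.7 "
                  "sourceTranslatedPort=40001 dst=198.51.100.9 dpt=443 proto=TCP "
                  "msg=pipes | and a\\=b are literal here")

if __name__ == "__main__":
    for k, v in parse_a10_cef(SAMPLE_MSGHDR, SAMPLE_MESSAGE, host_name="thunder-vrf-example").items():
        print(f"{k}={v!r}")
```

The header splitter stops after the seventh pipe on purpose: CEF only escapes pipes in the header, so a `msg=` value containing `|` would be corrupted by a naive split. The same applies in reverse for `=` in the extension, which is why the two unescape rules differ.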

@BSpendlove (Contributor) commented

Hey @ShaneMcC

I've released v0.8.0 of the consumer to handle the CEF parsing (with the partition/vrf support)

It will however require the api v0.5.0 (which fixes the return types for the vrf from int to str), and also a manual alter of the timescaledb tables vrf_id to VARCHAR

Let me know when you get the chance to test this out, I've run it against a virtual A10 vm with LSN configured in eve-ng and everything appears to be working as expected for my 1 client
