add_field

Each add_field has some parameters:

Type - The type of the add_field command. This parameter has these possible values:
- Index - Part of the regular expression will be extracted as the field. The field_index value denotes which part will be extracted (see field_index bullet).
- Const - Add a constant field whose value does not depend on information extracted from the regular expression. See field_value bullet.

Field_name - the name of the new field. There are some fields, which have corresponding columns in SmartConsole Logs & Monitor > Logs. This table shows the names to give these fields to show in their Logs & Monitor > Logs column (and not in the Information field, where other added fields appear):

Field Name to be Given	Column in Logs & Monitor > Logs
`Src`	Source
`Dst`	Destination
`proto`	Protocol
`s_port`	Source Port
`product`	Product
`service`	Service (when resolved includes the port and protocol.)
`Action`	Action
`ifname`	Interface
`User`	User

When you name the above fields accordingly, they are placed in their correct column in Logs & Monitor > Logs. This enables them to participate in all filtering done on these columns. These fields automatically take part in existing event definitions with these field names.

Field_type - the type of the field in the log. This table shows the possible field types.

Field Type	Comment
`int`
`uint`
`string`
`ipaddr`	For IP addresses used with the Src and Dst fields.
`pri`	Includes the facility and severity of a syslog.
`timestmp`	Includes the date and time of the syslog. Supports the format 'Oct 10 2004 15:05:00'.
`time`	Supports the format '15:05:00'.
`string_id`	For a more efficient usage of strings. Used when there is a finite number of possible values for this field.
`action`	Supports these actions: drop, reject, accept, encrypt, decrypt, vpnroute, keyinst, authorize, deauthorize, authcrypt, and default.
`ifdir`	0 - inbound 1 - outbound
`ifname`	For an interface name (used with the "ifname" field).
`protocol`	The field name should be "proto".
`port`	For "service", "s_port" or "port" fields.

The field type of the field names in this table must be as mentioned:

Field Name	Field Type
`Src`	ipaddr
`Dst`	ipaddr
`proto`	protocol
`s_port`	port
`service`	port
`Action`	action
`ifname`	ifname

field_index or field_value - The parameter used depends on the value of the "type" field. If it is index, field_index shows. If it is const, field_value shows.
field_index denotes which part of the regular expression is extracted, according to the grouping of the patterns. To make this grouping, write a certain expression in brackets. In this expression, the number in field_index denotes the bracket number whose pattern is taken into account.

Add_field Command Sample

:command (
     :cmd_name (try)
     :parse_from (last_position)
     :regexp ("Failed password for ([a-zA-Z0-9]+) from
([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port ([0-9]+)")
     :add_field (
        :type (index)
        :field_name (User)
        :field_type (string)
        :field_index (1)
     )
     :add_field (
        :type (index)
        :field_name (Src)
        :field_type (ipaddr)
        :field_index (2)
     )
     :add_field (
        :type (index)
        :field_name (port)
        :field_type (port)
        :field_index (3)
     )
)

The pattern for the User, [a-zA-Z0-9]+, is located in the first pair of brackets. Therefore, the field_index is one. The pattern for the Source address, [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+, is located in the second pair of brackets. Therefore, the index is two. The pattern for the port is in the third pair of brackets.

In each parsed regular expression the maximum number of brackets must be up to nine. To extract more than nine elements from the regular expression, break the expression into two pieces. The first regular expression contains the first nine brackets. The remaining of the regular expression is in the on_success command.

:command (
:cmd_name (try)
:parse_from (start_position)
:regexp ("access-list (.*) (permitted|denied|est-allowed)
([a-zA-Z0-9_\([a-zA-Z0-9_\\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) -> ")
:add_field (
:type (index)
:field_name (listID)
:field_type (string)
:field_index (1)
)
:add_field (
:type (index)
:field_name (action)
:field_type (action)
:field_index (2)
)
:add_field (
:type (index)
:field_name (proto)
:field_type (protocol)
:field_index (3)
)
:add_field (
:type (index)
:field_name (ifname)
:field_type (ifname)
:field_index (4)
)
:add_field (
:type (index)
:field_name (Src)
:field_type (ipaddr)
:field_index (5)
)
:on_success (
:command (
:cmd_name (try)
:parse_from (last_position)
:regexp
("([a-zA-Z0-9_\\.[0-9]+\.[0-9]+\.[0-9]+)\(([0-9]*)\) hit-cnt ([0-9]+) ")
:add_field (
:type (index)
:field_name (destination_interface)
:field_type (string)
:field_index (1)
)
)
)
)

field_value is the constant value to be added.

:command (
      :cmd_name (try)
      :parse_from (last_position)
      :regexp ("%PIX-([0-9])-([0-9]*)"))
      :add_field (
             :type (const)
             :field_name (product)
             :field_type (string_id)
             :field_value ("CISCO PIX")
      )
)

Dict_name is the name of the dictionary to use to convert the value. If the value is not found in the dictionary, the value is the result. See Dictionary.