Dictionary

The free text parser lets you use dictionaries to convert values taken from the log. These conversions translate values that have the same meaning, but come from the logs of different devices, into one common value, which is then used in the event definitions.

Each dictionary file is an .ini file. In the .ini file, the section name is the dictionary name and the entries of the section are the dictionary values (each dictionary file can include one or more sections).

[dictionary_name]
Name1 = val1
Name2 = val2

Dictionary Sample:

[cisco_action]
permitted = accept
denied    = reject

[3com_action]
Permit    = accept
Deny      = reject

The reference to a dictionary in the parsing file (the :dict_name argument of :add_field) is shown in this sample:

Dictionary Command Sample 2

:command (
      :cmd_name (try)
      :parse_from (start_position)
      :regexp ("list (.*) (permitted|denied) (icmp) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet")
      :add_field (
              :type (index)
              :field_name (action)
              :field_type (action)
              :field_index (2)
              :dict_name (cisco_action)
      )
)
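As an added example (not code from the Check Point page or product), the lookup that the .ini sample and the command sample together describe, in Python: the .ini sections are loaded as dictionaries, the page's cisco regexp selects group 2 as the raw action, and the dictionary maps it to the common value. The 3Com-style regexp and all log lines are constructed for this example, and passing an unmapped raw value through unchanged is an assumption, not documented behaviour.

```python
import configparser
import re

# Constructed dictionary file in the page's .ini layout (not a shipped product file).
DICT_INI = """
[cisco_action]
permitted = accept
denied = reject

[3com_action]
Permit = accept
Deny = reject
"""

def load_dictionaries(text):
    """Parse .ini text: section name -> dictionary name, keys -> raw log values.
    optionxform=str keeps key case, because the sample uses both 'denied' and 'Deny'."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

# The page's cisco regexp; field_index (2) is the (permitted|denied) group.
CISCO_RE = re.compile(r"list (.*) (permitted|denied) (icmp) "
                      r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet")
# Hypothetical 3Com-style rule, assumed here only to exercise the second dictionary.
THREECOM_RE = re.compile(r"ACL (Permit|Deny) (icmp) ([0-9.]+) -> ([0-9.]+)")

# One (regexp, field_index, dict_name) triple per device, mirroring :add_field.
RULES = [(CISCO_RE, 2, "cisco_action"), (THREECOM_RE, 1, "3com_action")]

def normalize_action(line, dictionaries, rules=RULES):
    """Return the common 'action' value for one log line, or None if no rule matches.
    A raw value missing from the dictionary is returned unchanged (assumption)."""
    for regexp, field_index, dict_name in rules:
        m = regexp.search(line)
        if m:
            raw = m.group(field_index)
            return dictionaries[dict_name].get(raw, raw)
    return None

# Constructed sample log lines, one pair per device format.
SAMPLE_LINES = [
    "list 102 denied icmp 10.1.1.5 -> 10.2.2.9, 1 packet",
    "list 102 permitted icmp 10.1.1.5 -> 10.2.2.9, 1 packet",
    "ACL Deny icmp 192.0.2.7 -> 198.51.100.3",
    "ACL Permit icmp 192.0.2.7 -> 198.51.100.3",
]

if __name__ == "__main__":
    dicts = load_dictionaries(DICT_INI)
    for line in SAMPLE_LINES:
        print(normalize_action(line, dicts), "<-", line)
```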