Dictionary

The free text parser can use dictionaries to convert values taken from the log. These conversions translate values that have the same meaning but are written differently by different devices into one common value, and it is this common value that is used in the event definitions (an event is a record of a security or network incident that is based on one or more logs and on a customizable set of rules defined in the Event Policy).

Each dictionary is defined in an .ini file. In the .ini file, a section name is a dictionary name, each key in the section is a value as it appears in the log, and the key's value is the common value it is translated to. One .ini file can hold several dictionaries, one per section.

[dictionary_name]
Name1 = val1
Name2 = val2

For example, the following two sections map the Cisco and 3Com action strings to the common values accept and reject:

[cisco_action]
permitted = accept
denied = reject

[3com_action]
Permit = accept
Deny = reject

Example

The reference to a dictionary in the parsing file is shown in the following parsing-file command. The regular expression captures the action string (permitted or denied) in its second group, and the add_field command takes that group (field_index 2) and translates it through the cisco_action dictionary into the common action field:

:command (
      :cmd_name (try)
      :parse_from (start_position)
      :regexp ("list (.*) (permitted|denied) (icmp) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet")
      :add_field (
            :type (index)
            :field_name (action)
            :field_type (action)
            :field_index (2)
            :dict_name (cisco_action)
      )
)
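As an added worked example (not code from the original page or from the product's own parser), the following Python reads the two dictionary sections above with configparser, applies the Cisco rule from the parsing-file example to constructed log lines, and translates the captured action string into the common value. It also adds a second, made-up 3Com-style rule to show two devices converging on the same action field. The 3Com regular expression, the sample log lines, and the pass-through of a value that is missing from a dictionary are assumptions for illustration; the page does not state how the parser handles an unmapped value.

```python
import configparser
import re

# Constructed dictionary file containing the two sections shown on the page.
DICT_INI = """\
[cisco_action]
permitted = accept
denied = reject

[3com_action]
Permit = accept
Deny = reject
"""

# Rules mirroring the :command / :add_field structure of the parsing file.
# The Cisco regexp is the one from the page; the 3Com rule is an assumption
# made up for this example.
RULES = [
    {
        "cmd_name": "cisco_acl",
        "regexp": r"list (.*) (permitted|denied) (icmp) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
                  r" -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* packet",
        "add_fields": [
            {"field_name": "action", "field_index": 2, "dict_name": "cisco_action"},
            {"field_name": "src", "field_index": 4},
            {"field_name": "dst", "field_index": 5},
        ],
    },
    {
        "cmd_name": "3com_acl",
        "regexp": r"(\w+) (\S+) from ([0-9.]+) to ([0-9.]+)",
        "add_fields": [
            {"field_name": "action", "field_index": 1, "dict_name": "3com_action"},
            {"field_name": "src", "field_index": 3},
            {"field_name": "dst", "field_index": 4},
        ],
    },
]

# Constructed log lines, not captured from real devices.
SAMPLE_LOGS = [
    "list 101 denied icmp 10.1.1.5 -> 192.168.0.9 (3/0), 1 packet",
    "Permit tcp from 172.16.4.2 to 10.0.0.7",
    "list 101 permitted icmp 10.1.1.5 -> 192.168.0.9 (8/0), 1 packet",
    "Deny udp from 172.16.4.2 to 10.0.0.53",
    "Reject tcp from 172.16.4.2 to 10.0.0.7",   # action string missing from 3com_action
    "some unrelated line",
]


def load_dictionaries(ini_text):
    """Return {dictionary_name: {log_value: common_value}} from .ini text."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case; configparser lowercases keys by default
    cp.read_string(ini_text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def translate(dictionaries, dict_name, raw):
    """Map a raw log value through the named dictionary."""
    if dict_name not in dictionaries:
        raise KeyError(f"parsing file references unknown dictionary {dict_name!r}")
    # Assumption: an unmapped value is passed through unchanged. That leaves a
    # vendor-specific string in the event, so unmapped_actions() reports it.
    return dictionaries[dict_name].get(raw, raw)


def apply_rule(line, rule, dictionaries):
    """Apply one 'try' command: regexp match, then add_field for each group."""
    m = re.search(rule["regexp"], line)
    if m is None:
        return None
    fields = {}
    for f in rule["add_fields"]:
        raw = m.group(f["field_index"])
        fields[f["field_name"]] = translate(dictionaries, f["dict_name"], raw) if "dict_name" in f else raw
    return fields


def parse_line(line, rules=RULES, dictionaries=None):
    """Try each rule in order; the first rule whose regexp matches wins."""
    if dictionaries is None:
        dictionaries = load_dictionaries(DICT_INI)
    for rule in rules:
        fields = apply_rule(line, rule, dictionaries)
        if fields is not None:
            return fields
    return None


def unmapped_actions(lines, rules=RULES, dictionaries=None):
    """Parsed lines whose action is not one of the common dictionary values."""
    if dictionaries is None:
        dictionaries = load_dictionaries(DICT_INI)
    common = {v for d in dictionaries.values() for v in d.values()}
    return [(line, f["action"]) for line in lines
            if (f := parse_line(line, rules, dictionaries)) and f["action"] not in common]


if __name__ == "__main__":
    dicts = load_dictionaries(DICT_INI)
    for line in SAMPLE_LOGS:
        print(f"{line!r:66} -> {parse_line(line, RULES, dicts)}")
    for line, action in unmapped_actions(SAMPLE_LOGS, RULES, dicts):
        print(f"WARNING: action {action!r} is not in any dictionary: {line!r}")
```

Both the Cisco line with denied and the 3Com line with Deny come out with action reject, which is the point of the dictionary: the event definitions only ever see accept or reject. The unmapped_actions() check is the kind of sanity test worth running after adding a new device, because a log value that is absent from its dictionary never reaches the common vocabulary and silently falls outside any rule written against it.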