Asa

105010

Vendor: Cisco
Type: 105010
Subtype: 105010
OCSF Version: 1.4.0
Created by: Fleak Team

Templates provide pre-built configurations for transforming common log formats into OCSF. They save you time by handling the complex mapping logic for popular security tools and services.

Parser Configuration

The parser transforms raw log data into structured fields. This step is necessary because OCSF needs specific information in a standardized format, and most logs don't provide this structure by default. To define these transformation rules, the configuration below uses Fleak's Log Parsing Syntax. This syntax lets you specify how to extract structured data from raw log text - identifying and capturing specific pieces of information like timestamps, IP addresses, usernames, or error codes from unstructured log messages. The parser can handle various log formats including syslog, Windows events, and custom patterns. Once parsed, the extracted fields become available for mapping to OCSF format using the mapping configuration below.

[
  {
    "targetField": "__raw__",
    "removeTargetField": true,
    "extractionConfig": {
      "type": "grok",
      "grokExpression": "%{GREEDYDATA:timestamp} %{HOSTNAME:hostname} %{DATA:program}\\[%{POSINT:pid}\\]: %ASA-%{INT:level}-%{INT:message_number}: \\(Primary\\) Failover message block alloc failed."
    }
  }
]

Mapping Configuration

The mapping configuration transforms parsed log fields into OCSF format. This step is required to convert your specific log structure into OCSF's standardized schema. To define these field mappings, the configuration below uses the Fleak Eval Expression Language (FEEL). This language lets you specify how to transform data from Cisco 105010 logs into OCSF fields - converting timestamps to standard formats, restructuring nested data, and applying conditional logic to determine field values.

dict(
  time=ts_str_to_epoch($.timestamp, 'MMM dd yyyy HH:mm:ss'),
  status=case(
    $.message_number == '105010' => 'Failure',
    _ => 'Unknown'
  ),
  message=case(
    $.message_number == '105010' => 'Failover message block alloc failed.',
    _ => null
  ),
  metadata=dict(
    product=dict(
      name='Cisco ASA',
      vendor_name='Cisco'
    ),
    version='1.4.0',
    log_level=case(
      $.level == '3' => 'ERROR',
      _ => $.level
    ),
    event_code=$.message_number,
    log_provider='CiscoASA'
  ),
  type_uid=6008 * 100 + case($.message_number == '105010' => 1, _ => 99),
  class_uid=6008,
  status_id=case(
    $.message_number == '105010' => 2,
    _ => 0
  ),
  activity_id=case($.message_number == '105010' => 1, _ => 99),
  severity_id=case(
    $.level == '3' => 3,
    _ => 0
  ),
  status_code=$.message_number,
  category_uid=6,
  status_detail=case(
    $.message_number == '105010' => 'Failover message block alloc failed',
    _ => null
  ),
  timezone_offset=0
)
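As an added example (not Fleak's code and not part of this template), the parse and mapping steps above carried out in Python on a constructed log line, so the OCSF fields the template produces can be inspected and checked. The regex approximates the grok patterns, and ts_str_to_epoch is assumed to return UTC epoch milliseconds.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the shape the template's grok expression expects
# (syslog header, then the ASA message); not a real capture.
SAMPLE = ("Jan 15 2024 10:30:45 fw01 asa[1234]: %ASA-3-105010: "
          "(Primary) Failover message block alloc failed.")

# Plain-regex approximation of the grok expression: GREEDYDATA -> .*,
# HOSTNAME -> [\w.-]+, DATA -> .*?, POSINT/INT -> \d+ (grok's patterns are wider).
ASA_105010 = re.compile(
    r"^(?P<timestamp>.*) (?P<hostname>[\w.-]+) (?P<program>.*?)\[(?P<pid>\d+)\]: "
    r"%ASA-(?P<level>\d+)-(?P<message_number>\d+): "
    r"\(Primary\) Failover message block alloc failed\.$")

def parse(line):
    """Grok fields as a dict, or None when the line is not this 105010 event."""
    m = ASA_105010.match(line)
    return m.groupdict() if m else None

def to_ocsf(fields):
    """Python rendering of the FEEL mapping; time is assumed to be UTC epoch ms."""
    ts = datetime.strptime(fields["timestamp"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    hit = fields["message_number"] == "105010"
    class_uid = 6008
    activity_id = 1 if hit else 99   # OCSF rule: type_uid == class_uid * 100 + activity_id
    return {
        "time": int(ts.timestamp() * 1000),   # timezone_offset=0, so treat as UTC
        "status": "Failure" if hit else "Unknown",
        "status_id": 2 if hit else 0,
        "status_code": fields["message_number"],
        "status_detail": "Failover message block alloc failed" if hit else None,
        "message": "Failover message block alloc failed." if hit else None,
        "metadata": {
            "product": {"name": "Cisco ASA", "vendor_name": "Cisco"},
            "version": "1.4.0",
            "log_level": "ERROR" if fields["level"] == "3" else fields["level"],
            "event_code": fields["message_number"],
            "log_provider": "CiscoASA",
        },
        "category_uid": 6,
        "class_uid": class_uid,
        "activity_id": activity_id,
        "type_uid": class_uid * 100 + activity_id,
        "severity_id": 3 if fields["level"] == "3" else 0,
        "timezone_offset": 0,
    }
```

A line that does not match the parser (a different ASA message number, or a different syslog header shape) yields None from parse, which is the case to watch for when validating the grok expression against your own collector's output.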

Template ID: 650329aa-d619-4a78-b678-d84c285eb333

Text Mapping: Yes
