Documentation ¶
Index ¶
- func ParseMessageCSV(log string, iselogmessage *LogMessage) (err error)
- type AssignmentFailure
- type CiscoAVPair
- type DropDown
- type DropDownMap
- type EAPPEAPAllowedProtocolsLog
- type EventLog
- type HostLookupAllowedProtocolsLog
- type IseLogAccessService
- type IseLogEvent
- type LogMessage
- type MDMTLV
- type MessageDetails
- type PAPAllowedProtocolsLog
- type ParseError
- type TypeMismatch
- type UnprocessableMessageFailure
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ParseMessageCSV ¶
func ParseMessageCSV(log string, iselogmessage *LogMessage) (err error)
ParseMessageCSV consumes the CSV-formatted text used in the message field of a CISCO ISE log and populates the given LogMessage struct with the information it contains.
Types ¶
type AssignmentFailure ¶
AssignmentFailure occurs when we fail to assign a value through reflection.
func (*AssignmentFailure) Error ¶
func (a *AssignmentFailure) Error() string
type CiscoAVPair ¶
type CiscoAVPair struct {
	MDMTLV *MDMTLV `json:",omitempty"`
	AuditSessionID *string `json:",omitempty"`
	SourceIP *string `json:",omitempty"`
	COAPush *string `json:",omitempty"`
	ProfileName *string `json:",omitempty"`
	MDNS *string `json:",omitempty"`
	ConnectProgress *string `json:",omitempty"`
	DiscCauseExt *string `json:",omitempty"`
	Method *string `json:",omitempty"`
	ServiceType *string `json:",omitempty"`
}
CiscoAVPair contains subfields derived from the cisco-av-pair field of an ISE log's message CSV content.
type DropDown ¶
DropDown is a linked list used to describe data that follows a dropdown struct. Ex. All vegetables -> Orange vegetables -> Carrots
type DropDownMap ¶
DropDownMap is a map of strings to DropDown objects. Ex. {Vegetables: All vegetables -> Orange vegetables -> Carrots, Fruits: All Fruits -> Red fruits -> Apples}
func (*DropDownMap) String ¶
func (n *DropDownMap) String() string
String stringifies a DropDownMap.
type EAPPEAPAllowedProtocolsLog ¶
type EAPPEAPAllowedProtocolsLog struct {
	AccessService string `json:"access_service,omitempty"`
	AccountingAuthentication string `json:"accounting_authentication,omitempty"`
	AccountingSessionID string `json:"accounting_session_id,omitempty"`
	AccountingStatusType string `json:"accounting_status_type,omitempty"`
	AcsSessionID string `json:"acs_session_id,omitempty"`
	Aggregator string `json:"aggregator,omitempty"`
	AuditSessionID string `json:"audit_session_id,omitempty"`
	BusinessUnit string `json:"business_unit,omitempty"`
	CalledStationID string `json:"called_station_id,omitempty"`
	Dest string `json:"dest,omitempty"`
	DeviceType string `json:"device_type,omitempty"`
	Duration string `json:"duration,omitempty"`
	Env string `json:"env,omitempty"`
	EventType string `json:"eventtype,omitempty"`
	Host string `json:"host,omitempty"`
	Hostname string `json:"hostname,omitempty"`
	Location string `json:"location,omitempty"`
	Logtype string `json:"logtype,omitempty"`
	Message LogMessage `json:"message,omitempty"`
	Mnemonic string `json:"mnemonic,omitempty"`
	NasIdentifier string `json:"nas_identifier,omitempty"`
	NasIPAddress string `json:"nas_ip_address,omitempty"`
	NasPort string `json:"nas_port,omitempty"`
	NasPortType string `json:"nas_port_type,omitempty"`
	NetworkDeviceName string `json:"network_device_name,omitempty"`
	NetworkDeviceProfile string `json:"network_device_profile,omitempty"`
	Notice string `json:"notice,omitempty"`
	ServiceType string `json:"service_type,omitempty"`
	Signature string `json:"signature,omitempty"`
	Src string `json:"src,omitempty"`
	Time time.Time `json:"time,omitempty"`
	TunnelMediumType string `json:"tunnel_medium_type,omitempty"`
	TunnelPrivateGroupID string `json:"tunnel_private_group_id,omitempty"`
	TunnelType string `json:"tunnel_type,omitempty"`
	User string `json:"user,omitempty"`
	WlanID string `json:"wlan_id,omitempty"`
}
EAPPEAPAllowedProtocolsLog is a struct for EAPPEAPAllowedProtocols CISCO ISE logs.
type EventLog ¶
type EventLog interface{}
EventLog will be either a PAP Allowed Protocol, Host Lookup Allowed Protocol, or EAP-PEAP Allowed Protocol Log.
type HostLookupAllowedProtocolsLog ¶
type HostLookupAllowedProtocolsLog struct {
	AccessService string `json:"access_service,omitempty"`
	AccountingAuthentication string `json:"accounting_authentication,omitempty"`
	AccountingSessionID string `json:"accounting_session_id,omitempty"`
	AccountingStatusType string `json:"accounting_status_type,omitempty"`
	AcsSessionID string `json:"acs_session_id,omitempty"`
	Aggregator string `json:"aggregator,omitempty"`
	AuditSessionID string `json:"audit_session_id,omitempty"`
	AuthIDStore string `json:"auth_id_store,omitempty"`
	AuthMethod string `json:"auth_method,omitempty"`
	AuthcStatus string `json:"authc_status,omitempty"`
	AuthzPolicyRule string `json:"authz_policy_rule,omitempty"`
	AuthzProfile string `json:"authz_profile,omitempty"`
	BusinessUnit string `json:"business_unit,omitempty"`
	CalledStationID string `json:"called_station_id,omitempty"`
	Dest string `json:"dest,omitempty"`
	DestIP string `json:"dest_ip,omitempty"`
	DestPort string `json:"dest_port,omitempty"`
	DeviceType string `json:"device_type,omitempty"`
	Duration string `json:"duration,omitempty"`
	EndpointMacAddress string `json:"endpoint_mac_address,omitempty"`
	EndpointProfile string `json:"endpoint_profile,omitempty"`
	Env string `json:"env,omitempty"`
	EventTimestamp string `json:"event_timestamp,omitempty"`
	EventType string `json:"eventtype,omitempty"`
	FramedMtu string `json:"framed_mtu,omitempty"`
	Host string `json:"host,omitempty"`
	HostIdentityGroup string `json:"host_identity_group,omitempty"`
	Hostname string `json:"hostname,omitempty"`
	IdentifyPolicyRule string `json:"identify_policy_rule,omitempty"`
	IsePolicySet string `json:"ise_policy_set,omitempty"`
	Location string `json:"location,omitempty"`
	Logtype string `json:"logtype,omitempty"`
	Message LogMessage `json:"message,omitempty"`
	Mnemonic string `json:"mnemonic,omitempty"`
	NasIdentifier string `json:"nas_identifier,omitempty"`
	NasIPAddress string `json:"nas_ip_address,omitempty"`
	NasPort string `json:"nas_port,omitempty"`
	NasPortType string `json:"nas_port_type,omitempty"`
	NetworkDeviceName string `json:"network_device_name,omitempty"`
	NetworkDeviceProfile string `json:"network_device_profile,omitempty"`
	Notice string `json:"notice,omitempty"`
	PostureAssessment string `json:"posture_assessment,omitempty"`
	Protocol string `json:"protocol,omitempty"`
	RadiusFlowType string `json:"radius_flow_type,omitempty"`
	RadiusStepData string `json:"radius_step_data,omitempty"`
	Response string `json:"response,omitempty"`
	SelectedAuthIDStore string `json:"selected_auth_id_store,omitempty"`
	SelectionRuleMatch string `json:"selection_rule_match,omitempty"`
	ServiceType string `json:"service_type,omitempty"`
	Signature string `json:"signature,omitempty"`
	Src string `json:"src,omitempty"`
	Ssid string `json:"ssid,omitempty"`
	Time time.Time `json:"time,omitempty"`
	TunnelMediumType string `json:"tunnel_medium_type,omitempty"`
	TunnelPrivateGroupID string `json:"tunnel_private_group_id,omitempty"`
	TunnelType string `json:"tunnel_type,omitempty"`
	User string `json:"user,omitempty"`
	UserCategory string `json:"user_category,omitempty"`
	WlanID string `json:"wlan_id,omitempty"`
}
HostLookupAllowedProtocolsLog is a struct for HostLookupAllowedProtocols CISCO ISE logs.
type IseLogAccessService ¶
IseLogAccessService contains the AccessService, which will determine the shape of the EventLog.
func (*IseLogAccessService) UnmarshalJSON ¶
func (iseLog *IseLogAccessService) UnmarshalJSON(data []byte) error
UnmarshalJSON for *IseLogAccessService
type IseLogEvent ¶
type IseLogEvent int
IseLogEvent is the type for the pseudo-enum describing various ISE log events.
const (
	RADIUSAccountingStartRequest IseLogEvent = 3000
	RADIUSAccountingStopRequest IseLogEvent = 3001
	RADIUSAccountingWatchdogUpdate IseLogEvent = 3002
	AuthenticationSucceeded IseLogEvent = 5200
	AuthenticationFailed IseLogEvent = 5400
	SupplicantStoppedResponding IseLogEvent = 5411
	EndpointConductedFailedAuthentications IseLogEvent = 5434
	EndpointRestartedEAPSession IseLogEvent = 5440
	InfoProfilerEndpoint IseLogEvent = 80002
)
Event codes for Cisco ISE logs.
func StrToIseLogEvent ¶
func StrToIseLogEvent(event string) IseLogEvent
StrToIseLogEvent converts the text label of an ISE log's CSV message to an enum.
func (*IseLogEvent) String ¶
func (i *IseLogEvent) String() string
String converts an IseLogEvent enum into its associated text.
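Added example, not part of this package or its documentation: one way a detection job could use the AuthenticationFailed (5400) and AuthenticationSucceeded (5200) codes above, flagging endpoints that authenticate successfully after a run of failures. The event and finding types, successAfterFailures and sampleEvents are hypothetical; only the event codes and the field names EventType, EndPointMACAddress and UserName come from this page, and the records are constructed.

```go
package main

import "fmt"

// IseLogEvent repeats two of the page's event codes so the example compiles alone.
type IseLogEvent int

const (
	AuthenticationSucceeded IseLogEvent = 5200
	AuthenticationFailed    IseLogEvent = 5400
)

// event is a hypothetical, trimmed stand-in for a parsed LogMessage.
type event struct {
	EventType          IseLogEvent
	EndPointMACAddress string
	UserName           string
}

// finding is one endpoint that authenticated after a run of failures.
type finding struct {
	MAC      string
	User     string // user name on the successful authentication
	Failures int    // failures seen since the endpoint's previous success
}

// successAfterFailures reports endpoints whose success followed at least
// threshold failures with no success in between. Events must be in time order.
func successAfterFailures(events []event, threshold int) []finding {
	failures := map[string]int{}
	var out []finding
	for _, e := range events {
		mac := e.EndPointMACAddress
		if mac == "" {
			continue // cannot attribute the event to an endpoint
		}
		switch e.EventType {
		case AuthenticationFailed:
			failures[mac]++
		case AuthenticationSucceeded:
			if failures[mac] >= threshold {
				out = append(out, finding{MAC: mac, User: e.UserName, Failures: failures[mac]})
			}
			delete(failures, mac) // a success ends the run
		}
	}
	return out
}

// sampleEvents returns constructed records, not real ISE output.
func sampleEvents() []event {
	a, b := "AA-BB-CC-00-00-01", "AA-BB-CC-00-00-02"
	return []event{
		{AuthenticationFailed, a, "alice"}, {AuthenticationFailed, b, "carol"},
		{AuthenticationFailed, a, "bob"}, {AuthenticationSucceeded, b, "carol"},
		{AuthenticationFailed, a, "alice"}, {AuthenticationSucceeded, a, "alice"},
	}
}

func main() {
	for _, f := range successAfterFailures(sampleEvents(), 3) {
		fmt.Printf("%s: %d failures before success as %q\n", f.MAC, f.Failures, f.User)
	}
}
```

Other event codes, such as the RADIUS accounting events, neither extend nor reset a failure run in this sketch.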
type LogMessage ¶
type LogMessage struct {
	ADErrorDetails *string `json:",omitempty"`
	ADFetchHostName *string `json:",omitempty"`
	ADGroupsNames *string `json:",omitempty"`
	ADOperatingSystem *string `json:",omitempty"`
	ADUserCandidateIdentities *string `json:",omitempty"`
	ADUserDNSDomain *string `json:",omitempty"`
	ADUserJoinPoint *string `json:",omitempty"`
	ADUserNetBiosName *string `json:",omitempty"`
	ADUserQualifiedName *string `json:",omitempty"`
	ADUserResolvedDNS *string `json:",omitempty"`
	ADUserResolvedIdentities *string `json:",omitempty"`
	ADUserSamAccountName *string `json:",omitempty"`
	AKI *string `json:",omitempty"`
	AcctAuthentic *string `json:",omitempty"`
	AcctDelayTime *string `json:",omitempty"`
	AcctInputGigawords *string `json:",omitempty"`
	AcctOutputGigawords *string `json:",omitempty"`
	AcctInputOctets *string `json:",omitempty"`
	AcctInputPackets *string `json:",omitempty"`
	AcctOutputOctets *string `json:",omitempty"`
	AcctOutputPackets *string `json:",omitempty"`
	AcctSessionID *string `json:",omitempty"`
	AcctSessionTime *string `json:",omitempty"`
	AcctStatusType *string `json:",omitempty"`
	AcctTerminateCause *string `json:",omitempty"`
	AcsSessionID *string `json:",omitempty"` // Ex. syd-isepsn01/386885261/12111391
	AllowEasyWiredSession *bool `json:",omitempty"`
	AllowedProtocolMatchedRule *string `json:",omitempty"`
	AirespaceWlanID *string `json:",omitempty"`
	AuthenticationIdentityStore *string `json:",omitempty"`
	AuthenticationMethod *string `json:",omitempty"`
	AuthenticationStatus *string `json:",omitempty"`
	AuthorizationPolicyMatchedRule *string `json:",omitempty"`
	BusinessUnit *string `json:",omitempty"`
	BYODRegistration *string `json:",omitempty"`
	CPMSessionID *string `json:",omitempty"`
	CVPN3000ASAPIX7xClientType *string `json:",omitempty"`
	CVPN3000ASAPIX7xSessionSubtype *string `json:",omitempty"`
	CVPN3000ASAPIX7xSessionType *string `json:",omitempty"`
	CVPN3000ASAPIX7xTunnelGroupName *string `json:",omitempty"` // Ex. byod
	CalledStationID []string `json:",omitempty"`
	CacheUpdateTime *string `json:",omitempty"`
	CallingStationID []string `json:",omitempty"`
	ChargeableUserIdentity *string `json:",omitempty"`
	CiscoAVPair *CiscoAVPair `json:",omitempty"`
	Class []string `json:",omitempty"`
	Company *string `json:",omitempty"`
	ConfigVersionID *string `json:",omitempty"`
	CreateTime *string `json:",omitempty"`
	CurrentIDStoreName *string `json:",omitempty"`
	DC []string `json:",omitempty"`
	DeviceIdentifier *string `json:",omitempty"`
	DTLSSupport *string `json:",omitempty"`
	DaysToExpiry *string `json:",omitempty"`
	Department *string `json:",omitempty"`
	DevicePlatform *string `json:",omitempty"`
	DestinationIPAddress *string `json:",omitempty"`
	DestinationPort *string `json:",omitempty"`
	Description *string `json:",omitempty"`
	DetailedInfo *string `json:",omitempty"`
	DeviceIPAddress *string `json:",omitempty"` // Ex. 86.75.30.9
	DevicePort *string `json:",omitempty"`
	DeviceRegistrationStatus *string `json:",omitempty"`
	DeviceType *DropDown `json:",omitempty"` // Ex. All Device Types -> Cisco -> Firewall
	DistinguishedName *string `json:",omitempty"`
	EapAuthentication *string `json:",omitempty"`
	EapTunnel *string `json:",omitempty"`
	EAPKeyName *string `json:",omitempty"`
	EapChainingResult *string `json:",omitempty"`
	EmployeeID *string `json:",omitempty"`
	EndpointCertainityMetric *string `json:",omitempty"`
	EndpointIdentityGroup *string `json:",omitempty"`
	EndPointMACAddress *string `json:",omitempty"`
	EndPointMatchedProfile *string `json:",omitempty"`
	EndpointMatchedPolicy *string `json:",omitempty"` // Ex. Printer, Apple-Device
	EndpointPolicy *string `json:",omitempty"`
	EndPointPolicyID *string `json:",omitempty"`
	EndpointIPAddress *string `json:",omitempty"`
	EndpointNADAddress *string `json:",omitempty"`
	EndpointProperty *LogMessage `json:",omitempty"`
	EndpointOUI *string `json:",omitempty"` // Ex. Apple, INC
	EndpointSourceEvent *string `json:",omitempty"`
	EventTimestamp *string `json:",omitempty"`
	EventDescription *string `json:",omitempty"`
	EventType *IseLogEvent `json:",omitempty"`
	ExtendedKeyUsageName []string `json:",omitempty"`
	ExtendedKeyUsageOID []string `json:",omitempty"`
	ExternalGroups []string `json:",omitempty"`
	FailureReason *string `json:",omitempty"`
	FirstCollection *string `json:",omitempty"`
	FeedService *bool `json:",omitempty"`
	FramedIPAddress *string `json:",omitempty"`
	FramedMTU *string `json:",omitempty"`
	FramedProtocol *string `json:",omitempty"`
	HRDeviceDescription *string `json:",omitempty"`
	HostIdentityGroup *string `json:",omitempty"`
	Hostname *string `json:",omitempty"`
	IPSEC *DropDown `json:",omitempty"`
	ISEPolicySetName *string `json:",omitempty"`
	IdentityAccessRestricted *string `json:",omitempty"`
	IdentityGroup *string `json:",omitempty"`
	IdentityGroupID *string `json:",omitempty"`
	IdentityPolicyMatchedRule *string `json:",omitempty"`
	IdentitySelectionMatchedRule *string `json:",omitempty"`
	IsEndpointInRejectMode *bool `json:",omitempty"`
	IsMachineAuthentication *bool `json:",omitempty"`
	IsMachineIdentity *bool `json:",omitempty"`
	IsThirdPartyDeviceFlow *bool `json:",omitempty"`
	Issuer *string `json:",omitempty"`
	IssuerCommonName *string `json:",omitempty"`
	IssuerDomainComponent []string `json:",omitempty"`
	KeyUsage []string `json:",omitempty"`
	LastActivity *string `json:",omitempty"`
	LastNmapScanTime *string `json:",omitempty"`
	LicenseTypes *string `json:",omitempty"`
	Location *DropDown `json:",omitempty"`
	LocationL *string `json:",omitempty"`
	LocationCapable *string `json:",omitempty"`
	MatchedPolicyID *string `json:",omitempty"`
	MessageCode *string `json:",omitempty"`
	MDMServerID *string `json:",omitempty"`
	ModelName *string `json:",omitempty"`
	NASIPAddress *string `json:",omitempty"`
	NASIdentifier *string `json:",omitempty"`
	NASPort *string `json:",omitempty"`
	NASPortID *string `json:",omitempty"`
	NASPortType *string `json:",omitempty"`
	Name *string `json:",omitempty"`
	NetworkDeviceProfile *string `json:",omitempty"`
	NetworkDeviceGroups DropDownMap `json:",omitempty"`
	NetworkDeviceName *string `json:",omitempty"`
	NetworkDeviceProfileID *string `json:",omitempty"`
	NetworkDeviceProfileName *string `json:",omitempty"`
	NmapScanCount *int `json:",omitempty"`
	OU *string `json:",omitempty"`
	OperatingSystem *string `json:",omitempty"`
	OriginalUserName *string `json:",omitempty"`
	PhoneID *string `json:",omitempty"`
	PostureApplicable *string `json:",omitempty"`
	PostureAssessmentStatus *string `json:",omitempty"`
	PostureExpiry *string `json:",omitempty"`
	PolicyVersion *string `json:",omitempty"`
	ProfilerServer *string `json:",omitempty"`
	Protocol *string `json:",omitempty"`
	PortalUser *string `json:",omitempty"`
	QueryResult *string `json:",omitempty"`
	RadiusFlowType *string `json:",omitempty"`
	RadiusPacketType *string `json:",omitempty"`
	RegistrationTimeStamp *string `json:",omitempty"`
	RequestLatency *int `json:",omitempty"`
	Response *LogMessage `json:",omitempty"`
	Role *DropDown `json:",omitempty"`
	SSID *string `json:",omitempty"`
	SAMAccountName *string `json:",omitempty"`
	Security *DropDown `json:",omitempty"`
	SelectedAccessService *string `json:",omitempty"`
	SelectedAuthenticationIdentityStores *string `json:",omitempty"`
	SelectedAuthorizationProfiles *string `json:",omitempty"`
	SessionTimeout *string `json:",omitempty"`
	ServiceType *string `json:",omitempty"`
	SoftwareVersion *string `json:",omitempty"`
	State []string `json:",omitempty"`
	StaticAssignment *bool `json:",omitempty"`
	StaticGroupAssignment *bool `json:",omitempty"`
	Step []string `json:",omitempty"`
	StepData *string `json:",omitempty"`
	StepLatency *string `json:",omitempty"`
	Subject *string `json:",omitempty"`
	SubjectAlternativeName *string `json:",omitempty"`
	SubjectAlternativeNameEmail *string `json:",omitempty"`
	SubjectAlternativeNameOtheName *string `json:",omitempty"`
	SubjectCommonName *string `json:",omitempty"`
	SysDescription *string `json:",omitempty"`
	TLSCipher *string `json:",omitempty"`
	TLSVersion *string `json:",omitempty"`
	Team *DropDown `json:",omitempty"`
	TemplateName *string `json:",omitempty"`
	TerminationAction *string `json:",omitempty"`
	TimeToProfile *string `json:",omitempty"`
	TotalCertaintyFactor *string `json:",omitempty"`
	TotalFailedAttempts *int `json:",omitempty"`
	TotalFailedTime *int `json:",omitempty"`
	TunnelClientEndpoint *string `json:",omitempty"`
	TunnelMediumType *string `json:",omitempty"`
	TunnelPrivateGroupID *string `json:",omitempty"`
	TunnelType *string `json:",omitempty"`
	Type *string `json:",omitempty"`
	Undefined151 *string `json:",omitempty"`
	UniqueSubjectID *string `json:",omitempty"`
	UseCase *string `json:",omitempty"`
	UserAccountControl *string `json:",omitempty"`
	UserName *string `json:",omitempty"` // Ex. bwayne
	UserDashName *string `json:",omitempty"` // User-Name not to be confused with UserName
	UserFetchCountryName *string `json:",omitempty"`
	UserFetchEmail *string `json:",omitempty"`
	UserFetchFirstName *string `json:",omitempty"`
	UserFetchJobTitle *string `json:",omitempty"`
	UserFetchLastName *string `json:",omitempty"`
	UserFetchUserName *string `json:",omitempty"`
	UserFetchStreetAddress *string `json:",omitempty"`
	UserFetchTelephone *string `json:",omitempty"`
	UserType *string `json:",omitempty"`
	UpdateTime *string `json:",omitempty"`
	MessageDetails MessageDetails `json:",omitempty"`
}
LogMessage is a structure populated with the CSV field information from the message field of an ISE log.
func (*LogMessage) UnmarshalJSON ¶
func (logMessage *LogMessage) UnmarshalJSON(data []byte) error
UnmarshalJSON for *LogMessage
type MDMTLV ¶
type MDMTLV struct {
	DevicePlatform *string `json:",omitempty"` // Ex. linux-64, win, mac-intel
	DevicePlatformVersion *string `json:",omitempty"` // Ex. 10.15.7
	DeviceMAC *string `json:",omitempty"` // Ex. 3c-22-fb-00-6a-14
	DevicePublicMAC *string `json:",omitempty"`
	DeviceType *string `json:",omitempty"` // Ex. MacBookPro15\,2
	DeviceUID *string `json:",omitempty"`
	DeviceUIDGlobal *string `json:",omitempty"`
	ACUserAgent *string `json:",omitempty"`
}
MDMTLV contains subfields derived from the mdm-tlv field of an ISE log's message CSV content.
type MessageDetails ¶
MessageDetails contains details about the message CSV.
type PAPAllowedProtocolsLog ¶
type PAPAllowedProtocolsLog struct {
	AccessService string `json:"access_service,omitempty"`
	AccountingAuthentication string `json:"accounting_authentication,omitempty"`
	AccountingSessionID string `json:"accounting_session_id,omitempty"`
	AccountingStatusType string `json:"accounting_status_type,omitempty"`
	AcsSessionID string `json:"acs_session_id,omitempty"`
	Aggregator string `json:"aggregator,omitempty"`
	AuditSessionID string `json:"audit_session_id,omitempty"`
	BusinessUnit string `json:"business_unit,omitempty"`
	CalledStationID string `json:"called_station_id,omitempty"`
	Dest string `json:"dest,omitempty"`
	DeviceType string `json:"device_type,omitempty"`
	Duration string `json:"duration,omitempty"`
	Env string `json:"env,omitempty"`
	EventType string `json:"eventtype,omitempty"`
	Host string `json:"host,omitempty"`
	Hostname string `json:"hostname,omitempty"`
	Location string `json:"location,omitempty"`
	Logtype string `json:"logtype,omitempty"`
	Message LogMessage `json:"message,omitempty"`
	Mnemonic string `json:"mnemonic,omitempty"`
	NasIPAddress string `json:"nas_ip_address,omitempty"`
	NasPort string `json:"nas_port,omitempty"`
	NasPortType string `json:"nas_port_type,omitempty"`
	NetworkDeviceName string `json:"network_device_name,omitempty"`
	NetworkDeviceProfile string `json:"network_device_profile,omitempty"`
	Notice string `json:"notice,omitempty"`
	ServiceType string `json:"service_type,omitempty"`
	Signature string `json:"signature,omitempty"`
	Src string `json:"src,omitempty"`
	Time time.Time `json:"time,omitempty"`
	User string `json:"user,omitempty"`
}
PAPAllowedProtocolsLog is a struct for PAPAllowedProtocols CISCO ISE logs.
type ParseError ¶
ParseError occurs when we fail to parse a given field into a struct.
func (*ParseError) Error ¶
func (p *ParseError) Error() string
type TypeMismatch ¶
type TypeMismatch struct {
	Original interface{}
	Type string
}
TypeMismatch occurs when we attempt to parse a field that is not of the expected format or type.
func (*TypeMismatch) Error ¶
func (t *TypeMismatch) Error() string
type UnprocessableMessageFailure ¶
UnprocessableMessageFailure occurs when a CSV message is formatted in a way our parser does not expect.
func (*UnprocessableMessageFailure) Error ¶
func (u *UnprocessableMessageFailure) Error() string