Reference Guide

ManualsBrandsDell ManualsTVs & monitorsW-620

251

252

253

254

255

256

257

258

259

260

254 | esi parser rule Dell PowerConnect W-Series ArubaOS 6.2 | Reference Guide

l Action: The action to take when a rule match occurs.

Once a condition match occurs, no further rule-matching will be made. For the matching rule, only one action can be

defined.

For more details on the character-matching operators, repetition operators, and expression anchors used to defined

the search or match target, refer to the

External Services Interface

chapter in the

Dell PowerConnect W-Series

ArubaOS 6.2 User Guide

Use the showesiparserrules command to show ESI parser rule information. Use the

showesiparserstats command to show ESI parser rule statistical information

Examples

The following command sets up the Fortigate virus rule named “forti_rule.” This rule parses the virus detection

syslog scanning for a condition match on the log_id value (log_id=) and a match on the IP address (src=).

(host) (config) #esiparserruleforti_rule

condition“log_id=[0-9]{10}[]”

matchipaddr“src=(.*)[]”

setblacklist

domainfortinet

enable

In this example, the corresponding ESI expression is:

<Sep2618:30:02log_id=0100030101type=virussubtype=infectedsrc=1.2.3.4>

The following example of the test command tests a rule against a specified single syslog message.

testmsg"2618:30:02log_id=0100030101type=virussubtype=infectedsrc=1.2.3.4"

<2618:30:02log_id=0100030101type=virussubtype=infectedsrc=1.2.3.4>

=====

Condition:Matchedwithrule"forti_rule"

User:ipaddr=1.2.3.4

=====

The following example of the test command tests a rule against a file named test.log, which contains several syslog

messages.

testfiletest.log

<Sep2618:30:02log_id=0100030101type=virussubtype=infectedsrc=1.2.3.4>

==========

Condition:Matchedwithrule"forti_rule"

User:ipaddr=1.2.3.4

==========

<Oct1810:43:40cli[627]:PAPI_Send:To:7f000001:8372Type:0x4Timedout.>

==========

Condition:Nomatchingruleconditionfound

==========

<Oct1810:05:32mobileip[499]:<500300><DBUG>|mobileip|Station00:40:96:a6:a1:a4,

10.0.100.103:DHCPFSMreceivedevent:RECEIVE_BOOTP_REPLYcurrent:PROXY_DHCP_NO_PROXY,

next:PROXY_DHCP_NO_PROXY>

==========

Condition:Nomatchingruleconditionfound

==========