This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Duration time from Cisco ASA

AlexeyFedorov
Frequent Contributor
Frequent Contributor

‎2016-04-12 02:47 AM

Hello,

 

I have Cisco ASA and raw event like:

 

%ASA-4-113019: Group = XXX, Username = user, IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 3h:01m:44s, Bytes xmt: 26082098, Bytes rcv: 13031692, Reason: User Requested

 

When this event was parsing I have metakey duration.time = '10904.0'

When I create a report I wish see in the report duration as 3h:01m:44s. How I can do it?

0 Likes
6 REPLIES 6

DavidWaugh1
Employee
Employee

‎2016-04-12 07:56 AM

Hi Alex, I have confirmed this behavior on my lab system too. Let me do some investigation and come back to you.

0 Likes

DavidWaugh1
Employee
Employee
In response to DavidWaugh1

‎2016-04-12 08:08 AM

Looking at the Ciscoasa parser then duration is going into the "duration" metakey.

 

In table-map.xml this is a Float64 so I think there is some conversation that is going on here.

<mapping envisionName="duration" nwName="duration.time" flags="None" format="Float64" failureKey="duration.str"/>

 

However the failure key here is duration.str so that if it cant be converted then it should go into duration.str.

Let me do some more digging....

0 Likes

DavidWaugh1
Employee
Employee
In response to DavidWaugh1

‎2016-04-12 08:18 AM

In the ASA parser duration is normalized from raw format down to seconds and stores the value in a Float64. This will allow you to do comparisons such as > and <. We could write this into duration.str meta key instead but then you would not be able to do numerical comparisons on the metakey.

 

What I recommend is that I will write a LUA parser to write into the duration.str string so that the duration.str contains the time you want.

AlexeyFedorov
Frequent Contributor
Frequent Contributor
In response to DavidWaugh1

‎2016-04-12 08:27 AM

Hello David,

 

Nice to hear you again. I guess LUA parser for this case is best solution. It give us ability to comparisons and human reading format of datetime for reports.

0 Likes

DavidWaugh1
Employee
Employee
In response to AlexeyFedorov

‎2016-04-12 08:46 AM

Hi Alex, yes back from my holiday.

 

Here is the LUA Parser that will do this. I tried it here and it worked on the example that you gave.

 

duration.png

Duration2String.lua.zip

AlexeyFedorov
Frequent Contributor
Frequent Contributor
In response to DavidWaugh1

‎2016-04-12 08:58 AM

Thanks you David, your parser is great as usual! I confirm all works correct!

I hope your holiday was great and you full of power for new useful parsers. 🙂

 

PS: I go to the holiday on the next week. 🙂

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.