Hi All,

I am working on Cisco Firepower field extraction. I have two different patterns, shown below:

1. For the one below, I am getting the action field as either "Allow" or "Block", and I am able to extract it.

Jul 16 2020 17:47:00 %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.216.6.64, DstIP: 40.126.2.50, SrcPort: 57033, DstPort: 443, Protocol: tcp, IngressZone: in, EgressZone: out, ACPolicy: Azure-Policy-old, AccessControlRuleName: ASADmz_Internal_Access, Prefilter Policy: Allow_new, User: No Authentication Required, InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 66, NAPPolicy: Unknown

2. How can I write a single extractor for the action field that also covers the type of log below? I believe the action field would be unknown for this pattern.

Jul 16 17:47:00 UTC: %FTD-session-6-305011: Built dynamic TCP translation from Inside:10.216.6.64/57035 to Outside:10.216.3.10/57035

I am facing the same issue with ASA firewall logs as well. Any direction would be highly appreciated.

Regards,
Tejas
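One way to handle both layouts with a single extractor, as an added Python example (not code from the original post or from Cisco): the shared %PRODUCT[-facility]-severity-id header is parsed first, then the action field is filled from AccessControlRuleAction when present and set to "unknown" otherwise. The sample lines are constructed from the post; the ASA line and its message ID are an assumed illustration of the same header shape.

```python
import re
from typing import Dict, Optional

# Header shared by FTD and ASA syslog events: %<product>[-<facility>]-<severity>-<6-digit id>: <body>
HEADER_RE = re.compile(
    r"%(?P<product>FTD|ASA)(?:-(?P<facility>[a-z]+))?-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$"
)
# The action keyword only appears in access-control events (430002 in the post).
ACTION_RE = re.compile(r"\bAccessControlRuleAction:\s*(?P<action>\w+)")

# Constructed sample lines (first two follow the formats quoted in the post).
FTD_430002 = ("Jul 16 2020 17:47:00 %FTD-1-430002: AccessControlRuleAction: Allow, SrcIP: 10.216.6.64, "
              "DstIP: 40.126.2.50, SrcPort: 57033, DstPort: 443, Protocol: tcp, Prefilter Policy: Allow_new, "
              "User: No Authentication Required, NAPPolicy: Unknown")
FTD_305011 = ("Jul 16 17:47:00 UTC: %FTD-session-6-305011: Built dynamic TCP translation "
              "from Inside:10.216.6.64/57035 to Outside:10.216.3.10/57035")
FTD_BLOCK = "Jul 16 2020 17:48:00 %FTD-1-430002: AccessControlRuleAction: Block, SrcIP: 10.0.0.5, DstIP: 203.0.113.9"
ASA_SAMPLE = "Jul 16 17:47:01 UTC: %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4000"


def parse_kv_body(body: str) -> Dict[str, str]:
    """Split a 'Key: value, Key: value' body; keys may contain spaces (e.g. 'Prefilter Policy')."""
    fields: Dict[str, str] = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:  # skip fragments that are not key/value pairs
            fields[key.strip()] = value.strip()
    return fields


def extract(line: str) -> Dict[str, Optional[str]]:
    """Single extractor for both layouts: 'action' is always present, defaulting to 'unknown'."""
    m = HEADER_RE.search(line)
    if not m:
        return {"product": None, "severity": None, "msg_id": None, "action": "unknown"}
    event: Dict[str, Optional[str]] = {
        "product": m["product"], "severity": m["severity"], "msg_id": m["msg_id"]}
    action = ACTION_RE.search(m["body"])
    # An unmatched regex group yields None, not a string, so the default is applied here.
    event["action"] = action["action"] if action else "unknown"
    if action:  # key/value layout: keep the remaining fields as well
        event.update(parse_kv_body(m["body"]))
    return event


if __name__ == "__main__":
    for sample in (FTD_430002, FTD_305011, FTD_BLOCK, ASA_SAMPLE):
        ev = extract(sample)
        print(f"{ev['product']}-{ev['msg_id']}: action={ev['action']}")
```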