Text Share Online

Menu

================================================================================
HP PROCURVE / ARUBA SWITCH – GRAYLOG PIPELINE RULES (FINAL CORRECTED VERSION)
================================================================================

CRITICAL GRAYLOG PIPELINE DSL CONSTRAINTS (learned the hard way):
1. NO if/else if/else – only a single plain “if { }” is allowed per rule
2. NO nested if – no if inside another if
3. NO ternary ?: – not supported
4. NO let inside if – all let declarations must be at top level of then
5. NO null keyword – use is_null() / is_not_null() (underscores)
6. Always wrap map values in to_string() before any function call
7. Use contains() / is_not_null(grok(…)) in the WHEN clause to branch

SOLUTION: One rule per message sub-type.
Conditions (branching logic) go in the WHEN clause.
The THEN clause contains ONLY: let, grok, set_field calls – nothing else.

PIPELINE SETUP:
Stage 0: hp_sw_00_tag, hp_sw_01a_header, hp_sw_01b_header
Stage 1: all remaining rules (run after stage 0 sets sw_module/sw_body)

================================================================================

rule “hp_sw_00_tag”
when
has_field(“message”) AND
is_not_null(grok(pattern: “^(?:%{{MONTH}} +%{{MONTHDAY}} %{{TIME}} )?%{{IP:_x}} “, value: to_string($message.message), only_named_captures: true))
then
set_field(“vendor”, “HP”);
set_field(“device_type”, “switch”);
end

rule “hp_sw_01a_header”
when
has_field(“message”) AND
is_not_null(grok(pattern: “^%{{MONTH}} +%{{MONTHDAY}} %{{TIME}} %{{IP}} “, value: to_string($message.message), only_named_captures: true))
then
let m = grok(
pattern: “^%{{MONTH}} +%{{MONTHDAY}} %{{TIME}} %{{IP:sw_ip}} (?:(?<sw_event_id>d{{5}}) )?(?<sw_module>[a-zA-Z][a-zA-Z0-9_-]*): ?(?<sw_body>.+)$”,
value: to_string($message.message),
only_named_captures: true
);
set_field(“sw_ip”, to_string(m[“sw_ip”]));
set_field(“sw_module”, lowercase(to_string(m[“sw_module”])));
set_field(“sw_body”, to_string(m[“sw_body”]));
set_field(“sw_event_id”, to_string(m[“sw_event_id”]));
end

rule “hp_sw_01b_header”
when
has_field(“message”) AND
is_null(grok(pattern: “^%{{MONTH}} +%{{MONTHDAY}} %{{TIME}} %{{IP}} “, value: to_string($message.message), only_named_captures: true)) AND
is_not_null(grok(pattern: “^%{{IP}} “, value: to_string($message.message), only_named_captures: true))
then
let m = grok(
pattern: “^%{{IP:sw_ip}} (?:(?<sw_event_id>d{{5}}) )?(?<sw_module>[a-zA-Z][a-zA-Z0-9_-]*): ?(?<sw_body>.+)$”,
value: to_string($message.message),
only_named_captures: true
);
set_field(“sw_ip”, to_string(m[“sw_ip”]));
set_field(“sw_module”, lowercase(to_string(m[“sw_module”])));
set_field(“sw_body”, to_string(m[“sw_body”]));
set_field(“sw_event_id”, to_string(m[“sw_event_id”]));
end

rule “hp_sw_02_ffi_parse”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ffi”
then
let m = grok(
pattern: “^port (?<sw_ffi_port>[A-Za-z]?d+[A-Za-z]?)-(?<sw_ffi_issue>.+?)(?:..*)?$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_event_category”, “fault_finder”);
set_field(“sw_alert_severity”, “warning”);
set_field(“sw_ffi_port”, to_string(m[“sw_ffi_port”]));
set_field(“sw_ffi_issue”, to_string(m[“sw_ffi_issue”]));
end

rule “hp_sw_02_ffi_link_flap”
when
has_field(“sw_ffi_issue”) AND contains(to_string($message.sw_ffi_issue), “link state transitions”)
then
set_field(“sw_ffi_type”, “link_flap”);
end

rule “hp_sw_02_ffi_crc”
when
has_field(“sw_ffi_issue”) AND contains(to_string($message.sw_ffi_issue), “CRC”)
then
set_field(“sw_ffi_type”, “crc_errors”);
end

rule “hp_sw_02_ffi_collision”
when
has_field(“sw_ffi_issue”) AND (contains(to_string($message.sw_ffi_issue), “collision”) OR contains(to_string($message.sw_ffi_issue), “drop rate”))
then
set_field(“sw_ffi_type”, “high_collision”);
end

rule “hp_sw_02_ffi_broadcast”
when
has_field(“sw_ffi_issue”) AND contains(to_string($message.sw_ffi_issue), “broadcast”)
then
set_field(“sw_ffi_type”, “broadcast_storm”);
end

rule “hp_sw_02_ffi_duplex”
when
has_field(“sw_ffi_issue”) AND contains(to_string($message.sw_ffi_issue), “duplex”)
then
set_field(“sw_ffi_type”, “duplex_mismatch”);
end

rule “hp_sw_03_port_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ports”
then
set_field(“sw_event_category”, “port_state”);
end

rule “hp_sw_03_port_link_up”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ports” AND
is_not_null(grok(pattern: “^port [A-Za-z]?d+[A-Za-z]? is now on-line$”, value: to_string($message.sw_body), only_named_captures: true))
then
let m = grok(
pattern: “^port (?<sw_port>[A-Za-z]?d+[A-Za-z]?) is now on-line$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_port_state”, “on-line”);
set_field(“sw_port_event”, “link_up”);
end

rule “hp_sw_03_port_link_down”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ports” AND
is_not_null(grok(pattern: “^port [A-Za-z]?d+[A-Za-z]? is now off-line$”, value: to_string($message.sw_body), only_named_captures: true))
then
let m = grok(
pattern: “^port (?<sw_port>[A-Za-z]?d+[A-Za-z]?) is now off-line$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_port_state”, “off-line”);
set_field(“sw_port_event”, “link_down”);
end

rule “hp_sw_03_port_stp_block”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ports” AND
contains(to_string($message.sw_body), “Blocked by STP”)
then
let m = grok(
pattern: “^port (?<sw_port>[A-Za-z]?d+[A-Za-z]?) is Blocked by STP”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_port_state”, “blocked_stp”);
set_field(“sw_port_event”, “stp_block”);
end

rule “hp_sw_03_port_poe”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ports” AND
contains(to_string($message.sw_body), “Invalid Signature”)
then
let m = grok(
pattern: “^port (?<sw_port>[A-Za-z]?d+[A-Za-z]?) PD Invalid Signature”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_port_state”, “poe_invalid_signature”);
set_field(“sw_port_event”, “poe_error”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_03_port_disabled”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ports” AND
contains(to_string($message.sw_body), “is Disabled”)
then
let m = grok(
pattern: “^port (?<sw_port>[A-Za-z]?d+[A-Za-z]?) is Disabled”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_port_state”, “disabled”);
set_field(“sw_port_event”, “port_disabled”);
end

rule “hp_sw_04_stp_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “stp”
then
set_field(“sw_event_category”, “spanning_tree”);
end

rule “hp_sw_04_stp_root_change”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “stp” AND
contains(to_string($message.sw_body), “CST Root changed”)
then
let m = grok(
pattern: “^CST Root changed from (?<sw_stp_root_old>[w:]+(?:-[w]+)?) to (?<sw_stp_root_new>[w:]+(?:-[w]+)?)$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_stp_event”, “root_bridge_change”);
set_field(“sw_stp_root_old”, to_string(m[“sw_stp_root_old”]));
set_field(“sw_stp_root_new”, to_string(m[“sw_stp_root_new”]));
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_04_stp_bpdu”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “stp” AND
contains(to_string($message.sw_body), “Starved for a BPDU”)
then
let m = grok(
pattern: “^VLAN (?<sw_vlan_id>d+) – Starved for a BPDU on port (?<sw_port>S+) from Designated Bridge (?<sw_stp_bridge>[w:]+(?:-[w]+)?)$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_stp_event”, “bpdu_starved”);
set_field(“sw_vlan_id”, to_long(to_string(m[“sw_vlan_id”])));
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_stp_bridge”, to_string(m[“sw_stp_bridge”]));
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_04_stp_topo”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “stp” AND
contains(to_string($message.sw_body), “Topology Change”)
then
let m = grok(
pattern: “^.*Topology Change.*port (?<sw_port>[A-Za-z]?d+[A-Za-z]?)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_stp_event”, “topology_change”);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_04_stp_enabled”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “stp” AND
contains(to_string($message.sw_body), “enabled”)
then
set_field(“sw_stp_event”, “stp_enabled”);
end

rule “hp_sw_04_stp_disabled”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “stp” AND
contains(to_string($message.sw_body), “disabled”)
then
set_field(“sw_stp_event”, “stp_disabled”);
end

rule “hp_sw_05_snmp_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “snmp”
then
set_field(“sw_event_category”, “snmp_security”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_05_snmp_community”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “snmp” AND
contains(to_string($message.sw_body), “community name or user name”)
then
let m = grok(
pattern: “^(?:SNMP )?Security access violation from %{{IP:sw_snmp_src_ip}} for the community name or user name : (?<sw_snmp_community>S+)$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_snmp_src_ip”, to_string(m[“sw_snmp_src_ip”]));
set_field(“sw_snmp_community”, to_string(m[“sw_snmp_community”]));
set_field(“sw_snmp_event”, “community_violation”);
end

rule “hp_sw_05_snmp_short”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “snmp” AND
contains(to_string($message.sw_body), “Security access violation”) AND
!contains(to_string($message.sw_body), “community name or user name”)
then
let m = grok(
pattern: “^SNMP Security access violation from %{{IP:sw_snmp_src_ip}}”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_snmp_src_ip”, to_string(m[“sw_snmp_src_ip”]));
set_field(“sw_snmp_event”, “access_violation”);
end

rule “hp_sw_05_snmp_auth_fail”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “snmp” AND
contains(to_string($message.sw_body), “Authentication failure for SNMP”)
then
let m = grok(
pattern: “^Authentication failure for SNMP community string ‘(?<sw_snmp_community>[^’]+)'”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_snmp_community”, to_string(m[“sw_snmp_community”]));
set_field(“sw_snmp_event”, “auth_failure”);
end

rule “hp_sw_06_mgr_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “mgr”
then
set_field(“sw_event_category”, “management”);
end

rule “hp_sw_06_mgr_sme”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “mgr” AND
contains(to_string($message.sw_body), “SME “)
then
let m = grok(
pattern: “^SME (?<sw_mgr_protocol>TELNET|SSH|WEB|CONSOLE|SERIAL)(?: from %{{IP:sw_mgr_src_ip}})? – (?<sw_mgr_access_level>MANAGER|OPERATOR) Mode$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_mgr_protocol”, to_string(m[“sw_mgr_protocol”]));
set_field(“sw_mgr_access_level”, to_string(m[“sw_mgr_access_level”]));
set_field(“sw_mgr_src_ip”, to_string(m[“sw_mgr_src_ip”]));
set_field(“sw_mgr_event”, “session_start”);
end

rule “hp_sw_06_mgr_login_ok”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “mgr” AND
contains(to_string($message.sw_body), “logged in from”)
then
let m = grok(
pattern: “^User ‘(?<sw_mgr_user>[^’]+)’ logged in from %{{IP:sw_mgr_src_ip}} to (?<sw_mgr_protocol>SSH|TELNET|WEB) session$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_mgr_user”, to_string(m[“sw_mgr_user”]));
set_field(“sw_mgr_src_ip”, to_string(m[“sw_mgr_src_ip”]));
set_field(“sw_mgr_protocol”, to_string(m[“sw_mgr_protocol”]));
set_field(“sw_mgr_event”, “login_success”);
end

rule “hp_sw_06_mgr_login_fail”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “mgr” AND
contains(to_string($message.sw_body), “Invalid user name/password”)
then
let m = grok(
pattern: “^Invalid user name/password on (?<sw_mgr_protocol>SSH|TELNET|WEB) session”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_mgr_protocol”, to_string(m[“sw_mgr_protocol”]));
set_field(“sw_mgr_event”, “login_failure”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_06_mgr_syslog”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “mgr” AND
contains(to_string($message.sw_body), “SYSLOG server”)
then
let m = grok(
pattern: “^syslog: Information logging started on the SYSLOG server %{{IP:sw_syslog_server}} over (?<sw_syslog_protocol>UDP|TCP) protocol$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_syslog_server”, to_string(m[“sw_syslog_server”]));
set_field(“sw_syslog_protocol”, to_string(m[“sw_syslog_protocol”]));
set_field(“sw_mgr_event”, “syslog_configured”);
end

rule “hp_sw_06_mgr_cfg_saved”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “mgr” AND
contains(to_string($message.sw_body), “saved configuration to flash”)
then
let m = grok(
pattern: “^(?<sw_mgr_user>S+) saved configuration to flash”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_mgr_user”, to_string(m[“sw_mgr_user”]));
set_field(“sw_mgr_event”, “config_saved”);
end

rule “hp_sw_07_auth_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “auth”
then
set_field(“sw_event_category”, “authentication”);
end

rule “hp_sw_07_auth_login_ok”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “auth” AND
contains(to_string($message.sw_body), “logged in from”)
then
let m = grok(
pattern: “^User ‘(?<sw_auth_user>[^’]+)’ logged in from %{{IP:sw_auth_src_ip}} to (?<sw_auth_protocol>SSH|TELNET|WEB) session”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_auth_user”, to_string(m[“sw_auth_user”]));
set_field(“sw_auth_src_ip”, to_string(m[“sw_auth_src_ip”]));
set_field(“sw_auth_protocol”, to_string(m[“sw_auth_protocol”]));
set_field(“sw_auth_event”, “login_success”);
end

rule “hp_sw_07_auth_login_fail”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “auth” AND
contains(to_string($message.sw_body), “Invalid user name/password”)
then
let m = grok(
pattern: “^Invalid user name/password on (?<sw_auth_protocol>SSH|TELNET|WEB) session”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_auth_protocol”, to_string(m[“sw_auth_protocol”]));
set_field(“sw_auth_event”, “login_failure”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_07_auth_logout”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “auth” AND
contains(to_string($message.sw_body), “logged out from”)
then
let m = grok(
pattern: “^User ‘(?<sw_auth_user>[^’]+)’ logged out from (?<sw_auth_protocol>SSH|TELNET|WEB) session”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_auth_user”, to_string(m[“sw_auth_user”]));
set_field(“sw_auth_protocol”, to_string(m[“sw_auth_protocol”]));
set_field(“sw_auth_event”, “logout”);
end

rule “hp_sw_08_ssl_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ssl”
then
set_field(“sw_event_category”, “ssl”);
end

rule “hp_sw_08_ssl_enabled”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ssl” AND
contains(to_string($message.sw_body), “SSL HTTP server enabled”)
then
let m = grok(
pattern: “^SSL HTTP server enabled on TCP port (?<sw_ssl_port>d+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_ssl_port”, to_long(to_string(m[“sw_ssl_port”])));
set_field(“sw_ssl_event”, “https_enabled”);
end

rule “hp_sw_08_ssl_disabled”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ssl” AND
contains(to_string($message.sw_body), “SSL HTTP server disabled”)
then
set_field(“sw_ssl_event”, “https_disabled”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_08_ssl_tls_fail”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ssl” AND
contains(to_string($message.sw_body), “TLS connection failed”)
then
let m = grok(
pattern: “^.*TLS connection failed.*from %{{IP:sw_ssl_src_ip}}”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_ssl_src_ip”, to_string(m[“sw_ssl_src_ip”]));
set_field(“sw_ssl_event”, “tls_failure”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_08_ssl_cert_expiring”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “ssl” AND
contains(to_string($message.sw_body), “certificate”) AND
contains(to_string($message.sw_body), “expire”)
then
set_field(“sw_ssl_event”, “cert_expiring”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_09_system_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system”
then
set_field(“sw_event_category”, “system”);
end

rule “hp_sw_09_system_boot”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system” AND
(contains(to_string($message.sw_body), “System Booted”) OR contains(to_string($message.sw_body), “Cold Start”))
then
set_field(“sw_system_event”, “boot”);
end

rule “hp_sw_09_system_reboot”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system” AND
contains(to_string($message.sw_body), “reboot”)
then
let m = grok(
pattern: “^(?<sw_reboot_actor>w+) reboot from (?<sw_reboot_method>w+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_system_event”, “reboot”);
set_field(“sw_reboot_actor”, to_string(m[“sw_reboot_actor”]));
set_field(“sw_reboot_method”, to_string(m[“sw_reboot_method”]));
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_09_system_went_down”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system” AND
contains(to_string($message.sw_body), “went down”)
then
let m = grok(
pattern: “^System went down: (?<sw_downtime_ts>S+ S+)$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_system_event”, “went_down”);
set_field(“sw_downtime_ts”, to_string(m[“sw_downtime_ts”]));
set_field(“sw_alert_severity”, “critical”);
end

rule “hp_sw_09_system_hw_fail”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system” AND
(contains(to_string($message.sw_body), “Power Supply failed”) OR contains(to_string($message.sw_body), “Fan fail”))
then
set_field(“sw_system_event”, “hardware_failure”);
set_field(“sw_alert_severity”, “critical”);
end

rule “hp_sw_09_system_temp”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system” AND
contains(to_string($message.sw_body), “Temperature”)
then
set_field(“sw_system_event”, “temperature_alert”);
set_field(“sw_alert_severity”, “critical”);
end

rule “hp_sw_09_system_memory”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “system” AND
contains(to_string($message.sw_body), “Memory”)
then
set_field(“sw_system_event”, “memory_alert”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_10_vlan_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “vlan”
then
set_field(“sw_event_category”, “vlan”);
end

rule “hp_sw_10_vlan_named”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “vlan” AND
contains(to_string($message.sw_body), “virtual LAN”)
then
let m = grok(
pattern: “^(?<sw_vlan_name>.+?) virtual LAN (?<sw_vlan_action>enabled|disabled|created|deleted)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_vlan_name”, to_string(m[“sw_vlan_name”]));
set_field(“sw_vlan_action”, to_string(m[“sw_vlan_action”]));
set_field(“sw_vlan_event”, “named_vlan_state_change”);
end

rule “hp_sw_10_vlan_by_id”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “vlan” AND
is_not_null(grok(pattern: “^VLAN d+ (?:created|deleted|enabled|disabled)”, value: to_string($message.sw_body), only_named_captures: true))
then
let m = grok(
pattern: “^VLAN (?<sw_vlan_id>d+) (?<sw_vlan_action>created|deleted|enabled|disabled)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_vlan_id”, to_long(to_string(m[“sw_vlan_id”])));
set_field(“sw_vlan_action”, to_string(m[“sw_vlan_action”]));
set_field(“sw_vlan_event”, “vlan_state_change”);
end

rule “hp_sw_10_vlan_port”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “vlan” AND
is_not_null(grok(pattern: “^Port [A-Za-z]?d+ (?:added to|removed from) VLAN”, value: to_string($message.sw_body), only_named_captures: true))
then
let m = grok(
pattern: “^Port (?<sw_port>[A-Za-z]?d+) (?<sw_vlan_action>added to|removed from) VLAN (?<sw_vlan_id>d+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_vlan_id”, to_long(to_string(m[“sw_vlan_id”])));
set_field(“sw_vlan_action”, to_string(m[“sw_vlan_action”]));
set_field(“sw_vlan_event”, “port_vlan_change”);
end

rule “hp_sw_11_tftp_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “tftp”
then
set_field(“sw_event_category”, “tftp”);
end

rule “hp_sw_11_tftp_error”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “tftp” AND
contains(to_string($message.sw_body), “SENT error:”)
then
let m = grok(
pattern: “^SENT error:(?<sw_tftp_error_code>d+), msg: (?<sw_tftp_error_msg>.+)$”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_tftp_event”, “error”);
set_field(“sw_tftp_error_code”, to_long(to_string(m[“sw_tftp_error_code”])));
set_field(“sw_tftp_error_msg”, to_string(m[“sw_tftp_error_msg”]));
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_11_tftp_firmware”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “tftp” AND
contains(to_string($message.sw_body), “Firmware update”)
then
let m = grok(
pattern: “^Firmware update.*from %{{IP:sw_tftp_src_ip}}”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_tftp_event”, “firmware_update”);
set_field(“sw_tftp_src_ip”, to_string(m[“sw_tftp_src_ip”]));
end

rule “hp_sw_11_tftp_config”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “tftp” AND
contains(to_string($message.sw_body), “Configuration”)
then
let m = grok(
pattern: “^Configuration (?<sw_tftp_action>download|upload).*(?:from|to) %{{IP:sw_tftp_src_ip}}”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_tftp_event”, concat(“config_”, to_string(m[“sw_tftp_action”])));
set_field(“sw_tftp_src_ip”, to_string(m[“sw_tftp_src_ip”]));
end

rule “hp_sw_11_tftp_enabled”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “tftp” AND
(contains(to_string($message.sw_body), “enabled”) OR contains(to_string($message.sw_body), “Enable succeeded”))
then
set_field(“sw_tftp_event”, “service_enabled”);
end

rule “hp_sw_12_dhcp_category”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “dhcp-snoop”
then
set_field(“sw_event_category”, “dhcp_snooping”);
set_field(“sw_alert_severity”, “warning”);
end

rule “hp_sw_12_dhcp_bad_release”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “dhcp-snoop” AND
contains(to_string($message.sw_body), “Attempt to release address”)
then
let m = grok(
pattern: “^.*Attempt to release address %{{IP:sw_dhcp_leased_ip}} leased to port (?<sw_dhcp_leased_port>S+) detected on port (?<sw_dhcp_detect_port>S+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_dhcp_leased_ip”, to_string(m[“sw_dhcp_leased_ip”]));
set_field(“sw_dhcp_leased_port”, to_string(m[“sw_dhcp_leased_port”]));
set_field(“sw_dhcp_detect_port”, to_string(m[“sw_dhcp_detect_port”]));
set_field(“sw_dhcp_event”, “bad_release_attempt”);
end

rule “hp_sw_12_dhcp_binding”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “dhcp-snoop” AND
contains(to_string($message.sw_body), “VLAN”) AND
!contains(to_string($message.sw_body), “Attempt”)
then
let m = grok(
pattern: “^.*IP %{{IP:sw_dhcp_leased_ip}} MAC (?<sw_dhcp_mac>[0-9a-fA-F:]+) port (?<sw_dhcp_leased_port>S+) VLAN (?<sw_vlan_id>d+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_dhcp_leased_ip”, to_string(m[“sw_dhcp_leased_ip”]));
set_field(“sw_dhcp_mac”, to_string(m[“sw_dhcp_mac”]));
set_field(“sw_dhcp_leased_port”, to_string(m[“sw_dhcp_leased_port”]));
set_field(“sw_vlan_id”, to_long(to_string(m[“sw_vlan_id”])));
set_field(“sw_dhcp_event”, “binding_entry”);
end

rule “hp_sw_12_dhcp_ceasing”
when
has_field(“sw_module”) AND to_string($message.sw_module) == “dhcp-snoop” AND
contains(to_string($message.sw_body), “Ceasing”)
then
set_field(“sw_dhcp_event”, “log_suppression”);
end

rule “hp_sw_13_dot1x_category”
when
has_field(“sw_module”) AND (
to_string($message.sw_module) == “authenticator” OR
to_string($message.sw_module) == “802.1x” OR
to_string($message.sw_module) == “mac-auth”
)
then
set_field(“sw_event_category”, “port_authentication”);
end

rule “hp_sw_13_dot1x_ok”
when
has_field(“sw_module”) AND (
to_string($message.sw_module) == “authenticator” OR
to_string($message.sw_module) == “802.1x” OR
to_string($message.sw_module) == “mac-auth”
) AND contains(to_string($message.sw_body), “authenticated on port”)
then
let m = grok(
pattern: “^(?:Port [A-Za-z]?d+: )?MAC (?<sw_dot1x_mac>[0-9a-fA-F:]+) authenticated on port (?<sw_port>[A-Za-z]?d+) via (?<sw_dot1x_method>S+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_dot1x_mac”, to_string(m[“sw_dot1x_mac”]));
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_dot1x_method”, to_string(m[“sw_dot1x_method”]));
set_field(“sw_dot1x_event”, “auth_success”);
end

rule “hp_sw_13_dot1x_fail”
when
has_field(“sw_module”) AND (
to_string($message.sw_module) == “authenticator” OR
to_string($message.sw_module) == “802.1x” OR
to_string($message.sw_module) == “mac-auth”
) AND contains(to_string($message.sw_body), “failed for MAC”)
then
let m = grok(
pattern: “^Port (?<sw_port>[A-Za-z]?d+): (?<sw_dot1x_method>802.1X|MAC auth).*failed for MAC (?<sw_dot1x_mac>[0-9a-fA-F:]+)”,
value: to_string($message.sw_body),
only_named_captures: true
);
set_field(“sw_port”, to_string(m[“sw_port”]));
set_field(“sw_dot1x_mac”, to_string(m[“sw_dot1x_mac”]));
set_field(“sw_dot1x_method”, to_string(m[“sw_dot1x_method”]));
set_field(“sw_dot1x_event”, “auth_failure”);
set_field(“sw_alert_severity”, “warning”);
end

================================================================================
FIELDS PRODUCED
================================================================================

Always set (Stage 0):
vendor, device_type, sw_ip, sw_module, sw_body, sw_event_id

Set by category rules (Stage 1):
sw_event_category – fault_finder, port_state, spanning_tree, snmp_security,
management, authentication, ssl, system, vlan, tftp,
dhcp_snooping, port_authentication
sw_alert_severity – “warning” or “critical”
sw_ffi_port – FFI port name (e.g. B12, D23)
sw_ffi_issue – FFI issue description
sw_ffi_type – link_flap, crc_errors, high_collision, broadcast_storm,
duplex_mismatch
sw_port – port identifier
sw_port_state – on-line, off-line, blocked_stp, poe_invalid_signature,
disabled
sw_port_event – link_up, link_down, stp_block, poe_error, port_disabled,
vlan_membership
sw_stp_event – root_bridge_change, bpdu_starved, topology_change,
stp_enabled, stp_disabled
sw_stp_root_old/new- STP root bridge before/after change
sw_stp_bridge – designated bridge in BPDU message
sw_vlan_id – VLAN number (long)
sw_vlan_name – named VLAN (e.g. Cameras)
sw_vlan_action – enabled, disabled, created, deleted, added to, removed from
sw_vlan_event – named_vlan_state_change, vlan_state_change, port_vlan_change
sw_snmp_src_ip – IP of SNMP violator
sw_snmp_community – community string used
sw_snmp_event – community_violation, access_violation, auth_failure
sw_mgr_protocol – TELNET, SSH, WEB, CONSOLE, SERIAL
sw_mgr_src_ip – management session source IP
sw_mgr_access_level- MANAGER or OPERATOR
sw_mgr_event – session_start, login_success, login_failure,
syslog_configured, config_saved
sw_mgr_user – username
sw_auth_user/src_ip/protocol/event – auth module equivalents
sw_ssl_port – TCP port (443)
sw_ssl_event – https_enabled, https_disabled, tls_failure, cert_expiring
sw_ssl_src_ip – TLS failure source IP
sw_system_event – boot, reboot, went_down, hardware_failure,
temperature_alert, memory_alert
sw_reboot_actor/method – who/how rebooted
sw_downtime_ts – when system went down
sw_tftp_event – error, firmware_update, config_download, config_upload,
service_enabled
sw_tftp_error_code/msg/src_ip – TFTP details
sw_dhcp_event – bad_release_attempt, binding_entry, log_suppression
sw_dhcp_leased_ip/leased_port/detect_port/mac – DHCP snooping details
sw_dot1x_event – auth_success, auth_failure
sw_dot1x_mac/method – 802.1X details
sw_syslog_server/protocol – syslog server configured via mgr

================================================================================
SEARCH QUERIES
================================================================================

All HP switches:
source:(“192.168.1.186” OR “192.168.1.180” OR “192.168.1.152” OR “192.168.0.254” OR “192.168.1.148” OR “192.168.1.147” OR “192.168.1.142” OR “192.168.1.82” OR “192.168.1.141” OR “192.168.1.47” OR “192.168.1.140” OR “192.168.1.145” OR “192.168.1.156” OR “192.168.1.149” OR “192.168.1.144” OR “192.168.1.80” OR “192.168.1.84”)

FFI fault finder: sw_event_category:fault_finder
Link flapping: sw_ffi_type:link_flap
CRC errors: sw_ffi_type:crc_errors
STP root changes: sw_stp_event:root_bridge_change
BPDU starvation: sw_stp_event:bpdu_starved
Switch reboots/boots: sw_system_event:(reboot OR boot OR went_down)
SNMP violations: sw_event_category:snmp_security
Telnet logins (risk): sw_mgr_event:session_start AND sw_mgr_protocol:TELNET
Login failures: sw_mgr_event:login_failure OR sw_auth_event:login_failure
All warnings/criticals: sw_alert_severity:warning OR sw_alert_severity:critical
DHCP snooping violations: sw_dhcp_event:bad_release_attempt
Port link changes: sw_port_event:(link_up OR link_down)
PoE problems: sw_port_event:poe_error

================================================================================
END
================================================================================

Share This: