Standard Log Parsers
The PunchPlatform comes with a set of standard log parsers, together
with a development environment that makes it easy to write, test and
deliver new parsers. In PunchPlatform terminology, a parser is called a "Punchlet"; the name comes from
the file extension of the parser files, which is .punch.
A Punchlet is typically chained with other generic Punchlets to form a data pipeline. These pipelines perform generic transformations right after a log enters a topology and/or right before it leaves the topology.
Examples are:
- an input punchlet that tags each log with the incoming listening port number or with the corresponding tenant/channel name.
- an output punchlet that removes unnecessary fields before sending the parsed logs out to Elasticsearch.
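To make the chaining concrete, here is an added illustration in plain Python (it is not Punch language and not code from the PunchPlatform project). It chains the three kinds of stage just described: an input stage tagging each log with the tenant/channel derived from its listening port, a parser stage (a minimal Apache httpd access-log parser), and an output stage stripping fields before the record would go to Elasticsearch. The port-to-tenant table, the `_port` metadata field and the sample log lines are constructed assumptions for this example.

```python
import re
from typing import Callable, Dict, Iterable, List

Stage = Callable[[dict], dict]

# Assumed mapping from listening port to (tenant, channel); constructed for the example.
PORT_TO_TENANT = {9999: ("tenant_a", "apache_httpd"), 9998: ("tenant_b", "nginx")}

# Minimal Apache common-log-format pattern (client, timestamp, request, status, size).
APACHE_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def tag_input(port_to_tenant: Dict[int, tuple]) -> Stage:
    """Input stage: tag the log with tenant/channel based on the port it arrived on."""
    def stage(log: dict) -> dict:
        tenant, channel = port_to_tenant.get(log.get("_port"), ("unknown", "unknown"))
        log["tenant"] = tenant
        log["channel"] = channel
        return log
    return stage


def parse_apache(log: dict) -> dict:
    """Parser stage: extract fields from the raw message; flag lines that do not match."""
    match = APACHE_CLF.match(log.get("message", ""))
    if match is None:
        log["parse_error"] = True      # keep the record, mark it for investigation
        return log
    log.update(match.groupdict())
    log["status"] = int(log["status"])
    return log


def strip_output(drop: Iterable[str]) -> Stage:
    """Output stage: drop transport-only fields, but keep the raw message on parse failure."""
    drop = set(drop)
    def stage(log: dict) -> dict:
        keep_raw = log.get("parse_error", False)
        return {
            k: v for k, v in log.items()
            if k not in drop or (keep_raw and k == "message")
        }
    return stage


def run_pipeline(log: dict, stages: List[Stage]) -> dict:
    """Apply stages in order; each stage receives the previous stage's output."""
    for stage in stages:
        log = stage(log)
    return log


PIPELINE: List[Stage] = [
    tag_input(PORT_TO_TENANT),
    parse_apache,
    strip_output({"_port", "message"}),
]

# Constructed sample records: raw line plus the (assumed) listening-port metadata.
SAMPLE_LOGS = [
    {"_port": 9999,
     "message": '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'},
    {"_port": 1234, "message": "this line is not an access log"},
]


def process_samples() -> List[dict]:
    """Run every sample through the pipeline (copies keep SAMPLE_LOGS unchanged)."""
    return [run_pipeline(dict(log), PIPELINE) for log in SAMPLE_LOGS]


if __name__ == "__main__":
    for record in process_samples():
        print(record)
```

The parsed record leaves the pipeline with `tenant`, `channel` and the extracted fields but without `_port` or the raw `message`; the unparsable record is tagged `unknown`, flagged with `parse_error` and keeps its raw message so the failure can be diagnosed downstream instead of being silently dropped.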
This chapter details each standard log parser. You will find the
corresponding Punchlets on your production installation, in the
resources/punch/standard
directory. If a parser seems to be missing, feel free
to ask us for it.
Here is the list of the existing parsers:
- alcatel_switch
- apache_httpd
- arkoon
- aruba_7200
- bluecoat_proxysg
- ca_siteminder
- checkpoint_firewall
- checkpoint_security_gateways
- cisco_asa
- cisco_firepower
- cisco_ironport
- cisco_wlc
- denyall_probe
- denyall_security
- f5
- f5_waf
- fireeye_axseries
- Forcepoint_Web_Security
- forcepoint_FW
- fortinet_fortianalyzer
- fortinet_fortigate
- handover
- IBM_Datapower
- infoblox_trinzic
- ironmail
- juniper_junos
- juniper_netscreen
- juniper_RSA
- juniper_security_manager
- juniper_srx
- linux_isc_dhcp
- mcafee_epo
- microsoft_exchange
- microsoft_iis
- microsoft_windows
- nginx
- nokia_vitalqip
- paloalto
- paloalto_FW
- postfix
- radius
- Sogo_webmail
- sophos
- sophos_pure_message
- sourcefire_ips
- squid
- stonesoft
- stormshield_networksecurity
- sun_solaris
- suricata
- symantec_endpointprotection
- thales_mistral
- unix
- wallix_admin_bastion
- websense