Standard Log Parsers

The PunchPlatform comes with a set of standard log parsers, together with a development environment to make it easy to write, test and deliver new parsers. In the PunchPlatform common language, a parser is called "Punchlet". This name comes from the file extension which is .punch.

A Punchlet is likely to be chained with other generic Punchlets to become a data pipeline. These pipelines are in charge of performing generic transformations right after the log enters a topology and/or right before the topology.

Examples are:

1. an input punchlet that tags each logs with the incoming listening port number or with the corresponding tenant/channel name.
2. an output punchlet that removes unnecessary fields before sending out the parsed logs to Elasticsearch.

This overall chapter details each standard log parser. You will find the corresponding Punchlets on your production installation. Check the resources/punch/standard directory. If anything seems to miss, feel free to ask us for the parser.

Here is the list of the existing parsers:

• alcatel_switch
• apache_httpd
• arkoon
• aruba_7200
• bluecoat_proxysg
• ca_siteminder
• checkpoint_firewall
• checkpoint_security_gateways
• cisco_asa
• cisco_firepower
• cisco_ironport
• cisco_wlc
• denyall_probe
• denyall_security
• f5
• f5_waf
• fireeye_axseries
• Forcepoint_Web_Security
• forcepoint_FW
• fortinet_fortianalyzer
• fortinet_fortigate
• handover
• IBM_Datapower
• infoblox_trinzic
• ironmail
• juniper_junos
• juniper_netscreen
• juniper_RSA
• juniper_security_manager
• juniper_srx
• linux_isc_dhcp
• mcafee_epo
• microsoft_exchange
• microsoft_iis
• microsoft_windows
• nginx
• nokia_vitalqip
• paloalto
• paloalto_FW
• postfix
• radius
• Sogo_webmail
• sophos
• sophos_pure_message
• sourcefire_ips
• squid
• stonesoft
• stormshield_networksecurity
• sun_solaris
• suricata
• symantec_endpointprotection
• thales_mistral
• unix
• wallix_admin_bastion
• websense