How to show SyslogMessage in CiscoWSAEvent Function ?

zake 20 Reputation points
2024-05-27T09:18:05.1666667+00:00

When I downloaded Cisco WSA from the Content hub I got a function named CiscoWSAEvent. The first time I connected my Cisco WSA to Sentinel I got confused, because in my Syslog table I got logs from the WSA but I didn't get a Connected status from the Data Connector. When I checked the CiscoWSAEvent function, its default filter didn't match my Syslog data.

The first CiscoWSAEvent function is:

```kusto
let cisco_wsa_access_logs = () {
Syslog
| where ProcessName in ("cisco_wsa")
| extend LogType = iff(SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs" , iif(SyslogMessage matches regex @"\A\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs",dynamic("")))
};
cisco_wsa_access_logs
```

I changed it to:

```kusto
let cisco_wsa_access_logs = () {
Syslog
| where HostIP in ("10.20.30.40")
| extend LogType = iff(SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs" , iif(SyslogMessage matches regex @"\A\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs",dynamic("")))
};
cisco_wsa_access_logs
```

so that it matches the HostIP in my Syslog data.

After I edited that I got a Connected status in my data connector. But unfortunately I don't get SyslogMessage from the default function. So I need to open my Syslog data and query manually to filter only the logs from the WSA. I need that function to filter the specific logs in my Syslog data, but I still need the SyslogMessage from my Syslog data.

Could anyone help me solve this issue?

These images show the output from Syslog and from the function:

[image: FromSyslog]

[image: FromFunction]
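As an added example (not from the original post or the Content Hub parser), the query below keeps the raw SyslogMessage next to the LogType classification and shows which ProcessName the appliance actually reports, so the original `ProcessName` filter can be corrected rather than replaced by a hard-coded address. The host IP 10.20.30.40 is taken from the question; the function name `cisco_wsa_raw` and the `hosts` parameter are assumptions.

```kusto
// Added example: classify WSA access logs like the parser does, but keep
// SyslogMessage in the output and surface the ProcessName values seen.
// The 'hosts' parameter holds the appliance IP(s) from the question (assumed);
// the ProcessName match is kept so the query also works once that is fixed.
let cisco_wsa_raw = (hosts:dynamic) {
    Syslog
    | where HostIP in (hosts) or ProcessName == "cisco_wsa"
    | extend LogType = case(
        // Squid-style access log: epoch.millis, elapsed ms, client IP
        SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs",
        // W3C-style access log: date, time, then epoch.millis
        SyslogMessage matches regex @"\A\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs",
        "Unknown")
    // Keep the raw line so it is still available for manual review
    | project TimeGenerated, HostIP, Computer, ProcessName, Facility, SeverityLevel, LogType, SyslogMessage
};
// Which ProcessName does the WSA send, and does every line get a LogType?
cisco_wsa_raw(dynamic(["10.20.30.40"]))
| where TimeGenerated > ago(1d)
| summarize Lines = count(), SampleMessage = take_any(SyslogMessage) by ProcessName, LogType
| order by Lines desc
```

Lines that land in `Unknown` indicate a log format the two regexes do not cover, and the `ProcessName` column shows the value to put into the parser's `where ProcessName in (...)` filter.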
