How to show SyslogMessage in the CiscoWSAEvent function?
When I downloaded Cisco WSA from the Content Hub I got a function named CiscoWSAEvent.
When I first connected my Cisco WSA to Sentinel I got confused, because in my Syslog table I had logs from the WSA but I did not get a Connected status from the data connector. Then, when I checked the CiscoWSAEvent function,
it had the wrong default filter for my Syslog data.
The original CiscoWSAEvent function is:
let cisco_wsa_access_logs = () {
    Syslog
    | where ProcessName in ("cisco_wsa")
    | extend LogType = iff(SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs", iif(SyslogMessage matches regex @"\A\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs", dynamic("")))
};
cisco_wsa_access_logs
I changed it to:
let cisco_wsa_access_logs = () {
    Syslog
    | where HostIP in ("10.20.30.40")
    | extend LogType = iff(SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs", iif(SyslogMessage matches regex @"\A\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs", dynamic("")))
};
cisco_wsa_access_logs
so that it matches the HostIP in my Syslog data.
After I made that edit I got a Connected status in my data connector.
But unfortunately I do not get SyslogMessage
from the default function. So I have to open my Syslog data and write a manual query to filter only the logs from the WSA. I need that function to filter the specific logs in my Syslog data, but I still need SyslogMessage
from my Syslog data.
Could anyone help me solve this issue?
This is an image showing the Syslog data and the output of the function.
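The following is an added example, not code from the post above or from the Content Hub CiscoWSAEvent parser. It assumes (this is not confirmed on the page) that the stock parser ends by projecting only its parsed fields, which is what would make SyslogMessage disappear from the function output. The workaround is a local function that only ever adds columns with extend and never projects the raw message away, and that accepts either the default ProcessName match or the HostIP used in the post, so the filter still works whether or not the WSA tags its messages with cisco_wsa. The IP 10.20.30.40 is taken from the post; the function name CiscoWSAEvent_Raw is an assumed name for the local copy.

```kusto
// Added example (not the Content Hub parser). Saved as a workspace function
// named CiscoWSAEvent_Raw (assumed name) so the original parser stays untouched.
let CiscoWSAEvent_Raw = () {
    Syslog
    // Accept either the parser's default ProcessName filter or the host IP
    // from the post, so WSA logs are kept whichever field the appliance fills in.
    | where ProcessName == "cisco_wsa" or HostIP == "10.20.30.40"
    // Classify the two WSA access-log formats by their leading fields:
    //   Squid: "<epoch>.<ms> <elapsed> <client-ip> ..."
    //   W3C:   "<yyyy-MM-dd> <HH:mm:ss> <epoch>.<ms> ..."
    | extend LogType = case(
        SyslogMessage matches regex @"\A\d{10}\.\d{3}\s\d+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "Squid Logs",
        SyslogMessage matches regex @"\A\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s\d{10}\.\d{3}", "W3C Logs",
        "Unknown")
    // Only extend, never project/project-away: every Syslog column, including
    // SyslogMessage, survives into the function output.
};
// Usage: show the raw message next to the classification, and surface any
// lines the two regexes did not recognise.
CiscoWSAEvent_Raw
| project TimeGenerated, HostIP, HostName, ProcessName, LogType, SyslogMessage
| order by TimeGenerated desc
| take 50
```

Two checks are worth running before relying on the HostIP filter. First, `Syslog | where HostIP == "10.20.30.40" | summarize count() by ProcessName` shows whether that host is sending anything besides WSA access logs, since a host-based filter will sweep those in too. Second, `CiscoWSAEvent_Raw | where LogType == "Unknown" | take 20` shows messages that matched neither format, which usually means the WSA is configured with a custom access-log format and the regexes need adjusting rather than the filter.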