Release Notes
• User: The username identifier. It can be in the form of a name, MAC address, or IP address.
• Action: The action to take when a rule match occurs.
Once a condition match occurs, no further rule-matching will be made. For the matching rule, only one action
can be defined.
For more details on the character-matching operators, repetition operators, and expression anchors used to
define the search or match target, refer to the External Services Interface chapter in the Dell Networking
W-Series ArubaOS 6.4.x User Guide.
Use the show esi parser rules command to show ESI parser rule information. Use the
show esi parser stats command to show ESI parser rule statistical information.
Examples
The following command sets up the Fortigate virus rule named “forti_rule.” This rule parses the virus detection
syslog scanning for a condition match on the log_id value (log_id=) and a match on the IP address (src=).
(host) (config) #esi parser rule forti_rule
condition "log_id=[0-9]{10}[ ]"
match ipaddr "src=(.*)[ ]"
set blacklist
domain fortinet
enable
In this example, the corresponding ESI expression is:
<Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4>
The following example of the test command tests a rule against a specified single syslog message.
test msg "26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"
<26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4>
=====
Condition: Matched with rule "forti_rule"
User: ipaddr=1.2.3.4
=====
The following example of the test command tests a rule against a file named test.log, which contains several
syslog messages.
test file test.log
<Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4>
==========
Condition: Matched with rule "forti_rule"
User: ipaddr=1.2.3.4
==========
<Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out.>
==========
Condition: No matching rule condition found
==========
<Oct 18 10:05:32 mobileip[499]: <500300> <DBUG> |mobileip| Station 00:40:96:a6:a1:a4,
10.0.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY,
next: PROXY_DHCP_NO_PROXY>
==========
Condition: No matching rule condition found
==========
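An offline harness for checking a rule like forti_rule against sample syslog lines before enabling its blacklist action. This is an added example, not taken from the guide. It emulates the rule with Python's re module (the controller's own regex engine may behave differently), and STRICT_SRC, the IP validation step and the third sample line are assumptions introduced here.

```python
import ipaddress
import re

# Emulation in Python's re module; the controller's regex engine may differ.
CONDITION = re.compile(r"log_id=[0-9]{10}[ ]")       # condition from forti_rule
GREEDY_SRC = re.compile(r"src=(.*)[ ]")              # match ipaddr as written in the rule
STRICT_SRC = re.compile(r"src=([0-9.]+)(?:[ ]|$)")   # hypothetical tighter variant


def evaluate(msg, user_re=STRICT_SRC, rule="forti_rule"):
    """Return (rule, ip, action) if the rule fires on msg, else None."""
    if not CONDITION.search(msg):
        return None                  # no matching rule condition found
    m = user_re.search(msg)
    if not m:
        return None                  # condition matched, but no user was extracted
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None                  # captured text is not an address: take no action
    return (rule, str(ip), "blacklist")


# Sample input: two messages from the examples above, plus one constructed
# line with extra fields after src= to exercise the capture group.
SAMPLES = [
    "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4",
    "Oct 18 10:43:40 cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out.",
    "Sep 26 18:31:10 log_id=0100030101 type=virus src=1.2.3.4 dst=10.0.0.5 status=blocked",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(evaluate(line), "<-", line)
    # Greedy (.*) runs to the last space, so it swallows the following field.
    print(repr(GREEDY_SRC.search(SAMPLES[2]).group(1)))
```

With a greedy `(.*)` the capture on the third line includes the `dst=` field, so the extracted user is not a usable address. Running candidate patterns over representative logs this way catches that before a blacklist action depends on them.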
Dell Networking W-Series ArubaOS 6.4.x | Reference Guide esi parser rule | 326