In this section we assume that you have already created the command set that extracts the configuration you need; see the article "How-To Create a Compliance Policy in opConfig", Step 1-b.
Parser files.
Non-structured command outputs need to be condensed and transformed before opConfig can make compliance assessments efficiently. This is done by any number of 'configuration parsers': small components (written in Perl) that act as subject-matter experts and digest the textual input into one precise, unambiguous, structured document that is minimal in the sense of containing only the relevant facts and properties.
```text
FGVM04TM22002236 # show full-configuration system netflow
config system netflow
    set collector-ip 192.168.0.104
    set collector-port 2055
    set source-ip 192.168.0.105
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    set interface-select-method auto
end
```
Step 2. Create the parser file.
Now we have to create the parser for the "show full-configuration system netflow" command. We can copy the existing cisco-config.pm parser as a starting point and turn it into the fortigate-netflow.pm parser.
```perl
# this is a Fortigate "show full-configuration system netflow" parser for opConfig, which adds the config_features->netflow section
our $VERSION = "1.0.0";
my %config;
# the $input variable contains all the command output from "show full-configuration system netflow"
for my $line (split(/\r?\n/, $input))
{
    # each regex is anchored on the "set" keyword; the (\S+) capture is the $1 variable and holds only the value, without trailing whitespace
    if ($line =~ /^\s*set collector-ip (\S+)/)
    {
        $config{collectorip} = $1; # the collectorip key stores the value 192.168.0.104
    }
    if ($line =~ /^\s*set collector-port (\S+)/)
    {
        $config{collectorport} = $1;
    }
    if ($line =~ /^\s*set source-ip (\S+)/)
    {
        $config{sourceip} = $1;
    }
    if ($line =~ /^\s*set active-flow-timeout (\S+)/)
    {
        $config{activeFtimeout} = $1;
    }
    if ($line =~ /^\s*set inactive-flow-timeout (\S+)/)
    {
        $config{inactFtimeout} = $1;
    }
    if ($line =~ /^\s*set template-tx-timeout (\S+)/)
    {
        $config{txtimeout} = $1;
    }
    if ($line =~ /^\s*set template-tx-counter (\S+)/)
    {
        $config{txcounter} = $1;
    }
    if ($line =~ /^\s*set interface-select-method (\S+)/)
    {
        $config{intmethod} = $1;
    }
}
# the parser file returns the structured document that opConfig merges into the node's config status
return { config_features => { netflow => \%config } };
```
We can check that the syntax is OK with:
```shell
# perl -c fortigate-netflow.pm
fortigate-netflow.pm syntax OK
```
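As an added example (it is neither the parser above nor one shipped with opConfig), here is a table-driven version of the same parser. It tracks the enclosing `config ... / end` block so that only `set` lines inside `config system netflow` are read, tolerates CRLF line endings and quoted values, maps the Fortigate setting names to the property names used above, and, when run directly rather than loaded by opConfig, parses a constructed sample. Like the page's parser it assumes opConfig provides the command output in `$input`.

```perl
# fortigate-netflow.pm, table-driven variant (added example; not opConfig's shipped parser)
use warnings;
our $VERSION = "1.0.0";

# Fortigate "set <name> <value>" lines we care about, mapped to the property
# names used by the compliance policy (same names as the hand-written parser).
my %PROPERTY = (
    'collector-ip'            => 'collectorip',
    'collector-port'          => 'collectorport',
    'source-ip'               => 'sourceip',
    'active-flow-timeout'     => 'activeFtimeout',
    'inactive-flow-timeout'   => 'inactFtimeout',
    'template-tx-timeout'     => 'txtimeout',
    'template-tx-counter'     => 'txcounter',
    'interface-select-method' => 'intmethod',
);

# Walk the output while tracking the enclosing "config ..." block, so only
# settings inside "config system netflow" are taken; tolerates CRLF and quotes.
sub parse_netflow {
    use strict;
    my ($text) = @_;
    my (%config, $section);
    for my $line (split /\r?\n/, $text) {
        if    ($line =~ /^\s*config\s+(.+?)\s*$/) { $section = $1; next; }
        elsif ($line =~ /^\s*end\s*$/)            { $section = undef; next; }
        next unless defined $section && $section eq 'system netflow';
        if ($line =~ /^\s*set\s+(\S+)\s+(.+?)\s*$/) {
            my ($name, $value) = ($1, $2);
            $value =~ s/^"(.*)"$/$1/;             # set fqdn "host" -> host
            $config{ $PROPERTY{$name} } = $value if exists $PROPERTY{$name};
        }
    }
    return \%config;
}

# opConfig supplies the command output in $input (as the page's parser assumes);
# when the file is run directly there is no $input, so a constructed sample is used.
my $sample = <<'END_SAMPLE';
FGVM04TM22002236 # show full-configuration system netflow
config system netflow
    set collector-ip 192.168.0.104
    set collector-port 2055
    set interface-select-method auto
end
END_SAMPLE
my $netflow = parse_netflow(defined $input ? $input : $sample);
return { config_features => { netflow => $netflow } } if caller;  # loaded by opConfig
print "$_ = $netflow->{$_}\n" for sort keys %$netflow;            # stand-alone run
```

Running `perl fortigate-netflow.pm` prints the three properties found in the sample; under opConfig the `return` hands back the same `config_features` document as the hand-written parser.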
Warning: to create parser files you need to know the basic concepts of Perl programming and regular expressions.
Step 3. Add the parser file to the opCommon file.
Now we need to register the fortigate-netflow.pm file in the opCommon.json file. The `#` annotations in the excerpt below are explanatory only; JSON does not allow comments, so do not put them in the real file.
```shell
# cd /usr/local/omk/conf/
# vi opCommon.json
```
```text
.
.
.
"opconfig_url_base" : "",
"opconfig_disable_ios_ssh_connection_discovery" : "false",
"opconfig_parsers" : [
    [
        "^show full-configuration system netflow$",    # Command whose output we are extracting information from
        "config_parsers/fortigate-netflow.pm"          # File that parses the command output
    ]
],
"opconfig_queue_expire_after_seconds" : 691200,
"opconfig_audit_import" : 1,
.
.
.
```
We can check that the file is still valid JSON with:
```shell
# json_xs < opCommon.json
```
Note that all matching parsers will be applied for a particular command, in the order they are given in the configuration.
Step 4. Execute the update_config_status and export_config_status commands.
To verify that your parsers have correctly extracted the expected properties, you can update and export the newest version of the config status document.
```shell
# /usr/local/omk/bin/opconfig-cli.pl act=update_config_status node=FortinetTest force=1 debug=9
```
```text
[root@localhost conf]# /usr/local/omk/bin/opconfig-cli.pl act=update_config_status node=FortinetTest force=1 debug=9
opconfig-cli.pl Version 3.420.0
Copyright (C) 2015 Opmantek Limited (www.opmantek.com)
This program comes with ABSOLUTELY NO WARRANTY;
See www.opmantek.com or email contact@opmantek.com
opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023
[2023-01-20 17:26:48.57293] [7905] [debug] new opConfig: require_db
[2023-01-20 17:26:48.71776] [7905] [debug] Creating NMISx
[2023-01-20 17:26:48.95578] [7905] [debug] getting newest config status for node FortinetTest
[2023-01-20 17:26:48.96042] [7905] [debug] Node status for FortinetTest needs updating
[2023-01-20 17:26:48.96154] [7905] [debug] found no config parser for command "diagnose ip address list" on node FortinetTest
[2023-01-20 17:26:48.96165] [7905] [debug] found no config parser for command "get system status" on node FortinetTest
[2023-01-20 17:26:48.96168] [7905] [debug] found no config parser for command "nmap -T4 -F" on node FortinetTest
[2023-01-20 17:26:48.96170] [7905] [debug] found no config parser for command "nmap -T4 -O -F --version-light" on node FortinetTest
[2023-01-20 17:26:48.96173] [7905] [debug] found no config parser for command "ping" on node FortinetTest
[2023-01-20 17:26:48.96176] [7905] [debug] found no config parser for command "show full-configuration" on node FortinetTest
[2023-01-20 17:26:48.96178] [7905] [debug] found no config parser for command "show full-configuration system interface" on node FortinetTest
[2023-01-20 17:26:48.96181] [7905] [debug] getting newest command output for show full-configuration system netflow
[2023-01-20 17:26:48.96393] [7905] [debug] newest command output for show full-configuration system netflow is in
[2023-01-20 17:26:48.96404] [7905] [debug] processing command show full-configuration system netflow, node FortinetTest, revision 1, input length 289, structured no
[2023-01-20 17:26:48.96451] [7905] [debug] running parser /usr/local/omk/conf/config_parsers/fortigate-netflow.pm for node FortinetTest and command "show full-configuration system netflow"
[2023-01-20 17:26:48.96492] [7905] [debug] parser finished, merging results
[2023-01-20 17:26:48.96511] [7905] [debug] found no config parser for command "traceroute" on node FortinetTest
```
Warning: avoid using "-" or "_" in the variable and hash key names of the parser files. An unquoted key such as `collector-ip` is not a valid bareword hash key in Perl. Example of what not to do:
```perl
my %config;
$config{collector-ip} = $1; # meant to store the value 192.168.0.104 under collector-ip
```
Error that you could get when executing the update_config_status command:
```text
[2023-01-20 17:41:31.89140] [9699] [debug] running parser /usr/local/omk/conf/config_parsers/fortigate-netflow.pm for node FortinetTest and command "show full-configuration system netflow"
```
```shell
# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortinetTest debug=true
```
```text
[root@localhost conf]# /usr/local/omk/bin/opconfig-cli.pl act=export_config_status node=FortinetTest debug=true
opconfig-cli.pl Version 3.420.0
Copyright (C) 2015 Opmantek Limited (www.opmantek.com)
This program comes with ABSOLUTELY NO WARRANTY;
See www.opmantek.com or email contact@opmantek.com
opConfig is licensed to Opmantek Internal for 50 Nodes - Expires 15-Aug-2023
[2023-01-20 17:32:28.57037] [8596] [debug] new opConfig: require_db
[2023-01-20 17:32:28.71590] [8596] [debug] Creating NMISx
{
   "config_features" : {
      "netflow" : {
         "activeFtimeout" : "1800",
         "collectorip" : "192.168.0.104",
         "collectorport" : "2055",
         "inactFtimeout" : "15",
         "intmethod" : "auto",
         "sourceip" : "192.168.0.105",
         "txcounter" : "20",
         "txtimeout" : "1800"
      }
   }
}
```