How-To Create parser files and compliance policy files

In this section we assume that you have already created the command set that extracts the configuration you need.

Parser files.

Non-structured command outputs need to be condensed and transformed before opConfig can make compliance assessments in an efficient manner. This operation is performed by any number of 'configuration parsers', small components (written in Perl) that act as Subject-matter Experts and digest the textual input into one precise, unambiguous and structured document that's minimal in the sense of only containing relevant facts and properties.

For example, only small parts of the output of Cisco's "show interfaces" command would be relevant for detecting configuration mistakes like directed broadcasts being allowed. opConfig itself cannot contain the domain-specific expert knowledge for all kinds of devices, therefore we decided to make these config parsers extensible components: anybody can provide their own parsers for a particular type of command output.

opConfig's configuration parsers are more than just parsers and we might have called them "knowledge extractors" instead. The purpose of such a config parser is to consume a particular type of command output and transform (relevant parts of) it into a tree structure (json output).

Parsers are installed in the directory /usr/local/omk/conf/config_parsers and they must have the .pm extension. All config parsers must be valid Perl scripts.

Step 1. Identify what information you want to extract from a command output.

In this example we want to extract the Netflow configuration on a Fortigate device. The Fortigate command that has the information we need is "show full-configuration system netflow":

FGVM04TM22002236 # show full-configuration system netflow
config system netflow
    set collector-ip 192.168.0.104
    set collector-port 2055
    set source-ip 192.168.0.105
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    set interface-select-method auto
end

Step 2. Creating the parser file.

Now we have to create the parser for the "show full-configuration system netflow" command. We can copy the existing cisco-config.pm parser to create the fortigate-netflow.pm parser.

# cp cisco-interface.pm fortigate-netflow.pm

Edit the fortigate-netflow.pm parser file so that it extracts the following values:

  • collector-ip
  • collector-port
  • source-ip
  • active-flow-timeout
  • inactive-flow-timeout
  • template-tx-timeout
  • template-tx-counter
  • interface-select-method


# vi fortigate-netflow.pm
# this is a Fortigate "show full-configuration system netflow" parser for opconfig, which amends the config_features->config section
our $VERSION = "1.0.0";

my %config;
# the $input variable is provided by opConfig and contains all the command output from show full-configuration system netflow
for my $line (split(/\r?\n/, $input))
{
    if ($line =~ /.*set collector-ip (.+)/)  # the (.+) capture is the $1 variable
    {
        $config{collectorip} = $1;    # collectorip stores the value 192.168.0.104
    }
    if ($line =~ /.*set collector-port (.+)/)
    {
        $config{collectorport} = $1;
    }
    if ($line =~ /.*set source-ip (.+)/)
    {
        $config{sourceip} = $1;
    }
    if ($line =~ /.*set active-flow-timeout (.+)/)
    {
        $config{activeFtimeout} = $1;
    }
    if ($line =~ /.*set inactive-flow-timeout (.+)/)
    {
        $config{inactFtimeout} = $1;
    }
    if ($line =~ /.*set template-tx-timeout (.+)/)
    {
        $config{txtimeout} = $1;
    }
    if ($line =~ /.*set template-tx-counter (.+)/)
    {
        $config{txcounter} = $1;
    }
    if ($line =~ /.*set interface-select-method (.+)/)
    {
        $config{intmethod} = $1;
    }
}

# the hash reference returned by the last statement is what opConfig stores under config_features->netflow
return { config_features => { netflow => \%config } };
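Before installing a parser under /usr/local/omk/conf/config_parsers it is worth running its logic stand-alone against a saved copy of the command output and checking the tree it produces. The script below is an added example, not opConfig's own code: it embeds a constructed copy of the output from Step 1 in $input (inside opConfig that variable is supplied for you and the heredoc and harness lines would be dropped), generalises the one-regex-per-setting loop above into a single "set <name> <value>" rule driven by a lookup table, ignores everything outside the config ... end block so the device prompt can never leak into the result, and prints the tree as JSON. The key names (collectorip, activeFtimeout, ...) mirror the parser above; the %key_for table, parse_netflow and the checks at the end are this example's own.

```perl
#!/usr/bin/perl
# Added example (not part of opConfig): stand-alone harness for a Fortigate
# "show full-configuration system netflow" parser.
use strict;
use warnings;
use JSON::PP;    # core module, no extra install needed

# Constructed sample output with the same values as the how-to; in a real
# parser $input is provided by opConfig and this heredoc does not exist.
my $input = <<'END_OUTPUT';
FGVM04TM22002236 # show full-configuration system netflow
config system netflow
    set collector-ip 192.168.0.104
    set collector-port 2055
    set source-ip 192.168.0.105
    set active-flow-timeout 1800
    set inactive-flow-timeout 15
    set template-tx-timeout 1800
    set template-tx-counter 20
    set interface-select-method auto
end
END_OUTPUT

# Fortigate setting name -> key in the parsed tree (keys mirror the how-to).
my %key_for = (
    'collector-ip'            => 'collectorip',
    'collector-port'          => 'collectorport',
    'source-ip'               => 'sourceip',
    'active-flow-timeout'     => 'activeFtimeout',
    'inactive-flow-timeout'   => 'inactFtimeout',
    'template-tx-timeout'     => 'txtimeout',
    'template-tx-counter'     => 'txcounter',
    'interface-select-method' => 'intmethod',
);

# Parser body: returns the same hashref shape as the how-to's parser.
sub parse_netflow
{
    my ($text) = @_;
    my %config;
    my $in_block = 0;    # only honour "set" lines between config ... end

    for my $line (split(/\r?\n/, $text))
    {
        if ($line =~ /^\s*config system netflow\s*$/) { $in_block = 1; next; }
        if ($line =~ /^\s*end\s*$/)                   { $in_block = 0; next; }
        next unless $in_block;

        # set <name> <value>; the value may be double-quoted, e.g. set x "a b"
        if ($line =~ /^\s*set\s+(\S+)\s+"?([^"]*?)"?\s*$/)
        {
            my ($name, $value) = ($1, $2);
            my $key = $key_for{$name} or next;    # skip settings we do not track
            $config{$key} = $value;
        }
    }
    return { config_features => { netflow => \%config } };
}

my $tree = parse_netflow($input);
my $nf   = $tree->{config_features}{netflow};

# Checks a parser author runs before copying the .pm into config_parsers.
die "collector-ip not parsed"   unless $nf->{collectorip}   eq '192.168.0.104';
die "collector-port not parsed" unless $nf->{collectorport} == 2055;
die "interface method wrong"    unless $nf->{intmethod}     eq 'auto';
die "unexpected key count"      unless scalar(keys %$nf) == 8;
die "prompt leaked into result" if grep { /FGVM/ } values %$nf;

# Canonical key order keeps the output stable for diffing between runs.
print JSON::PP->new->canonical->pretty->encode($tree);
```

Run it with "perl harness.pl" after pasting your own device output into the heredoc; a die message points at the first setting that did not parse. Restricting matches to the config ... end block matters because opConfig's $input also carries the prompt line and any banner the device prints, and an over-broad ".*set ..." pattern would happily match those.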