<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Hi John!<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
I see you've joined the discussion under <a href="https://github.com/syslog-ng/syslog-ng/pull/3934">https://github.com/syslog-ng/syslog-ng/pull/3934</a>. That's great and welcome!</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
About your question turning off EMBLEM format: I didn't answer your question as I had to do some looking around.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
I wouldn't suggest turning off EMBLEM format (I don't even know if it's configured or not by the example log).</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
I didn't find a specification about the format, only hints that it requires UDP protocol and it can add the PRI field to the message. Some details are here [1], but otherwise only hints on public forums.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
What we clearly see is that ISO timestamps in Cisco devices are documented, so we should support them (it's documented in [1] too).</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
I would rather suggest switching back the timestamp format on those firewalls, than switching off the emblem format.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Or, what about my workaround idea with the extracted cisco-triplet-parser(), was it working?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Regards,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
Gabor</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:11pt; color:rgb(0,0,0)">
[1] <a href="https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/analyze_events_using_external_tools.html#id_83292">https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/analyze_events_using_external_tools.html#id_83292</a></div>
<div id="appendonsend"></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Stoffel, John (TAI) <John.Stoffel@toshiba.com><br>
<b>Sent:</b> Monday, March 7, 2022 19:10<br>
<b>To:</b> Gabor Nagy (gnagy) <Gabor.Nagy@oneidentity.com>; Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> RE: parsing cisco firepower logs problem with 3.33</font>
<div> </div>
</div>
<div lang="EN-US" style="word-wrap:break-word">
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Hi Gabor,</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Do you think we should turn OFF the EMBLEM format, if it’s set on our routers? I can ask the network team to do so and we can see what happens...</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
John</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D"> </span></p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">Sr. Storage Architect</span><span style="color:#1F497D"></span></p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="font-size:10.0pt; color:red">TOSHIBA AMERICA, INC.</span></b></p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">1251 6<sup>th</sup>, Ave 41<sup>st</sup> flr, New York, NY 10020</span><span style="color:#1F497D"></span></p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">508-736-5499 (mobile)</span><span style="color:#1F497D"></span></p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">E-Mail: </span><u><span style="font-size:10.0pt; color:blue"><a href="mailto:john.stoffel@toshiba.com"><span style="color:#0563C1">john.stoffel@toshiba.com</span></a></span></u><span style="color:#1F497D"></span></p>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">Website: </span><u><span style="font-size:10.0pt; color:#0563C1"><a href="https://nassc.service-now.com/ess/navpage.do"><span style="color:#0563C1">Service Now Self Service Portal</span></a></span></u><span style="color:#1F497D"></span></p>
</div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b>From:</b> Gabor Nagy (gnagy) <Gabor.Nagy@oneidentity.com> <br>
<b>Sent:</b> Thursday, March 3, 2022 7:14 AM<br>
<b>To:</b> Stoffel, John (TAI) <John.Stoffel@toshiba.com>; Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: parsing cisco firepower logs problem with 3.33</p>
</div>
</div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">Sorry for not replying sooner.<br>
<br>
I'm working on a modified cisco-parser() that accepts ISO timestamps too.<br>
I've opened a draft pull request for discussion, but some issues are not yet resolved.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"><a href="https://github.com/syslog-ng/syslog-ng/pull/3934">https://github.com/syslog-ng/syslog-ng/pull/3934</a><br>
<br>
You mentioned you only need to classify by level/severity (e.g. "%FTD-6-305012"), which means the only essential part for you is the triplet parsing part of the cisco-parser(). </span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">You can modify your cisco-parser() implementation to do only that and you can skip the timestamp parsing issue.<br>
It won't parse the timestamp from the message, thus your log message will have the received time as timestamp.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">I've attached an example config, in that you can see a "p_cisco_triplet" parser which has lines copied from the cisco-parser.<br>
With that you can classify your log messages based on severity/level.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;margin-bottom:12.0pt">
<span style="color:black">We can improve this workaround if the message format is fixed and we don't have to be flexible.<br>
<br>
I haven't found much in the Cisco documentation, I'm not really a Cisco expert.<br>
I was wondering, but is this format the Cisco EMBLEM format? [1]<br>
I haven't really found any documentation about the format itself. Sorry if this is a bit off-topic.<br>
<br>
[1] <a href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html</a></span></p>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"><br>
Regards,<br>
Gabor</span></p>
</div>
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_divRplyFwdMsg">
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> Stoffel, John (TAI) <<a href="mailto:John.Stoffel@toshiba.com">John.Stoffel@toshiba.com</a>><br>
<b>Sent:</b> Wednesday, March 2, 2022 20:09<br>
<b>To:</b> Gabor Nagy (gnagy) <<a href="mailto:Gabor.Nagy@oneidentity.com">Gabor.Nagy@oneidentity.com</a>>; Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> RE: parsing cisco firepower logs problem with 3.33</span> </p>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<p class="x_MsoNormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Here’s a thought... could I just take the existing log files and watch them with a targeted grep command to only get the data I want, and then push that into a new separate syslog-ng instance to send the data to another remote syslog server?</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Something like:</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
remote cisco fw -> syslog-ng -> file;</p>
<p class="x_xmsolistparagraph" style="margin-top: 0px; margin-bottom: 0px;margin: 0in 0in 0in 0.5in; font-size: 11pt; font-family: Calibri, sans-serif;margin-left:1.0in; text-indent:-.25in">
<span style="font-size:10.0pt; font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span>tail -f file | grep "%FTD-1-" | syslog-ng -c /path/to/forwarding.conf
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
and have this send only the subset of data I want to forward? I really just need to parse out log files with (in regexp terms) “\s+%FTD-[12]-\d+ \s+” matching the payload, and then just send it on.</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Any pointers to docs on how I could do this type of stupid silly hack? </p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
John</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b>From:</b> Stoffel, John (TAI) <br>
<b>Sent:</b> Tuesday, March 1, 2022 2:01 PM<br>
<b>To:</b> Gabor Nagy (gnagy) <<a href="mailto:Gabor.Nagy@oneidentity.com">Gabor.Nagy@oneidentity.com</a>>; Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> RE: parsing cisco firepower logs problem with 3.33</p>
</div>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Gabor, we’re running version 6.7.0 of the Cisco FirePower OS, whatever it’s really called.</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b>From:</b> Gabor Nagy (gnagy) <<a href="mailto:Gabor.Nagy@oneidentity.com">Gabor.Nagy@oneidentity.com</a>>
<br>
<b>Sent:</b> Monday, February 28, 2022 5:26 AM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>>; Stoffel, John (TAI) <<a href="mailto:john.stoffel@toshiba.com">john.stoffel@toshiba.com</a>><br>
<b>Subject:</b> Re: parsing cisco firepower logs problem with 3.33</p>
</div>
</div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">Dear John!</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"><br>
Sorry for not answering earlier.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">Thanks for the detailed report of this issue.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">To be honest, cisco-parser is probably the most complex SCL in syslog-ng, and it's hard to debug it.<br>
Message processing can be debugged if syslog-ng is running with trace-level debugging, but it's not an easy output to parse.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black; background:white">The internal logs show what happens to a log message on each pipeline element (from sources until it reaches the destination).</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">Trace-level internal logs cause a vast amount of logs on the console or internal() log, so I recommend using this only for debugging 1 message.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">It can be turned on via "syslog-ng-ctl trace -s 1" or starting syslog-ng in the foreground: "syslog-ng -Fedvt".</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">I've checked the log formats you sent us, and the main problem is not with the order of elements, but the format of the timestamp.<br>
It's an ISO-8601 formatted timestamp, while the cisco-parser only supports the old "day-name month" format (e.g. Feb 16 2022 16:31:53).</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">When I changed only the timestamp format on one of your log messages, cisco-parser() worked:<br>
&lt;166&gt;Feb 16 2022 16:31:53 na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation from FOO-WAN_IN:10.92.60.80/59877 to FOO-OUTSIDE:6.7.8.18/59877 duration 0:01:01<br>
<br>
Also with the changed order the hostname (or by Cisco terminology "origin-id") cannot be parsed by the cisco-parser.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"> </span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">I'll create a pull request about this and discuss it with the team.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black">Can you send us some information about that Cisco device that sends these logs, please? So we can look into its documentation.</span></p>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="color:black"><br>
<br>
Regards,<br>
Gabor</span></p>
</div>
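<p>Added example (not part of the original thread and not syslog-ng's cisco-parser() code): a Python sketch of the two points made in the messages above, accepting both the legacy and the ISO-8601 timestamp, falling back to the receive time when neither parses, and classifying by the Cisco triplet so only %FTD severity 1 and 2 messages are selected. The function names, the ISO-format frame and the "%FTD-1-000001" frame are constructed for illustration.</p>

```python
import re
from datetime import datetime

# <PRI> prefix: PRI = syslog facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco triplet %FACILITY-SEVERITY-MNEMONIC, e.g. %FTD-6-305012
TRIPLET_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-([0-7])-([A-Z0-9_]+):?\s*")
# Legacy Cisco timestamp, e.g. "Feb 16 2022 16:31:53"
LEGACY_TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{4}) (\d{2}):(\d{2}):(\d{2})")
# ISO-8601 timestamp, e.g. "2022-02-16T16:31:53Z" or with a numeric offset
ISO_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(Z|[+-]\d{2}:\d{2})?")
MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}


def parse_timestamp(text):
    """Return (datetime or None, remaining text); accepts both formats."""
    m = ISO_TS_RE.match(text)
    if m:
        base, zone = m.groups()
        zone = "+00:00" if zone == "Z" else (zone or "")
        try:
            return datetime.fromisoformat(base + zone), text[m.end():]
        except ValueError:
            return None, text
    m = LEGACY_TS_RE.match(text)
    if m and m.group(1) in MONTHS:
        mon, day, year, hh, mm, ss = m.groups()
        try:
            ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
            return ts, text[m.end():]
        except ValueError:  # e.g. "Feb 31"
            return None, text
    return None, text


def parse_cisco(frame, received=None):
    """Parse one frame into a dict; return None if it carries no triplet."""
    rest = frame.strip()
    record = {"facility": None, "pri_severity": None}
    m = PRI_RE.match(rest)
    if m:
        pri = int(m.group(1))
        if pri <= 191:  # highest valid PRI: facility 23, severity 7
            record["facility"], record["pri_severity"] = divmod(pri, 8)
        rest = rest[m.end():]
    ts, rest = parse_timestamp(rest)
    # Without a parsable timestamp the message keeps its receive time.
    record["timestamp"] = ts if ts is not None else received
    record["timestamp_from_message"] = ts is not None
    t = TRIPLET_RE.search(rest)
    if not t:
        return None
    record["cisco_facility"] = t.group(1)
    record["cisco_severity"] = int(t.group(2))
    record["cisco_mnemonic"] = t.group(3)
    # Whatever sits between timestamp and triplet is treated as the origin-id.
    record["origin_id"] = rest[:t.start()].strip(" :") or None
    record["message"] = rest[t.end():]
    return record


def select_for_forwarding(frames, facility="FTD", severities=(1, 2), received=None):
    """Keep only records matching the thread's %FTD-[12]-... criterion."""
    selected = []
    for frame in frames:
        rec = parse_cisco(frame, received)
        if rec and rec["cisco_facility"] == facility \
                and rec["cisco_severity"] in severities:
            selected.append(rec)
    return selected


# First frame is the one quoted in the message above; the other two are constructed.
SAMPLE_FRAMES = [
    "<166>Feb 16 2022 16:31:53 na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown "
    "dynamic TCP translation from FOO-WAN_IN:10.92.60.80/59877 to "
    "FOO-OUTSIDE:6.7.8.18/59877 duration 0:01:01",
    "<166>2022-02-16T16:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown "
    "dynamic TCP translation (constructed ISO-timestamp variant)",
    "<161>na-zy-int-fp1140-p02 : %FTD-1-000001: constructed alert without timestamp",
]

if __name__ == "__main__":
    for rec in select_for_forwarding(SAMPLE_FRAMES, received=datetime.now()):
        print(rec["timestamp"], rec["origin_id"], rec["cisco_mnemonic"], rec["message"])
```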
<div class="x_MsoNormal" align="center" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_x_divRplyFwdMsg">
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="color:black">From:</span></b><span style="color:black"> syslog-ng &lt;<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>&gt; on behalf of Stoffel, John (TAI) &lt;<a href="mailto:John.Stoffel@toshiba.com">John.Stoffel@toshiba.com</a>&gt;<br>
<b>Sent:</b> Thursday, February 17, 2022 15:47<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> &lt;<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>&gt;<br>
<b>Subject:</b> [syslog-ng] parsing cisco firepower logs problem with 3.33</span>
</p>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
<div>
<p class="x_xmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Hi,</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
I'm trying to parse some cisco logs from a Cisco firepower firewall, using syslog-ng v3.33 on a CentOS 7 system. After pounding my head against the wall a few times to realize that you can't just re-start syslog-ng and have it re-read a source file from scratch...
that instead I need to just push the data using netcat, it's now in a state where I think I can try to debug things.</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
My logs look like this:</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
&lt;166&gt;2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic UDP translation from TAI-INSIDE:1.2.3.110/51288 to FOO-OUTSIDE:6.7.8.18/33333 duration 0:00:00</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
&lt;166&gt;2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation from FOO-WAN_IN:10.92.60.80/59877 to FOO-OUTSIDE:6.7.8.18/59877 duration 0:01:01</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
&lt;166&gt;2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305011: Built dynamic UDP translation from FOO-INSIDE:1.2.3.110/51288 to FOO-OUTSIDE:6.7.8.18/5632</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Looking at this log, vs the examples given in the /usr/share/syslog-ng/include/scl/cisco/plugin.conf file, I think the problem is that my logs show the:</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
sequence, date: origin, %MSG </p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
instead of </p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
sequence, origin, date: %MSG</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
and it’s not clear to me how I would hack the plugin.conf file to handle this issue. My end goal is to be able to parse the message enough by log level so I can forward only a subset of messages to another remote syslog system.
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
Thanks,</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
John</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D"> </span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">Sr. Storage Architect</span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="font-size:10.0pt; color:red">TOSHIBA AMERICA, INC.</span></b></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">1251 6<sup>th</sup>, Ave 41<sup>st</sup> flr, New York, NY 10020</span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">508-736-5499 (mobile)</span></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:10.0pt; color:#1F497D">E-Mail: </span><u><span style="font-size:10.0pt; color:blue"><a href="mailto:john.stoffel@toshiba.com"><span style="color:#0563C1">john.stoffel@toshiba.com</span></a></span></u></p>
<p class="x_xxmsonormal" style="margin-top: 0px; margin-bottom: 0px;margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
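<div>
The two header layouts discussed in this thread (ISO 8601 timestamp versus "Feb 16 2022 16:31:53", each followed by the origin-id and the %FTD-severity-id tag) can be handled by one tolerant parser that also filters on severity for forwarding. This is an added Python illustration, not part of the original emails and not syslog-ng's cisco-parser() code; the function names, the field names and the third sample line are assumptions made for the example.
</div>
<pre>
```python
import re
from datetime import datetime

# Constructed samples modelled on the two layouts quoted in this thread;
# the third line (severity 3, id 999999) is invented for the filter demo.
SAMPLES = [
    "<166>2022-02-16T15:31:53Z na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation",
    "<166>Feb 16 2022 16:31:53 na-zy-int-fp1140-p02 : %FTD-6-305012: Teardown dynamic TCP translation",
    "<163>2022-02-16T15:31:54Z na-zy-int-fp1140-p02 : %FTD-3-999999: constructed error-level event",
]

LINE = re.compile(
    r"^<(\d{1,3})>"                                   # 1: syslog PRI
    r"(\d{4}-\d\d-\d\dT[\d:.]+(?:Z|[+-]\d\d:\d\d)"    # 2: ISO 8601 timestamp ...
    r"|[A-Z][a-z]{2} +\d{1,2} \d{4} [\d:]+)"          #    ... or "Feb 16 2022 16:31:53"
    r" (\S+) ?: "                                     # 3: origin-id (hostname)
    r"%([A-Z0-9_]+)-([0-7])-(\w+): (.*)$"             # 4-7: facility, severity, id, text
)

def parse(line):
    """Return a dict of header fields, or None if the line matches neither layout."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    pri, stamp, origin, fac, sev, msg_id, text = m.groups()
    try:
        if stamp[4] == "-":   # ISO form carries its own UTC offset
            ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        else:                 # legacy form has no zone: naive datetime (C locale month names)
            ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
    except ValueError:        # shaped like a timestamp but not a valid date
        return None
    return {
        "syslog_facility": int(pri) // 8, "syslog_severity": int(pri) % 8,
        "timestamp": ts, "origin_id": origin, "cisco_facility": fac,
        "cisco_severity": int(sev), "message_id": msg_id, "text": text,
    }

def select_for_forwarding(lines, max_severity=4):
    """Split lines into records at severity 0..max_severity and lines that failed to parse."""
    keep, unparsed = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)      # never drop silently: a parse gap is a visibility gap
        elif rec["cisco_severity"] <= max_severity:
            keep.append(rec)
    return keep, unparsed
```
</pre>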
</body>
</html>