You'd actually want to do this with a field extraction, but you could test the field extraction with the rex, though.
Something like this in your local/props.conf
[host::x.y.z.b]
EXTRACT-ip_proto,src_address,src_port,etc = list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)
You'll need to customize the extracted field names to match.
What you need to do is field extract the same fields from the IOS ACL deny log entries. I've used the following quick rex searches in the past to dig info from ACLs.
host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" | chart sparkline count by src_address
host="someIOSfirewall" %SEC-6-IPACCESSLOGP | rex field=_raw "list 101 denied (?<ip_proto>[a-zA-Z]+) (?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" | lookup geoip clientip as src_address | chart sparkline count by client_country | sort -count
Just make the field names match what it is expecting, and the type to match, and you'll be set.
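As an added example (not from the original answers or from Splunk), here is a way to check the same regex offline before putting it in props.conf: run it over a few constructed %SEC-6-IPACCESSLOGP lines and count denies per source address, which is what the `chart count by src_address` search does. The sample log lines, the host name fw1 and the dst_address/dst_port group names are assumptions; the one real caveat it demonstrates is that Splunk's rex uses PCRE `(?<name>...)` groups, while Python's re module needs `(?P<name>...)`, so the pattern is rewritten before compiling.

```python
import re
from collections import Counter

# Constructed sample lines in Cisco IOS %SEC-6-IPACCESSLOGP format (not real logs).
SAMPLE_LOGS = [
    "Mar  3 10:15:01 fw1 1234: *Mar  3 10:15:00.123: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 192.0.2.10(44512) -> 198.51.100.5(22), 1 packet",
    "Mar  3 10:15:07 fw1 1235: *Mar  3 10:15:06.456: %SEC-6-IPACCESSLOGP: "
    "list 101 denied udp 192.0.2.10(53012) -> 198.51.100.5(161), 3 packets",
    "Mar  3 10:15:09 fw1 1236: *Mar  3 10:15:08.789: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 203.0.113.7(60001) -> 198.51.100.9(3389), 1 packet",
    # A permitted entry: the 'denied' pattern must NOT match this one.
    "Mar  3 10:15:11 fw1 1237: *Mar  3 10:15:10.000: %SEC-6-IPACCESSLOGP: "
    "list 101 permitted tcp 192.0.2.20(40000) -> 198.51.100.5(443), 5 packets",
]

# The pattern exactly as it would go into rex or an EXTRACT- stanza (PCRE syntax).
# dst_address / dst_port are assumed names mirroring src_address / src_port.
SPLUNK_REGEX = (
    r"list 101 denied (?<ip_proto>[a-zA-Z]+) "
    r"(?<src_address>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> "
    r"(?<dst_address>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)"
)


def to_python_regex(splunk_regex):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    The negative lookahead keeps lookbehinds (?<= and (?<! untouched.
    """
    return re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", splunk_regex))


PATTERN = to_python_regex(SPLUNK_REGEX)


def extract_fields(line):
    """Return the extracted fields as a dict, or None if the line is not a deny."""
    match = PATTERN.search(line)
    return match.groupdict() if match else None


def count_by_src_address(lines):
    """Equivalent of '| chart count by src_address' over the matching lines."""
    counts = Counter()
    for line in lines:
        fields = extract_fields(line)
        if fields:
            counts[fields["src_address"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for log_line in SAMPLE_LOGS:
        print(extract_fields(log_line))
    print(count_by_src_address(SAMPLE_LOGS))
```

If a line fails to match, check the parentheses around the ports first: they must be escaped as `\(` and `\)` in the pattern, otherwise they become capture groups and the literal parens in the log never match.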