KarlH
Explorer II
October 24, 2024
Solved

Cannot Enable a new parser which passes validation and testing SIEM 7.1.3 GUI Parser window

  • October 24, 2024
  • 6 replies
  • 6146 views

Hello,


I now have a new parser. When I go to Admin -> Device support -> Parsers

I can see my parser. I try to check the box in the Enable column;

it then opens the parser window showing the code. Here you can see the Enable state is checked.


If I pick Validate, it validates; if I select Test, it tests successfully. If I select Save it says parser not validated or test failed, which makes no sense. If I select Cancel it just takes me back to the list view of parsers.


It is stuck in some kind of loop; there is no way for me to enable the parser, and I cannot get to the Apply option.

Also, if I start in the list view and select Edit, it takes me into the parser code, where again I select Validate and it validates, and then I select Test and it tests successfully, but Enable is greyed out via this menu path that I take.

Best answer by kcanalichio

Looks good to me. You should now be able to enable the parser. Don't forget to hit Apply afterwards so it gets pushed out to your collectors.

6 replies

kcanalichio
New Member
October 28, 2024

When you run your test and you say it passed, did you scroll down through all the tests? Sometimes a test will fail at the bottom of the list.

KarlH
KarlHAuthor
Explorer II
October 28, 2024

[screenshot shot2.png]

Hello,

Above is a snapshot following a 'Test'; there is no indication of failure.

Nothing red.

Can someone please point me to the steps to Apply a parser? During testing, a message usually showed within a red stripe saying there was a failure; there was no red stripe with any message.

kcanalichio
New Member
October 28, 2024

Not to be a pest, but did you actually hit the Test button at the top after you got to the test screen? It doesn't appear so in the screenshot. It should look something like this when you do.

[screenshot testparser.png]

kcanalichio
New Member
October 28, 2024

Should you run the test and there are no red lines in the result section, the Enable check mark should no longer be greyed out. If it is, I would open a ticket with support.

KarlH
KarlHAuthor
Explorer II
October 29, 2024

@Rob_SIEM I will ask Rob here if he might have some insights. Thank you @kcanalichio for pointing this out, very interesting indeed.

[screenshot shot1.png]

When I hit Test within the parser window it never did this, only upon hitting it a second time. Something is severely wrong with the documentation, or the parser, or the parser interpreter, or all of the above.

Rob_SIEM
Staff
October 29, 2024

When you see this error, it means that for the test log given, we "expected" it to use the parser we are testing, but in fact it did not match this parser, or any other parser.

This indicates that the <eventFormatRecognizer> regex does not match the header of this log.

I can confirm this by looking at your screenshot. I sent you a full parser zip based on an initial sample log you sent.

<eventFormatRecognizer><![CDATA[<:gPatYear>-<:gPatMon>-<:gPatDay>\s+<:gPatTime>\s+<:gPatHostName>\s+<:gPatWord>\s+VENDOR_ATTACK]]></eventFormatRecognizer>

This requires the literal format of "2024-10-29 00:00:00 someValue someWord VENDOR_ATTACK"

The sample log you are using to test instead has the literal value MORPHISEC_ATTACK instead of VENDOR_ATTACK.

So in your parser just replace all instances of VENDOR_ATTACK with MORPHISEC_ATTACK and it should work.

kcanalichio
New Member
October 29, 2024

The error above means that the event didn't match the pattern in the event format recognizer section of the parser.

kcanalichio
New Member
October 29, 2024

If you're using the code from earlier, replace VENDOR_ATTACK with MORPHISEC_ATTACK.

KarlH
KarlHAuthor
Explorer II
October 29, 2024

Hi,

That is confusing, sorry. At one point during this post I did use VENDOR, but it was too difficult to go through the raw log and change it, so I just used the actual name as we were having so many issues.

The actual first line is:

2024-10-08 14:46:58 Morphisec-EPTP INFO MORPHISEC_ATTACK

Obviously the date will change, and possibly the word INFO.

I now have for the eventFormatRecognizer:

<eventFormatRecognizer><![CDATA[<:gPatYear>-<:gPatMon>-<:gPatDay>\s+<:gPatTime>\s+<:gPatHostName>\s+<:gPatWord>\s+MORPHISEC_ATTACK]]></eventFormatRecognizer>

and this error:

[screenshot shot1.png]

kcanalichio
New Member
October 29, 2024

Good news: the event is now matched by the parser.

Bad news: the event doesn't match the stuff in your collect-fields-by-regex block starting on line 7.

I can't see the whole block, but if you understand how regex works it should be easy to troubleshoot, by eliminating one variable at a time until you figure out where the disconnect is.
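
Rob's explanation of the eventFormatRecognizer and the "eliminate one variable at a time" advice above, as an added example that is not code from this thread or from FortiSIEM: a small Python script that expands the `<:gPat...>` placeholders into a regex and checks the posted sample line against both recognizer variants. The placeholder definitions are constructed approximations (an assumption; the real built-in patterns live inside the product and may differ), and `first_failing_field` is a hypothetical helper that reports the first whitespace-separated field at which the match breaks.

```python
import re
from typing import Optional

# Constructed approximations of FortiSIEM's built-in patterns (assumption):
# the real definitions are part of the product and may be stricter or looser.
GPAT = {
    "gPatYear": r"\d{4}",
    "gPatMon": r"\d{2}",
    "gPatDay": r"\d{2}",
    "gPatTime": r"\d{2}:\d{2}:\d{2}",
    "gPatHostName": r"[\w.\-]+",
    "gPatWord": r"\S+",
}

# Recognizer bodies as quoted in the thread (the CDATA content only).
RECOGNIZER_VENDOR = (
    r"<:gPatYear>-<:gPatMon>-<:gPatDay>\s+<:gPatTime>\s+"
    r"<:gPatHostName>\s+<:gPatWord>\s+VENDOR_ATTACK"
)
RECOGNIZER_MORPHISEC = RECOGNIZER_VENDOR.replace("VENDOR_ATTACK", "MORPHISEC_ATTACK")

# Constructed sample: the first raw log line as posted in the thread.
SAMPLE_LOG = "2024-10-08 14:46:58 Morphisec-EPTP INFO MORPHISEC_ATTACK"


def expand_recognizer(body: str) -> re.Pattern:
    """Replace each <:gPatName> placeholder with its regex and compile the result."""
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name not in GPAT:
            raise KeyError(f"unknown built-in pattern {name}")
        return f"(?:{GPAT[name]})"
    return re.compile(re.sub(r"<:(\w+)>", sub, body))


def recognizes(body: str, log_line: str) -> bool:
    """True if the recognizer matches the header (start) of the log line."""
    return expand_recognizer(body).match(log_line) is not None


def first_failing_field(body: str, log_line: str) -> Optional[str]:
    """Test growing prefixes of the recognizer, split on the \\s+ separators,
    and return the first field that stops the match (None if all match)."""
    fields = body.split(r"\s+")
    for i in range(1, len(fields) + 1):
        prefix = r"\s+".join(fields[:i])
        if not recognizes(prefix, log_line):
            return fields[i - 1]
    return None


if __name__ == "__main__":
    for body in (RECOGNIZER_VENDOR, RECOGNIZER_MORPHISEC):
        print(recognizes(body, SAMPLE_LOG), first_failing_field(body, SAMPLE_LOG))
```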

KarlH
KarlHAuthor
Explorer II
October 29, 2024

[screenshot shot2.png]

Woo hoo! Please tell me this is good.