Ali_Maher
Explorer II
August 10, 2024
Question

Custom Parser Order Issue

  • August 10, 2024
  • 1 reply
  • 722 views

Hello,

 

I have tested the below event and the related parser and it's working fine, but after applying the changes the log event is still parsed by the SyslogNGParser.

 

<!-- <187>Feb 10 15:00:21 CCServer failed login attempt for Dan from 192.168.0.1 -->
<eventFormatRecognizer><![CDATA[CCServer]]></eventFormatRecognizer>
<parsingInstructions>
  <collectFieldsByRegex src="$_rawmsg">
    <regex>
      <![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+<:gPatStr>\s+<_body:gPatMesgBody>]]>
    </regex>
  </collectFieldsByRegex>
  <collectFieldsByRegex src="$_body">
    <regex>
      <![CDATA[failed login attempt for <user:gPatStr> from <srcIpAddr:gPatIpV4Dot>]]>
    </regex>
  </collectFieldsByRegex>
  <setEventAttribute attr="eventType">Login-Failure</setEventAttribute>
  <setEventAttribute attr="eventSeverity">5</setEventAttribute>
  <!-- This is the End -->
</parsingInstructions>

 

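As an added illustration (not code from the original post or from Fortinet), the following Python script replays the eventFormatRecognizer check and the two collectFieldsByRegex stages of the parser above against the sample event, so the expected fields can be verified offline before the parser-order question is even tackled. The gPat* regex equivalents in GPAT are assumptions approximating FortiSIEM's built-in patterns, not their actual definitions.

```python
import re
from typing import Optional

# Constructed sample event, same shape as the one in the question.
SAMPLE_EVENT = "<187>Feb 10 15:00:21 CCServer failed login attempt for Dan from 192.168.0.1"

# Assumed regex equivalents of the FortiSIEM gPat* placeholders used in the parser.
# These are local approximations for offline testing, not FortiSIEM's own definitions.
GPAT = {
    "gPatSyslogPRI": r"<\d{1,3}>",
    "gPatMon": r"[A-Z][a-z]{2}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{2}:\d{2}:\d{2}",
    "gPatStr": r"\S+",
    "gPatMesgBody": r".*",
    "gPatIpV4Dot": r"\d{1,3}(?:\.\d{1,3}){3}",
}

# eventFormatRecognizer from the parser, treated here as a regex searched in the raw message.
RECOGNIZER = r"CCServer"

# The two collectFieldsByRegex stages from the parser, in order: (source field, pattern).
STAGES = [
    ("_rawmsg", r"<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+<:gPatStr>\s+<_body:gPatMesgBody>"),
    ("_body", r"failed login attempt for <user:gPatStr> from <srcIpAddr:gPatIpV4Dot>"),
]

PLACEHOLDER = re.compile(r"<([A-Za-z_]*):(gPat\w+)>")

def expand(pattern: str) -> str:
    """Turn '<name:gPatX>' placeholders into named (or anonymous) Python regex groups."""
    def repl(m: re.Match) -> str:
        name, body = m.group(1), GPAT[m.group(2)]
        return f"(?P<{name}>{body})" if name else f"(?:{body})"
    return PLACEHOLDER.sub(repl, pattern)

def parse_event(raw: str) -> Optional[dict]:
    """Return the fields the parser would set for `raw`, or None if it does not apply."""
    if not re.search(RECOGNIZER, raw):
        return None
    fields = {"_rawmsg": raw}
    for src, pattern in STAGES:
        m = re.search(expand(pattern), fields.get(src, ""))
        if not m:
            return None  # a stage that fails to match means the parser does not apply
        fields.update(m.groupdict())
    # The two setEventAttribute instructions at the end of the parser.
    fields["eventType"] = "Login-Failure"
    fields["eventSeverity"] = 5
    return fields
```

If parse_event returns the expected user and srcIpAddr here but the deployed event still shows up under SyslogNGParser, the parsing instructions are fine and the issue is parser selection, which is what the reply below addresses.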
    1 reply

    premchanderr
    Staff & Editor
    September 26, 2024

    Hi @Ali_Maher,

     

    SyslogNGParser is the default system parser; it is always the first one and is designed not to be moved. It parses all matching logs for Generic device types.

    To bypass SyslogNGParser for a particular device, go to the GUI > CMDB, select the device, then Edit it and click on the Parsers tab (screenshot attached):
    1. Choose the parser from Available Parsers
    2. Click the >
    3. The selected parser will appear in the Selected Parsers
    4. Click Save
    5. Admin > Device Support > Parsers and click on the Apply button and give it a minute
    6. Restart the phParser process on the collector/Supervisor
    #killall -9 phParser
    7. Check for the parser functionality


    (Attachment: Choosing_Parsers_for_specific_devices.jpg)