pradarsha
Staff
May 16, 2025
Solved

Device not accepting custom parser


Dear Team,

I created a simple custom parser for a ZTE device; it passed all tests with multiple ZTE raw logs, but the device is not accepting the parser, i.e. the ZTE device logs are still shown as "Unknown_EventType" in FortiSIEM.

Can someone help in identifying the issue, or offer any suggestions?

I tried linking the parser manually in CMDB -> Device -> Edit Device -> Parsers.

Below are the logs and the parser.

-----------------------------------------------------------------------------------------

<!--
<190>2025 May 15 14:23:31 172.21.107.110 alarm-log:mac 407c.7d5d.a1d0 vlan 4000 move from gei_1/3/3 to gei_1/4/3
<134>2025 May 15 13:43:41 172.21.107.110 command-log: telnet0 mikul 27.116.54.53 /*** telnet user log in ***/
-->
<!-- A raw message is handed to this parser only if it contains one of these literals -->
<eventFormatRecognizer><![CDATA[alarm-log|command-log]]></eventFormatRecognizer>
<patternDefinitions>
<!-- These three patterns are defined but never referenced below; patos (TMNX) looks like a leftover from another vendor's template -->
<pattern name="patLevel"><![CDATA[\w+-\w+]]></pattern>
<pattern name="patos"><![CDATA[TMNX]]></pattern>
<pattern name="patint"><![CDATA[alarm-log|command-log]]></pattern>
</patternDefinitions>
<parsingInstructions>
<!-- Split the syslog header (PRI, date, time, reporting IP) from the free-text body -->
<collectFieldsByRegex src="$_rawmsg">
<regex>
<![CDATA[<_syslogpriority:gPatSyslogPRI><_year:gPatYear>\s+<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<reptDevIpAddr:gPatIpAddr>\s*<_body:gPatMesgBody>]]>
</regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute>
<setEventAttribute attr="msg">$_body</setEventAttribute>
<setEventAttribute attr="reptVendor">ZTE</setEventAttribute>
<setEventAttribute attr="reptDevName">ZXOS</setEventAttribute>
<!-- Note: no eventType attribute is set here; FortiSIEM parsers normally set one explicitly -->
</parsingInstructions>


Best answer by Secusaurus


1 reply

Secusaurus
Contributor III
May 19, 2025

Hi @pradarsha,

The most common issue I see, matching your info, is that the parser is either not activated or "apply" was not pressed afterwards (note that you need to press apply for every data type, e.g. event types, as well).

It might also be possible that there was a wrong parser assignment when onboarding the device, although this should not matter later on.

Anyway, removing the device from the CMDB and waiting (since this is syslog, it will re-appear with the next logs) should fix most of the CMDB-related issues.

If this still does not help, take some of the raw logs you receive and have another look at whether they really match your format recognizer. If there is a device forwarding the logs in between, it might modify the string.

Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner
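As an added offline check (example code written for this thread, not part of the original posts or of FortiSIEM): the parser's format recognizer and regex from the question are applied in Python to the two raw ZTE lines, so you can see which stage rejects a log. The gPat definitions are assumed stand-ins for FortiSIEM's built-in patterns, and the relay-modified line in the test is constructed.

```python
import re

# Constructed sample input: the two raw ZTE lines quoted in the question.
SAMPLE_LOGS = [
    "<190>2025 May 15 14:23:31 172.21.107.110 alarm-log:mac 407c.7d5d.a1d0 "
    "vlan 4000 move from gei_1/3/3 to gei_1/4/3",
    "<134>2025 May 15 13:43:41 172.21.107.110 command-log: telnet0 mikul "
    "27.116.54.53 /*** telnet user log in ***/",
]

# The eventFormatRecognizer and the collectFieldsByRegex pattern from the post.
RECOGNIZER = re.compile(r"alarm-log|command-log")
PARSER_REGEX = (
    r"<_syslogpriority:gPatSyslogPRI><_year:gPatYear>\s+<_mon:gPatMon>\s+"
    r"<_day:gPatDay>\s+<_time:gPatTime>\s+<reptDevIpAddr:gPatIpAddr>\s*"
    r"<_body:gPatMesgBody>"
)

# Assumed stand-ins for FortiSIEM's built-in global patterns; the real
# definitions live in the product's pattern library, not on this page.
GPAT = {
    "gPatSyslogPRI": r"<\d{1,3}>",
    "gPatYear": r"\d{4}",
    "gPatMon": r"[A-Z][a-z]{2}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{2}:\d{2}:\d{2}",
    "gPatIpAddr": r"\d{1,3}(?:\.\d{1,3}){3}",
    "gPatMesgBody": r".*",
}


def to_python_regex(fsm_regex):
    """Rewrite FortiSIEM '<field:gPatX>' captures as Python named groups."""
    return re.sub(r"<(\w+):(\w+)>",
                  lambda m: f"(?P<{m.group(1)}>{GPAT[m.group(2)]})",
                  fsm_regex)


def parse_log(raw):
    """Fields the parser would extract, or None when it would not fire.

    Mirrors FortiSIEM's two stages: the recognizer decides whether this parser
    is tried at all, then the regex must match from the start of the message.
    """
    if not RECOGNIZER.search(raw):
        return None
    match = re.match(to_python_regex(PARSER_REGEX), raw)
    return match.groupdict() if match else None
```

A log that a relay has re-wrapped with its own header still passes the recognizer but fails the regex, which is the "device forwarding the logs in between" case from the answer.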
pradarsha (Author)
Staff
May 19, 2025

Hi Christian,

Thank you for the response.

Restarting PhParser fixed it.