thiago_inorpel
Explorer II
April 16, 2025
Solved

Format event and Parser File


Greetings community!
We are now receiving events from the Kaspersky cloud in FortiSIEM, where the format is a "System Log", and it has the following structure, for example:

<14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION [event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"]


<14>1 2025-04-15T01:34:49.000Z xxx_hostedinst_xxxxx.openstacklocal 1093|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="x.x.x.x" p3="2x\\xx" p5="x.x.x.x" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="<xxxx>" hip="x.x.x.x" gn="Managed devices" kscfqdn="xxx.openstacklocal"] User "2xxx" has connected to the Administration Server from "x.x.x.x".

As a result, the events are arriving as "Unknow_events", precisely because there is no parser for this type of log. As a first step, I created a new parser file just to test the simplest events, for example: <14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION [event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"].
The contents of the parser XML are below:


<eventFormatRecognizer>
  <![CDATA[TEST_SIEM_CONNECTION]]>
</eventFormatRecognizer>
<patternDefinitions>
  <pattern name="patTimestamp"><![CDATA[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z]]></pattern>
  <pattern name="patWord"><![CDATA[\S+]]></pattern>
  <pattern name="patQuotedString"><![CDATA[[^"]+]]></pattern>
</patternDefinitions>
<collectFieldsByRegex src="$_rawmsg">
  <regex>
    <![CDATA[<\d+>1\s+(?P<deviceReceiptTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\|\s+-\s+(?P<eventType>\S+)\s+\[event@\d+\s+et="(?P<et>[^"]+)"\s+etdn="(?P<etdn>[^"]+)"\]]]>
  </regex>
</collectFieldsByRegex>
<parsingInstructions>
  <setEventAttribute attr="eventType">Kaspersky-TEST_SIEM_CONNECTION</setEventAttribute>
  <setEventAttribute attr="eventSeverity">1</setEventAttribute>
  <setEventAttribute attr="msg">$etdn</setEventAttribute>
</parsingInstructions>

I made sure the content of the parser XML was OK, and I also validated the regex both in a Python script and on regex101, to make sure that all the parameters of this event were matching, as shown below:

[Image: regex_validation.png]

When I perform the parser test on FortiSIEM itself to enable it, an error occurs, and the reason for this is not reported.

[Image: siem_fail.png]


Does anyone have any idea why this is happening? Or any other strategy to address this issue, either in the GUI or by accessing one of the FortiSIEM components? Any help is welcome. Thanks

Best answer by cdurkin_FTNT


2 replies

Secusaurus
Contributor III
April 17, 2025

Hi @thiago_inorpel,


I am not sure if the empty line of "Used Parser" means that the parser just did not correlate to the event, but from what I see, the eventFormatRecognizer looks correct.

Looking at

<![CDATA[<\d+>1\s+(?P<deviceReceiptTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\|\s+-\s+(?P<eventType>\S+)\s+\[event@\d+\s+et="(?P<et>[^"]+)"\s+etdn="(?P<etdn>[^"]+)"\]]]>

it feels like you are misusing the reference to other regexes here, because the definition of the brackets is:

<resultingVariable:regexToMatchAgainst>

So, for example, from

<collectFieldsByRegex src="$_rawmsg">
  <regex><![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+<:gPatStr>\s+<_body:gPatMesgBody>]]></regex>
</collectFieldsByRegex>

you should get the $_body out of that, but are using the regex-patterns gPatSyslogPRI, gPatMon, etc.


Hope that helps to move one step further.


Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner
cdurkin_FTNT
Staff
April 17, 2025

Try this...

<eventFormatRecognizer><![CDATA[\s+TEST_SIEM_CONNECTION\s+]]></eventFormatRecognizer>
<parsingInstructions>
  <collectAndSetAttrByRegex src="$_rawmsg">
    <regex><![CDATA[<:gPatSyslogPRI><:gPatStr>\s+<_year:gPatYear>-<_mon:gPatMon>-<_day:gPatDay>T<_time:gPatTimeMSec><_tz:gPatTimeZone>\s+\|\s+-\s+TEST_SIEM_CONNECTION\s+\[event\@\d+\s+et=\"<:gPatStrDQ>\"\s+etdn=\"<_etdn:gPatStrDQ>\"\]]]></regex>
  </collectAndSetAttrByRegex>
  <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
  <setEventAttribute attr="eventType">Kaspersky-TEST_SIEM_CONNECTION</setEventAttribute>
  <setEventAttribute attr="eventSeverity">1</setEventAttribute>
  <setEventAttribute attr="msg">$_etdn</setEventAttribute>
</parsingInstructions>


It will only parse the first message though... I think you would need to have a few more samples to actually parse those Kaspersky Cloud events successfully.
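Added example, not code from this thread, from Kaspersky or from FortiSIEM: a Python parser for the line format shown in the two samples in the question. Instead of matching one event name, it reads the line the way RFC 5424 lays it out (PRI, version, timestamp, a variable-length header whose last token is the event type, the `[event@23668 ...]` structured-data element with its escaped values, then the free-text message), which is the direction the remark about needing more samples points to: the same code handles both TEST_SIEM_CONNECTION and KLAUD_EV_SERVERCONNECT, and a line it cannot match is reported as unknown, the same outcome FortiSIEM shows for unparsed events. The first two sample lines are the masked ones from the question; the third, malformed line is constructed. The right-aligned header handling and the attribute names other than eventType, deviceTime and msg in `to_fortisiem_attrs` are my assumptions, not FortiSIEM's own mapping.

```python
"""Parser for the RFC 5424-style syslog lines Kaspersky cloud sends to FortiSIEM,
written against the two samples posted in the question (added example).

Format: <PRI>VERSION TIMESTAMP <header tokens> [SD-ID NAME="VALUE" ...] MSG
Lines that do not fit are returned as unknown, which is what FortiSIEM does
when no parser claims an event.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The header between the timestamp and the SD element is captured raw: the test
# event carries only "| - MSGID" (empty hostname), the audit event carries all of
# HOSTNAME APP PROCID MSGID, so the token count is not fixed.
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+'
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+'
    r'(?P<hdr>[^\[]*?)\s*'
    r'\[(?P<sdid>[^\s\]]+)(?P<sd>(?:\s+[^\s="]+="(?:[^"\\]|\\.)*")*)\]'
    r'\s*(?P<msg>.*)$',
    re.S,
)
# One SD-PARAM: NAME="VALUE"; VALUE may contain the escapes \" \\ \] (RFC 5424).
PARAM_RE = re.compile(r'([^\s="]+)="((?:[^"\\]|\\.)*)"')
_ESC_RE = re.compile(r'\\(["\\\]])')


@dataclass
class KasperskyEvent:
    facility: int
    severity: int          # syslog severity 0 (emerg) .. 7 (debug), from PRI
    timestamp: datetime
    hostname: str
    app: str               # raw APP token, e.g. "1093|1.0.0.0" in the audit sample
    procid: str
    msgid: str             # Kaspersky event type, e.g. KLAUD_EV_SERVERCONNECT
    sd_id: str             # e.g. event@23668
    params: Dict[str, str] = field(default_factory=dict)
    message: str = ""


def _unescape(value: str) -> str:
    # Undo the three RFC 5424 PARAM-VALUE escapes (\" \\ \]).
    return _ESC_RE.sub(r"\1", value)


def _split_header(hdr: str) -> Tuple[str, str, str, str]:
    # Assumption: right-align the tokens onto HOSTNAME APP PROCID MSGID. MSGID is
    # always the last token; leading fields that are absent become "".
    toks = hdr.split()
    toks = [""] * max(0, 4 - len(toks)) + toks
    return toks[-4], toks[-3], toks[-2], toks[-1]


def parse_line(line: str) -> Optional[KasperskyEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # no parser claims it: an unknown event in FortiSIEM terms
    pri = int(m["pri"])
    hostname, app, procid, msgid = _split_header(m["hdr"])
    params = {name: _unescape(val) for name, val in PARAM_RE.findall(m["sd"])}
    return KasperskyEvent(
        facility=pri >> 3, severity=pri & 7,
        timestamp=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        hostname=hostname, app=app, procid=procid, msgid=msgid,
        sd_id=m["sdid"], params=params, message=m["msg"].strip(),
    )


def parse_batch(lines: List[str]) -> Tuple[List[KasperskyEvent], List[str]]:
    """Return (parsed events, raw lines that would become unknown events)."""
    parsed, unknown = [], []
    for line in lines:
        ev = parse_line(line)
        (parsed if ev else unknown).append(ev or line)
    return parsed, unknown


def to_fortisiem_attrs(ev: KasperskyEvent) -> Dict[str, object]:
    """Flatten one event to attribute names. eventType, deviceTime and msg mirror
    the parser posted in the thread; reptDevName and the pass-through of every
    SD-PARAM under its own name are my assumptions, not FortiSIEM's mapping."""
    attrs: Dict[str, object] = {
        "eventType": f"Kaspersky-{ev.msgid}",
        "deviceTime": int(ev.timestamp.timestamp()),
        "msg": ev.message or ev.params.get("etdn", ""),
        "reptDevName": ev.hostname or ev.params.get("kscfqdn", ""),
    }
    attrs.update(ev.params)
    return attrs


# First two lines: the masked samples from the question. Third: constructed,
# malformed (no structured-data element) to show the unknown-event path.
SAMPLES = [
    r'<14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION [event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"]',
    r'<14>1 2025-04-15T01:34:49.000Z xxx_hostedinst_xxxxx.openstacklocal 1093|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="x.x.x.x" p3="2x\\xx" p5="x.x.x.x" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="<xxxx>" hip="x.x.x.x" gn="Managed devices" kscfqdn="xxx.openstacklocal"] User "2xxx" has connected to the Administration Server from "x.x.x.x".',
    '<14>1 2025-04-15T01:34:49.000Z host 1093|1.0.0.0 - BROKEN_SAMPLE no structured data here',
]

if __name__ == "__main__":
    parsed, unknown = parse_batch(SAMPLES)
    for ev in parsed:
        print(to_fortisiem_attrs(ev))
    print(f"{len(unknown)} line(s) would be unknown events")
```

Running it prints one attribute dictionary per parsed sample and reports the constructed line as unknown. The PRI split (`pri >> 3`, `pri & 7`) gives facility 1 and severity 6 for `<14>`, which is a more defensible source for eventSeverity than the fixed value in the test parser once real audit events arrive.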