IsuruTharanga
Visitor III
September 12, 2020
Question

FortiSIEM Custom Parser

Hi,

I have created a custom parser and I am unable to validate the parser. (When I click the "Validate" button it does not perform the underlying action.)

FortiSIEM version: 5.3.1


------------------------------
Cheers,
Isuru
------------------------------


    FSM_FTNT
    Staff
    September 14, 2020
    Hi Isuru,

    I haven't had time to check it all, but you are missing the closing </when> statements in the <case> sections.

    Try using Chrome to test.

    <case>
      <when test="$_event = 'barracuda WF'">
        <setEventAttribute attr="eventType">Barracuda-WAF-WebFirewall</setEventAttribute>
        <!-- split $_body on spaces and map tokens to attributes by 1-based position -->
        <collectAndSetAttrByPos src="$_body" sep=" ">
          <attrPosMap attr="eventSeverity" pos="1"/>
          <attrPosMap attr="attackType" pos="2"/>
          <attrPosMap attr="srcIpAddr" pos="3"/>
          <attrPosMap attr="srcIpPort" pos="4"/>
          <attrPosMap attr="destIpAddr" pos="5"/>
          <attrPosMap attr="destIpPort" pos="6"/>
          <attrPosMap attr="ruleId" pos="7"/>
          <attrPosMap attr="ruleName" pos="8"/>
          <attrPosMap attr="eventAction" pos="9"/>
          <attrPosMap attr="secAction" pos="10"/>
          <attrPosMap attr="attackInfo" pos="11"/>
          <attrPosMap attr="httpMethod" pos="12"/>
          <attrPosMap attr="infoURL" pos="13"/>
          <attrPosMap attr="appTransportProto" pos="14"/>
          <attrPosMap attr="sessionId" pos="15"/>
          <attrPosMap attr="httpUserAgent" pos="16"/>
          <attrPosMap attr="httpProxyLogin" pos="19"/>
          <attrPosMap attr="httpReferrer" pos="20"/>
        </collectAndSetAttrByPos>
      </when> <!-- this closing tag was missing from the original parser -->
    </case>

    Let me know if you are still having issues after adding the <when>.

    Thanks

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------
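    Since the "Validate" button gave no feedback on the malformed XML, a quick offline well-formedness check before uploading would have pointed straight at the unclosed <when>. The linter below is an added example, not code from the thread or from Fortinet; the fragment it checks is constructed to reproduce the bug, and the structural checks (test= on <when>, src=/sep= on <collectAndSetAttrByPos>, integer pos= on <attrPosMap>) are assumptions based only on the attributes used in this parser.

```python
"""Offline lint for a FortiSIEM custom-parser XML fragment (added example,
not the thread's or Fortinet's code). Reports the line of the fault that
the GUI 'Validate' button swallowed silently."""
import xml.etree.ElementTree as ET

# Constructed fragment reproducing the thread's bug: <when> is never closed,
# so the XML parser hits </case> while <when> is still open.
BROKEN = """<case>
<when test="$_event = 'barracuda WF'">
<setEventAttribute attr="eventType">Barracuda-WAF-WebFirewall</setEventAttribute>
<collectAndSetAttrByPos src="$_body" sep=" ">
<attrPosMap attr="eventSeverity" pos="1"/>
<attrPosMap attr="attackType" pos="2"/>
</collectAndSetAttrByPos>
</case>
"""
# Same fragment with the closing </when> restored (the fix from the reply).
FIXED = BROKEN.replace("</collectAndSetAttrByPos>\n",
                       "</collectAndSetAttrByPos>\n</when>\n")


def lint_parser_fragment(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the fragment passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        msg = str(exc)  # expat text, e.g. "mismatched tag: line 8, column 2"
        hint = (" (an element opened earlier was never closed, e.g. a missing </when>)"
                if "mismatched tag" in msg else "")
        return [f"not well-formed XML: {msg}{hint}"]

    findings = []
    # Assumed structural rules, derived from the attributes this parser uses.
    for when in root.iter("when"):
        if not when.get("test"):
            findings.append("<when> without a test= attribute")
    for coll in root.iter("collectAndSetAttrByPos"):
        for req in ("src", "sep"):
            if coll.get(req) is None:
                findings.append(f"<collectAndSetAttrByPos> missing {req}=")
        seen = {}
        for m in coll.findall("attrPosMap"):
            attr, pos = m.get("attr"), m.get("pos")
            if not attr or not pos:
                findings.append("<attrPosMap> missing attr= or pos=")
            elif not pos.isdigit() or int(pos) < 1:
                findings.append(f"<attrPosMap attr={attr!r}> pos={pos!r} is not a positive integer")
            elif pos in seen:
                findings.append(f"pos {pos} is mapped to both {seen[pos]!r} and {attr!r}")
            seen[pos] = attr
    return findings
```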
    IsuruTharanga
    Visitor III
    September 15, 2020
    Hi Dan,

    Thanks for the insight. It is working as intended after the correction.

    ------------------------------
    Cheers,
    Isuru
    ------------------------------