Skip to main content
Priyank
Priyank
New Member
August 19, 2021
Question

FortiSIEM XML Parser

  • August 19, 2021
  • 0 replies
  • 3206 views

Hi All,

 

I'm using FortiSIEM 5.2.6 and having issues with the XML parser in parsing TrendMicro Deep Security logs.

 

I'm getting below error when I test the parser

 

Line No 6 Column No 38 Failed to execute node: collectFieldsByRegex. Please check the usage of API and attribute name.

 

I'm trying to fix the error but not sure where to make the changes. Below is the parser that I'm using:

 

<patternDefinitions>

<pattern name="patTMRole"><![CDATA[Control Manager|Deep Security Agent|Deep Security Manager]]></pattern>

</patternDefinitions>

<eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Trend Micro\|<:patTMRole>\|]]></eventFormatRecognizer>

<parsingInstructions>

<collectFieldsByRegex src="$_rawmsg">

<regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+(?:<_year:gPatYear>\s+)?<_time:gPatTime>\s+<:gPatHostName>\s+CEF:\d+\|Trend Micro\|<_role:patTMRole>\|<_body:gPatMesgBody>]]></regex>

</collectFieldsByRegex>

<collectAndSetAttrByPos sep="|" src="$_body">

<attrPosMap attr="_version" pos="1"/>

<attrPosMap attr="_sigId" pos="2"/>

<attrPosMap attr="_name" pos="3"/>

<attrPosMap attr="eventSeverity" pos="4"/>

<attrPosMap attr="_body" pos="5"/>

</collectAndSetAttrByPos>

<choose>

<when test="exist _year">

<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute>

</when>

<otherwise>

<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>

</otherwise>

</choose>

<setEventAttribute attr="_name">replaceStringByRegex($_name, "\s+\(CVE-[^)]*\)", "")</setEventAttribute>

<setEventAttribute attr="_name">replaceStringByRegex($_name, "\s", "_")</setEventAttribute>

<choose>

<when test="$_role = 'Deep Security Manager'">

<setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurity-", $_name, "-", $_sigId)</setEventAttribute>

</when>

<when test="$_role = 'Deep Security Agent'">

<setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurityAgent-", $_name, "-", $_sigId)</setEventAttribute>

</when>

<when test="$_role = 'Control Manager'">

<setEventAttribute attr="eventType">combineMsgId("Trend-ControlManager-", $_name, "-", $_sigId)</setEventAttribute>

</when>

<otherwise>

<setEventAttribute attr="_role">replaceStringByRegex($_role, "\s+", "")</setEventAttribute>

<setEventAttribute attr="eventType">combineMsgId("Trend-", $_role, "-", $_name, "-", $_sigId)</setEventAttribute>

</otherwise>

</choose>

<when test='$eventSeverity = "0"'>

<setEventAttribute attr="eventSeverity">1</setEventAttribute>

</when>

<collectAndSetAttrByKeyValuePair sep=" " src="$_body">

<attrKeyMap attr="appTransportProto" key="app="/>

<attrKeyMap attr="destIpAddr" key="dst="/>

<attrKeyMap attr="destName" key="dhost="/>

<attrKeyMap attr="destMACAddr" key="dmac="/>

<attrKeyMap attr="destDomain" key="dntdom="/>

<attrKeyMap attr="destIpPort" key="dpt="/>

<attrKeyMap attr="targetUser" key="duser="/>

<attrKeyMap attr="reptDevName" key="dvchost="/>

<attrKeyMap attr="fileName" key="fname="/>

<attrKeyMap attr="recvBytes" key="in="/>

<attrKeyMap attr="sentBytes" key="out="/>

<attrKeyMap attr="srcIpAddr" key="src="/>

<attrKeyMap attr="srcName" key="shost="/>

<attrKeyMap attr="srcMACAddr" key="smac="/>

<attrKeyMap attr="srcDomain" key="sntdom="/>

<attrKeyMap attr="srcIpPort" key="spt="/>

<attrKeyMap attr="srcUser" key="suser="/>

<attrKeyMap attr="user" key="suser="/>

<attrKeyMap attr="startTime" key="start="/>

<attrKeyMap attr="ipProto" key="proto="/>

<attrKeyMap attr="count" key="cnt1="/>

<attrKeyMap attr="tcpFlags" key="cs2="/>

<attrKeyMap attr="dataPayload" key="TrendMicroDsPacketData="/>

</collectAndSetAttrByKeyValuePair>

<switch>

<case>

<collectFieldsByRegex src="$_rawmsg">

<regex><![CDATA[ msg=<msg:gPatMesgBody>]]></regex>

</collectFieldsByRegex>

</case>

<default/>

</switch>

</parsingInstructions>

 

Log that I'm trying to Parse:

<46>2021-08-12T22:38:27+02:00 VMPPTTDS CEF:0|Trend Micro|Deep Security Manager|20.0.366|1533|A computer reboot is required to complete an Anti-Malware cleanup or restoration task|3|src=10.1.1.12 suser=System target=TestMachine msg=The Anti-Malware engine requires that the computer be rebooted to complete a cleanup or restoration task. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

 

Your suggestions and help would be appreciated.

 

Thank you

<patternDefinitions><pattern name="patTMRole"><![CDATA[Control Manager|Deep Security Agent|Deep Security Manager]]></pattern></patternDefinitions><eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Trend Micro\|<:patTMRole>\|]]></eventFormatRecognizer><parsingInstructions><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+(?:<_year:gPatYear>\s+)?<_time:gPatTime>\s+<:gPatHostName>\s+CEF:\d+\|Trend Micro\|<_role:patTMRole>\|<_body:gPatMesgBody>]]></regex></collectFieldsByRegex><collectAndSetAttrByPos sep="|" src="$_body"><attrPosMap attr="_version" pos="1"/><attrPosMap attr="_sigId" pos="2"/><attrPosMap attr="_name" pos="3"/><attrPosMap attr="eventSeverity" pos="4"/><attrPosMap attr="_body" pos="5"/></collectAndSetAttrByPos><choose><when test="exist _year"><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute></when><otherwise><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute></otherwise></choose><setEventAttribute attr="_name">replaceStringByRegex($_name, "\s+\(CVE-[^)]*\)", "")</setEventAttribute><setEventAttribute attr="_name">replaceStringByRegex($_name, "\s", "_")</setEventAttribute><choose><when test="$_role = 'Deep Security Manager'"><setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurity-", $_name, "-", $_sigId)</setEventAttribute></when><when test="$_role = 'Deep Security Agent'"><setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurityAgent-", $_name, "-", $_sigId)</setEventAttribute></when><when test="$_role = 'Control Manager'"><setEventAttribute attr="eventType">combineMsgId("Trend-ControlManager-", $_name, "-", $_sigId)</setEventAttribute></when><otherwise><setEventAttribute attr="_role">replaceStringByRegex($_role, "\s+", "")</setEventAttribute><setEventAttribute attr="eventType">combineMsgId("Trend-", $_role, "-", $_name, "-", $_sigId)</setEventAttribute></otherwise></choose><when test='$eventSeverity = "0"'><setEventAttribute attr="eventSeverity">1</setEventAttribute></when><collectAndSetAttrByKeyValuePair sep=" " src="$_body"><attrKeyMap attr="appTransportProto" key="app="/><attrKeyMap attr="destIpAddr" key="dst="/><attrKeyMap attr="destName" key="dhost="/><attrKeyMap attr="destMACAddr" key="dmac="/><attrKeyMap attr="destDomain" key="dntdom="/><attrKeyMap attr="destIpPort" key="dpt="/><attrKeyMap attr="targetUser" key="duser="/><attrKeyMap attr="reptDevName" key="dvchost="/><attrKeyMap attr="fileName" key="fname="/><attrKeyMap attr="recvBytes" key="in="/><attrKeyMap attr="sentBytes" key="out="/><attrKeyMap attr="srcIpAddr" key="src="/><attrKeyMap attr="srcName" key="shost="/><attrKeyMap attr="srcMACAddr" key="smac="/><attrKeyMap attr="srcDomain" key="sntdom="/><attrKeyMap attr="srcIpPort" key="spt="/><attrKeyMap attr="srcUser" key="suser="/><attrKeyMap attr="user" key="suser="/><attrKeyMap attr="startTime" key="start="/><attrKeyMap attr="ipProto" key="proto="/><attrKeyMap attr="count" key="cnt1="/><attrKeyMap attr="tcpFlags" key="cs2="/><attrKeyMap attr="dataPayload" key="TrendMicroDsPacketData="/></collectAndSetAttrByKeyValuePair><switch><case><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[ msg=<msg:gPatMesgBody>]]></regex></collectFieldsByRegex></case><default/></switch></parsingInstructions>
    Terms & ConditionsAccessibility statement