Cybersecurity Forum


isuru
New Contributor II

FortiSIEM Custom Parser

Hi,

I have created a custom parser and I am unable to validate the parser. (When I click the "Validate" button it does not perform the underlying action.)

FortiSIEM version: 5.3.1


------------------------------
Cheers,
Isuru
------------------------------
Cheers,
Isuru Malawige
1 Solution
FSM_FTNT
Staff

Hi Isuru,

I haven't had time to check it all, but you are missing the closing </when> statements in the <case> sections.

Try using Chrome to test.

<case>
  <when test="$_event = 'barracuda WF'">
    <setEventAttribute attr="eventType">Barracuda-WAF-WebFirewall</setEventAttribute>
    <collectAndSetAttrByPos src="$_body" sep=" ">
      <attrPosMap attr="eventSeverity" pos="1"/>
      <attrPosMap attr="attackType" pos="2"/>
      <attrPosMap attr="srcIpAddr" pos="3"/>
      <attrPosMap attr="srcIpPort" pos="4"/>
      <attrPosMap attr="destIpAddr" pos="5"/>
      <attrPosMap attr="destIpPort" pos="6"/>
      <attrPosMap attr="ruleId" pos="7"/>
      <attrPosMap attr="ruleName" pos="8"/>
      <attrPosMap attr="eventAction" pos="9"/>
      <attrPosMap attr="secAction" pos="10"/>
      <attrPosMap attr="attackInfo" pos="11"/>
      <attrPosMap attr="httpMethod" pos="12"/>
      <attrPosMap attr="infoURL" pos="13"/>
      <attrPosMap attr="appTransportProto" pos="14"/>
      <attrPosMap attr="sessionId" pos="15"/>
      <attrPosMap attr="httpUserAgent" pos="16"/>
      <attrPosMap attr="httpProxyLogin" pos="19"/>
      <attrPosMap attr="httpReferrer" pos="20"/>
    </collectAndSetAttrByPos>
  </when>
</case>

Let me know if you are still having issues after adding the <when>

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
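
A way to locate the kind of unclosed element described in this thread before pasting a parser into the GUI, as an added example that is not part of the original posts and not FortiSIEM tooling. The sample fragment is constructed and shortened from the snippet above; `find_unclosed` and the `fragmentRoot` wrapper element are hypothetical names.

```python
import xml.parsers.expat

# Constructed sample, shortened from the thread's snippet: the <when> is never closed.
BROKEN = """<case>
<when test="$_event = 'barracuda WF'">
<setEventAttribute attr="eventType">Barracuda-WAF-WebFirewall</setEventAttribute>
<collectAndSetAttrByPos src="$_body" sep=" ">
<attrPosMap attr="eventSeverity" pos="1"/>
<attrPosMap attr="attackType" pos="2"/>
</collectAndSetAttrByPos>
</case>
"""
# Same fragment with the closing </when> restored.
FIXED = BROKEN.replace("</collectAndSetAttrByPos>\n", "</collectAndSetAttrByPos>\n</when>\n")

WRAPPER = "fragmentRoot"  # hypothetical synthetic root; lets multi-element fragments parse


def find_unclosed(fragment):
    """Return None if well-formed, else where the mismatch is and which tag is still open."""
    stack = []  # (tag name, line where it was opened)
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        stack.append((name, parser.CurrentLineNumber))

    def on_end(name):
        stack.pop()

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        # No newline is added by the wrapper, so line numbers match the fragment.
        parser.Parse(f"<{WRAPPER}>{fragment}</{WRAPPER}>", True)
    except xml.parsers.expat.ExpatError as err:
        tag, line = stack[-1] if stack else (None, None)
        if tag == WRAPPER:  # nothing of the fragment is open: stray closing tag or other error
            tag, line = None, None
        return {
            "error": xml.parsers.expat.ErrorString(err.code),
            "detected_line": err.lineno,
            "open_tag": tag,
            "opened_line": line,
        }
    return None


if __name__ == "__main__":
    print(find_unclosed(BROKEN))
    print(find_unclosed(FIXED))
```

The reported `opened_line` points at the element that was left open, which is usually more useful than the line where the XML parser gives up.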

isuru
New Contributor II

Hi Dan,

Thanks for the insight. It is working as intended after the correction.

------------------------------
Cheers,
Isuru
------------------------------
Cheers,
Isuru Malawige