Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

cmaldonado
New Contributor II

Problem Using Mcafee Parser XML

Greetings community.

Has anyone had an error modifying the McafeeXMLParser parser?

I have been doing several tests, but it always gives me this error:

Error on line 20 at column 35: Opening and ending tag mismatch: root line 0 and collectAndSetAttrByKeyValuePair.


######################
<patternDefinitions>
<pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
<setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="version" key="2"/>
<attrKeyMap attr="_id" key="3"/>
<attrKeyMap attr="hostIpAddr" key="4"/>
<attrKeyMap attr="hostName" key="5"/>
<attrKeyMap attr="hostMACAddr" key="6"/>
<attrKeyMap attr="osName" key="7"/>
<attrKeyMap attr="user" key="8"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>

######################

As far as I can see, the error is located in the yellow strip. But I see that the variables are opened and closed correctly.

Did someone go through the same thing?
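A way to check a fragment like the one above locally before pasting it into the GUI, as an added example that is not code from this thread and not a FortiSIEM tool: the parser file has several top-level elements, so a standard XML parser only accepts it once it is wrapped in a single root element (the "root line 0" in the error message suggests the GUI validator does the same; the wrapper name `root` is an assumption here). The script parses the posted fragment as written, then the same fragment with the `sep=" src="$_body"` line that the original parser is quoted as containing, and also scans for characters that are invisible in a text box but are not XML whitespace, since those survive a copy and paste and are easy to miss when the tags all look balanced.

```python
"""Local well-formedness check for a FortiSIEM parser fragment.

Added example, not code from the original post and not a FortiSIEM tool.
"""
import xml.etree.ElementTree as ET

# The XML fragment posted in the question above, copied verbatim.
POSTED_FRAGMENT = r"""<patternDefinitions>
<pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
<setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="version" key="2"/>
<attrKeyMap attr="_id" key="3"/>
<attrKeyMap attr="hostIpAddr" key="4"/>
<attrKeyMap attr="hostName" key="5"/>
<attrKeyMap attr="hostMACAddr" key="6"/>
<attrKeyMap attr="osName" key="7"/>
<attrKeyMap attr="user" key="8"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>"""

# The line as the poster edited it, and the line quoted from the original parser.
EDITED_LINE = '<collectAndSetAttrByKeyValuePair sep=" " src="$_body">'
ORIGINAL_LINE = '<collectAndSetAttrByKeyValuePair sep=" src="$_body">'

# Characters that render as nothing (or as a plain space) in a text box
# but are not XML whitespace. Constructed list for this check.
INVISIBLE = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u00a0": "NO-BREAK SPACE",
    "\ufeff": "BYTE ORDER MARK",
}


def find_invisible_chars(fragment):
    """Return (line, column, name) for every invisible non-ASCII character."""
    hits = []
    for lineno, line in enumerate(fragment.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in INVISIBLE:
                hits.append((lineno, col, INVISIBLE[ch]))
    return hits


def check_fragment(fragment, root_tag="root"):
    """Wrap the fragment in one root element and parse it.

    The wrapper is put on the same line as the fragment's first line so
    that line numbers in the parser message match the fragment as pasted.
    Returns (True, "well-formed") or (False, <parser message>).
    """
    document = f"<{root_tag}>{fragment}</{root_tag}>"
    try:
        ET.fromstring(document)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, "well-formed"


if __name__ == "__main__":
    for label, text in (
        ("posted fragment", POSTED_FRAGMENT),
        ("with original sep line", POSTED_FRAGMENT.replace(EDITED_LINE, ORIGINAL_LINE)),
    ):
        ok, detail = check_fragment(text)
        print(f"{label}: {'OK' if ok else 'ERROR'} ({detail})")
        for lineno, col, name in find_invisible_chars(text):
            print(f"  invisible char {name} at line {lineno}, column {col}")
```

The posted fragment parses cleanly once wrapped, which agrees with the observation that the tags are balanced; the variant with `sep=" src="$_body"` fails, because the first `"` after `sep=` opens an attribute value that runs up to the `"` after `src=`, leaving `$_body">` where the parser expects whitespace or `>`. Run this on the exact text you are about to paste into the GUI, not on a retyped copy.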
KarnGriffen
New Contributor III

Carlos,

The original parser has this line:

<collectAndSetAttrByKeyValuePair sep=" src="$_body">

Yours has:

<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
cmaldonado

Greetings,

That's how it is. I measured it for testing.

I have been testing the parser but with the default configuration it throws an error.

Below I attach the default configuration:

[screenshot: default parser configuration]
When reformatting the code, it throws the error indicated above.
KarnGriffen

Carlos,

I don't understand what you mean by "That's how it is. I measured it for testing."  The original parser and your parser are different on that line.  The original is sep=" and yours is sep=" ".  I suspect there is an issue with the interpretation of the new " you have added.  Can you post a sample of the log you are working with?  Also in the screenshot above, can you post it not showing the error box?  I'd like to see the color coding there to see if the line is formatted correctly.

Thanks,

Karn
KarnGriffen

Carlos,

I think I see what you mean. Try this:

Clone the original.  Add the change so it reads:
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
Highlight all the text and perform a Ctrl-C to copy it.  Then hit "Clear XML". Ctrl-V paste the copied text back into the screen.  Hit Reformat.  Hit Validate. 

I was able to get the cloned parser to Validate that way:

[screenshot: cloned parser validating, 2021-07-19]

cmaldonado

Hello, excellent.

Thank you very much, that is exactly the solution. It now allows me to validate and save.

Problem solved.