Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

cmaldonado
New Contributor II

Created on ‎07-02-2021 12:40 PM

Problem Using Mcafee Parser XML

Greetings community.

Someone had an error modifying the McafeeXMLParser parser.

I have been doing several tests but it always gives me the error of:

Error on line 20 at column 35: Opening and ending tag mismatch: root line 0 and collectAndSetAttrByKeyValuePair.


######################​
<patternDefinitions>
<pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
<setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="version" key="2"/>
<attrKeyMap attr="_id" key="3"/>
<attrKeyMap attr="hostIpAddr" key="4"/>
<attrKeyMap attr="hostName" key="5"/>
<attrKeyMap attr="hostMACAddr" key="6"/>
<attrKeyMap attr="osName" key="7"/>
<attrKeyMap attr="user" key="8"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>

######################

as I observe the error is located in the yellow strip. But I see that the variables are closed and open correctly.

Did someone go through the same thing?
Labels:
1810
0 Kudos
5 REPLIES 5
KarnGriffen
New Contributor III

Created on ‎07-08-2021 04:19 PM

Carlos,

The original parser has this line:

<collectAndSetAttrByKeyValuePair sep=" src="$_body">

Your has:

<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
1793
0 Kudos
cmaldonado
New Contributor II
In response to KarnGriffen

Created on ‎07-19-2021 09:08 AM

Greetings,

That's how it is. I measured it for testing.

I have been testing the parser but with the default configuration it throws an error.

Below I attach the default configuration:

MessageImages_9f5e10b5bac94539909f515b283f0492.png
when reforming the code, it throws the error indicated above.
1793
0 Kudos
KarnGriffen
New Contributor III
In response to cmaldonado

Created on ‎07-19-2021 09:42 AM

Carlos,

I don't understand what you mean by "That's how it is. I measured it for testing."  The original parser and your parser are different on that line.  The original is sep=" and yours is sep=" ".  I suspect there is an issue with the interpretation of the new " you have added.  Can you post a sample of the log you are working with?  Also in the screenshot above, can you post it not showing the error box?  I'd like to see the color coding there to see if the line is formatted correctly.

Thanks,

Karn
1793
0 Kudos
KarnGriffen
New Contributor III
In response to cmaldonado

Created on ‎07-19-2021 09:54 AM

Carlos,

I think I see what you mean. Try this:

Clone the original.  Add the change so it reads: 
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
Highlight all the text and perform a Ctrl-C to copy it.  Then hit "Clear XML". Ctrl-V paste the copied text back into the screen.  Hit Reformat.  Hit Validate. 

I was able to get the cloned parser to Validate that way:

UploadedImages_sPPEh0voS5GEamPbVdV3_Screen Shot 2021-07-19 at 9.50.33 AM.png

1793
cmaldonado
New Contributor II
In response to KarnGriffen

Created on ‎07-19-2021 10:39 AM

Hello excellent.

Thank you very much, there is just the solution. It already allows me to validate and save.

Problem solved.
1793
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.