Cannot Enable a new parser which passes validation and testing SIEM 7.1.3 GUI Parser window
Hello,
I now have a new parser. When I go to Admin -> Device support -> Parsers
I can see my parser. I try to check the box in the Enable column;
it then opens the parser window showing the code. Here you can see the Enable state is checked.
If I pick Validate it validates; if I select Test it tests successfully. If I select Save it says parser not validated or test failed, which makes no sense. If I select Cancel it just takes me back to the list view of parsers.
It is stuck in some kind of loop; there is no way for me to enable the parser, I cannot get to the Apply option.
Also, if I start in the list view and select Edit it takes me in the parser code, where again I select Validate and it validates and then I select Test and it tests successfully, but Enable is greyed out via this menu path that I take.
Looks good to me. You should now be able to enable the parser. Don't forget to hit Apply afterwards so it gets pushed out to your collectors.
When you run your test and you say it passed, did you scroll down through all the tests? Sometimes a test will fail at the bottom of the list.
Hello,
Above is a snapshot following a 'Test'; there is no indication of failure.
Nothing red.
Can someone please point me to the steps to Apply a parser? During testing, a message usually showed within a red stripe saying a failure; there was no red stripe with any message.
Not to be a pest, but did you actually hit the Test button at the top after you got to the test screen? It doesn't appear so in the screenshot. It should look something like this when you do.
Should you run the test and there are no red lines in the result section, the Enable check mark should no longer be greyed out. If it is, I would open a ticket with support.
Also, I have found that doing things with parsers seems to work better in Chrome. Firefox and Edge tend to have weird-isms when you edit the parser.
Hi @kcanalichio, Nope, not a pest at all; a deliberate line of questioning is part of engineering a system. OK, here is what I ask: the steps you would like me to take.
According to the 7.1.3 FortiSIEM User Guide it states:
1. Go to ADMIN > Device Support > Parsers.
2. Select a parser that is above the location in the list where you want to add your parser, and click New.
3. Enter a Name for the parser.
4. Select a Device Type from the drop-down list to which the parser should apply.
   If the device type doesn't appear in the menu, you should create a new device type.
5. Enter a Test containing an example of an event that you want to use to validate the parser.
6. Enter the Parser XML.
7. Click Validate.
   This will validate the XML.
8. Click Test.
   This will send the test event to the parser to make sure it is parsed correctly, and will also test the parsers above and below yours in the list to make sure they continue to parse logs correctly.
9. If the XML for your parser validates and the test event is correctly parsed, select Enable.
   If you must continue working on your parser, you can Save it without selecting Enable.
10. Add a Description of the Parser.
11. Click Save.
12. Click Apply to have the back-end module pick up your parser and begin applying it to device logs.
Also, other people seem to be having some issues.
I think you need to add 8.5: select Test again once you get to the new screen. This new screen gives you the option to add new events you want to test.
Step 5 should be done here.
These instructions seem very out of date, almost like they forgot to modify the SIEM version 4 instruction when it was still using Flash.
Hi @kcanalichio
Sorry 8.5? Not sure what you are referring to.