Does anyone parser user information in Netscaler parser, especially login/off information is needed, but logout user and duration information does not come in the default parser.
Do you have an example log?
And it seems like the built-in parser is supposed to pluck out user, duration and a lot of other stuff
below is the snippet for sslvpn logout
<when test="$eventType = 'NETSCALER-SSLVPN-LOGOUT'"><collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User <user:gPatStr> - Client_ip <hostIpAddr:gPatIpAddr> - Nat_ip (?:<postNATSrcIpAddr:gPatIpAddr>|"<:patStrEndQuote>"|<:gPatStr>) - Vserver <hostName:gPatStrEndColon>:<ipPort:gPatInt> - Start_time "<:patStrEndQuote>" - End_time "<:patStrEndQuote>" - Duration <durationMSec:gPatStr> - Http_resources_accessed <httpTotalAccesses:gPatStr> - NonHttp_services_accessed <:gPatStr> - Total_TCP_connections <:gPatInt> - Total_UDP_flows <:gPatInt> - Total_policies_allowed <:gPatInt> - Total_policies_denied <:gPatInt> - Total_bytes_send <sentBytes64:gPatInt> - Total_bytes_recv <recvBytes64:gPatInt> - Total_compressedBytes_send <:gPatInt> - Total_compressedBytes_recv <:gPatInt> - Compression_ratio_send <:gPatStr> - Compression_ratio_recv <:gPatStr> - LogoutMethod "<:patStrEndQuote>" - Group\(s\) "<userGrp:patStrEndQuote>"]]></regex></collectAndSetAttrByRegex>
Same goes for AAATM-logouts
<when test="$eventType = 'NETSCALER-AAATM-LOGOUT'"><switch><case><collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User <user:gPatStr> - Client_ip <hostIpAddr:gPatIpAddr> - Nat_ip <postNATSrcIpAddr:gPatIpAddr> - Vserver <hostName:gPatStrEndColon>:<ipPort:gPatInt> - Start_time "<:patStrEndQuote>" - End_time "<:patStrEndQuote>" - Duration <durationMSec:gPatStr> - Http_resources_accessed <httpTotalAccesses:gPatStr> - Total_TCP_connections <:gPatInt> - Total_policies_allowed <:gPatInt> - Total_policies_denied <:gPatInt> - Total_bytes_send <sentBytes64:gPatInt> - Total_bytes_recv <recvBytes64:gPatInt> - Total_compressedBytes_send <:gPatInt> - Total_compressedBytes_recv <:gPatInt> - Compression_ratio_send <:gPatStr> - Compression_ratio_recv <:gPatStr> - LogoutMethod "<:patStrEndQuote>" - Group\(s\) "<userGrp:patStrEndQuote>"]]></regex></collectAndSetAttrByRegex>
I have a sample log but it does not make parser
Right, so I've fiddled a bit with the parser using your example raw log
The fix I made to make it parse the above log was on row 184 (regex for NETSCALER-SSLVPN-LOGOUT)
<when test="$eventType = 'NETSCALER-SSLVPN-LOGOUT'">
The regex looking for Total_compressedbytes_send & Total_compressedbytes_recv differs slightly from your logs, as in the parser, those fields are looked for with bytes having a capital B
For brevity:
Original regex
<collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User <user:gPatStr> - Client_ip <hostIpAddr:gPatIpAddr> - Nat_ip (?:<postNATSrcIpAddr:gPatIpAddr>|"<:patStrEndQuote>"|<:gPatStr>) - Vserver <hostName:gPatStrEndColon>:<ipPort:gPatInt> - Start_time "<:patStrEndQuote>" - End_time "<:patStrEndQuote>" - Duration <durationMSec:gPatStr> - Http_resources_accessed <httpTotalAccesses:gPatStr> - NonHttp_services_accessed <:gPatStr> - Total_TCP_connections <:gPatInt> - Total_UDP_flows <:gPatInt> - Total_policies_allowed <:gPatInt> - Total_policies_denied <:gPatInt> - Total_bytes_send <sentBytes64:gPatInt> - Total_bytes_recv <recvBytes64:gPatInt> - Total_compressedBytes_send <:gPatInt> - Total_compressedBytes_recv <:gPatInt> - Compression_ratio_send <:gPatStr> - Compression_ratio_recv <:gPatStr> - LogoutMethod "<:patStrEndQuote>" - Group\(s\) "<userGrp:patStrEndQuote>"]]></regex></collectAndSetAttrByRegex>
And what you should change it to
<collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User <user:gPatStr> - Client_ip <hostIpAddr:gPatIpAddr> - Nat_ip (?:<postNATSrcIpAddr:gPatIpAddr>|"<:patStrEndQuote>"|<:gPatStr>) - Vserver <hostName:gPatStrEndColon>:<ipPort:gPatInt> - Start_time "<:patStrEndQuote>" - End_time "<:patStrEndQuote>" - Duration <durationMSec:gPatStr> - Http_resources_accessed <httpTotalAccesses:gPatStr> - NonHttp_services_accessed <:gPatStr> - Total_TCP_connections <:gPatInt> - Total_UDP_flows <:gPatInt> - Total_policies_allowed <:gPatInt> - Total_policies_denied <:gPatInt> - Total_bytes_send <sentBytes64:gPatInt> - Total_bytes_recv <recvBytes64:gPatInt> - Total_compressedbytes_send <:gPatInt> - Total_compressedbytes_recv <:gPatInt> - Compression_ratio_send <:gPatStr> - Compression_ratio_recv <:gPatStr> - LogoutMethod "<:patStrEndQuote>" - Group\(s\) "<userGrp:patStrEndQuote>"]]></regex></collectAndSetAttrByRegex>
Hope this works for you!
Created on 07-23-2024 05:56 AM Edited on 07-23-2024 07:52 AM
Thank you for reply. I anonymised the name and ip and shared the log and it worked in this log, but I got the same error on the real log. We can think of the name as Nisse, John. Userroot did not give an error, perhaps because it hit the field within itself
Hey there,
I gathered the sample log you provided, and If you can privately message me a list of some of the other logs if varying. We'll update the system parser for these items, and push them out via content update soon.
Hi @Rob_SIEM
I'm actually having a problem with eventType = 'NETSCALER-SSLVPN-LOGOUT for the moment. It gives an error in this field in a real name. Since the events do not come as unknown, it is not possible to check all events.
Can you describe the error, you are saying certain usernames are not parsing correctly to the user field, but some are?
You can run an aggregate report to check in analytics:
Event Type = NETSCALER-SSLVPN-LOGOUT
Then click the hamburger menu for the display/aggregate columns, remove event receive time/raw event and all other columns except for the following. Then add a row for user, and one more row for count(matched events) and click run.
This will show the format of all users for that specific event type. Are there unusual formats to those users such as whitespace or '-' in the names?
Thanks,
Created on 07-23-2024 10:16 AM Edited on 07-23-2024 10:17 AM
To explain exactly, I shared a sample log above, this is my real log, I anonymised the ip and names in it and in this way I did not have a problem in the parser, but I got the same error with real values.When I check the logs, it does not come unknown, but it does not seem to parse information such as user and duration.
Got it, I'm able to replicate, we will review and fix the parser.
Thanks!
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.