I am new to FortiSIEM and i could be making some obvious mistake but kindly help. We onboarded a custom application onto FSM and wanted to build custom parser so that we can get notified of failed logins. I tried building one and i Keep running into the same issue "Failed to execute node: collectFieldsByRegex. Please check the usage of API and attribute name." Not sure why.. My xml is as below:
<eventFormatRecognizer><![CDATA[SOE: BAD\s+]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<reptDevName:gPatHostName>\s+SOE:\s+<_body:gPatMesgBody>]]></regex>
</collectFieldsByRegex>
<collectFieldsByRegex src="$_body">
<regex><![CDATA[?:SIGN-ON <srcIpAddr:gPatIpAddr>\s+\(<:gPatStr>\)\s+<:gPatStr>\s+-\s+d+\s+<:gPatStr>\.<:gPatStr>:\s+<:gPatStr>\s+<:gPatStr>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">Custom App: Failed Login</setEventAttribute>
<setEventAttribute attr="eventSeverity">1</setEventAttribute>
</parsingInstructions>
The Logs am trying to Parse are as below. Changed a few things due to privacy reasons
<134>Apr 20 19:53:14 computerA SOE: BAD SIGN-ON 0T2.2.2.2.1 (CAP34.2.1) CAP34.2 - 1 APP1.MIS: APP1 USERNAME1
<134>Apr 20 19:05:22 computerA SOE: BAD SIGN-ON 9N0T2.3.3.3.1 (THOR1.3.1) THOR1.3 - 1 MICRO PC APP2.MIS: APP2 USERNAME3 USERNAME3 USERNAME3
<134>Apr 19 19:24:29 computerC SOE: BAD SIGN-ON 9N0T1.1.14.1.1 (SPI2.1.1) SPI2.1 - 1 APP3.MIS: APP3 USERNAME44 USERNAME44 USERNAME44
<134>Apr 19 16:42:45 computerD SOE: BAD SIGN-ON 7N0T4.1.4.1.2 (IRN22.1.2) IRN22.1 - 2 APP3.MIS: APP3 USERNAME55 USERNAME55 USERNAME55
2 Solutions
Thank You @cdurkin_FTNT for the response. Not sure if its my Side but now i am running into the below error:
