Help
FortiSIEM Discussions
callmesam
New Contributor

Created on ‎10-28-2025 01:33 AM

Custom Parser Not Classifying Cisco FTD Logs (Shows as Unknown Event Type in FortiSIEM)

Hi Team,

I’m currently working on a custom parser for Cisco FTD logs in FortiSIEM, but I’m facing an issue where the events are still being shown as “Unknown Event Type” even though the parser validation is successful.

 

 

These are the logs being ingested from the FMC:

<46>Oct 22 10:09:04 FTD1: IPRep.pl: csm_processes@Default User IP, Login, Login Success
<46>Oct 22 10:03:28 FTD1: cluster_plug.pl: csm_processes@Default User IP, Login, Login Success
<46>Oct 22 10:03:26 FTD1: vpn_plug.pl: csm_processes@Default User IP, Login, Login Success
<46>Oct 22 10:03:22 FTD1: deploy_telemetry.pl: csm_processes@Default User IP, Login, Login Success
<46>Oct 22 10:03:19 FTD1: devices_plug.pl: csm_processes@Default User IP, Login, Login Success
<46>Oct 22 02:00:00 MFTD1: sfdccsm: System@Default User IP, Purge, System purged 0 number of Deployment Jobs

 

 

<eventParser>
<eventFormatRecognizer>
<![CDATA[.*FTD1.*@.*]]>
</eventFormatRecognizer>

<parsingInstructions>
<setEventAttribute attr="eventType">Cisco-FMC-Audit-Event</setEventAttribute>
<setEventAttribute attr="eventSeverity">INFO</setEventAttribute>
<setEventAttribute attr="category">System Audit</setEventAttribute>
</parsingInstructions>
</eventParser>

 

Current status:

  • The parser passes validation and matches logs in test parsing.

  • However, in the Event Explorer, events still appear as “Unknown Event Type” instead of “Cisco-FMC-Audit-Event”.

  • The parser file is created via the GUI (not manually uploaded).

  • We have not restarted any services yet.

Labels:
112
0 Kudos
1 Solution
cdurkin_FTNT
Staff
Staff

Created on ‎10-31-2025 08:32 AM

Try this as an absolute base parser ..

<eventFormatRecognizer><![CDATA[\s+M?FTD1:\s\w+]]></eventFormatRecognizer>

<parsingInstructions>

<collectAndSetAttrByRegex src="$_rawmsg">
  <regex><![CDATA[<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+M?FTD1:\s+<_body:gPatMesgBody>]]></regex>
</collectAndSetAttrByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>

<setEventAttribute attr="eventType">Cisco-FMC-Audit-Event</setEventAttribute>
<setEventAttribute attr="eventSeverity">1</setEventAttribute>
</parsingInstructions>

View solution in original post

78
0 Kudos
2 REPLIES 2
cdurkin_FTNT
Staff
Staff

Created on ‎10-31-2025 08:32 AM

Try this as an absolute base parser ..

<eventFormatRecognizer><![CDATA[\s+M?FTD1:\s\w+]]></eventFormatRecognizer>

<parsingInstructions>

<collectAndSetAttrByRegex src="$_rawmsg">
  <regex><![CDATA[<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+M?FTD1:\s+<_body:gPatMesgBody>]]></regex>
</collectAndSetAttrByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>

<setEventAttribute attr="eventType">Cisco-FMC-Audit-Event</setEventAttribute>
<setEventAttribute attr="eventSeverity">1</setEventAttribute>
</parsingInstructions>
79
0 Kudos
callmesam
New Contributor
In response to cdurkin_FTNT

Created on ‎11-02-2025 01:09 AM

Thank you @cdurkin_FTNT 

52
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.