FortiSIEM Discussions
Ali_Maher
New Contributor III

Custom Parser Order Issue

Hello,


I have tested the below event and the related parser and it's working fine, but after applying the changes the log event is still parsed by the SyslogNGParser.


<!--
<187>Feb 10 15:00:21 CCServer failed login attempt for Dan from 192.168.0.1
-->
<eventFormatRecognizer><![CDATA[CCServer]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex>
<![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+<:gPatStr>\s+<_body:gPatMesgBody>]]>
</regex>
</collectFieldsByRegex>
<collectFieldsByRegex src="$_body">
<regex>
<![CDATA[failed login attempt for <user:gPatStr> from <srcIpAddr:gPatIpV4Dot>]]>
</regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType"> Login-Failure </setEventAttribute>
<setEventAttribute attr="eventSeverity"> 5 </setEventAttribute>
<!-- This is the End -->
</parsingInstructions>


BR, Ali Maher
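To check offline what the posted parser would extract from the sample event, here is an added Python emulation of its two collectFieldsByRegex stages and the eventFormatRecognizer check. It is not FortiSIEM code and not part of the original post; the gPat definitions in GPAT are approximations assumed for this test, not FortiSIEM's own, and the emulation does not model parser ordering, which is the actual problem raised above.

```python
import re

# Constructed approximations of the FortiSIEM gPat building blocks used in the
# post. These are assumptions for offline testing, not FortiSIEM's own definitions.
GPAT = {
    "gPatSyslogPRI": r"<\d{1,3}>",
    "gPatMon": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{2}:\d{2}:\d{2}",
    "gPatStr": r"\S+",
    "gPatMesgBody": r".*",
    "gPatIpV4Dot": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# The two regexes and the recognizer exactly as they appear in the posted parser.
HEADER_REGEX = (r"<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+"
                r"<:gPatStr>\s+<_body:gPatMesgBody>")
BODY_REGEX = r"failed login attempt for <user:gPatStr> from <srcIpAddr:gPatIpV4Dot>"
RECOGNIZER = "CCServer"

_TOKEN = re.compile(r"<(\w*):(\w+)>")


def expand(fsm_regex):
    """Rewrite <name:gPat> tokens into Python named groups; <:gPat> tokens
    (no name) become non-capturing groups, mirroring the FortiSIEM notation."""
    def repl(m):
        name, pat = m.group(1), m.group(2)
        return f"(?P<{name}>{GPAT[pat]})" if name else f"(?:{GPAT[pat]})"
    return _TOKEN.sub(repl, fsm_regex)


def parse(raw):
    """Emulate the posted parser: recognizer check, then the header regex on
    $_rawmsg, then the detail regex on $_body, then the two setEventAttribute
    lines. Returns None where the parser would not claim the event."""
    if RECOGNIZER not in raw:
        return None
    head = re.match(expand(HEADER_REGEX), raw)
    if not head:
        return None
    fields = head.groupdict()
    body = fields.pop("_body")
    detail = re.search(expand(BODY_REGEX), body)
    if not detail:
        return None
    fields.update(detail.groupdict())
    fields["eventType"] = "Login-Failure"
    fields["eventSeverity"] = 5
    return fields


# Sample log from the post, plus two constructed variants for the negative cases:
# a different hostname (recognizer fails) and a different message body (regex fails).
SAMPLE = "<187>Feb 10 15:00:21 CCServer failed login attempt for Dan from 192.168.0.1"
OTHER_HOST = "<187>Feb 10 15:00:21 OtherHost failed login attempt for Dan from 192.168.0.1"
OTHER_BODY = "<187>Feb 10 15:00:21 CCServer session opened for Dan"

if __name__ == "__main__":
    print(parse(SAMPLE))
    print(parse(OTHER_HOST), parse(OTHER_BODY))
```

Running it shows the sample event yields user "Dan", srcIpAddr "192.168.0.1", eventType "Login-Failure" and eventSeverity 5, while the two variants return None; a parser that passes this check but still loses the event in FortiSIEM points at ordering rather than at the regex.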
premchanderr
Staff

Hi @Ali_Maher ,


SyslogNGParser is the default system parser, is always the first one, and is designed not to be moved. It parses all the matching logs for Generic device types.

To bypass SyslogNGParser for any device particularly, you can go to the GUI > CMDB, select the device, then Edit it and click on the Parsers tab (Screenshot attached)
1. Choose the parser from Available Parsers
2. Click the >
3. The selected parser will appear in the Selected Parsers
4. Click Save
5. Admin > Device Support > Parsers and click on the Apply button and give it a minute
6. Restart the phParser process on the collector/Supervisor
#killall -9 phParser
7. Check for the parser functionality


[Attachment: Choosing_Parsers_for_specific_devices.jpg]

Regards,
Prem Chander R