Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiSIEM Discussions
- Fortinet Community
- Community Groups
- FortiSIEM
- Discussions
- Customer Parser keep failed in Log test
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Customer Parser keep failed in Log test
HI,
I am tring to test the the following custome parser (new) against the logs: but it keeps failed with no error
----------------
NAT44 SDEL 2025 Jun 02 13:56:05:31 ABCD 6 10 10.62.131.207 49360 6 185.44.76.92 1024 8.8.8.8 53 8.8.8.8 policy1 -
----------------
<parser>
<patternDefinitions>
<pattern name="gInt"><![CDATA[\d+]]></pattern>
<pattern name="gIPv4"><![CDATA[\d{1,3}(?:\.\d{1,3}){3}]]></pattern>
<pattern name="gWord"><![CDATA[\S+]]></pattern>
<pattern name="gTimeStamp"><![CDATA[\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}:\d{2}]]></pattern>
</patternDefinitions>
<eventFormatRecognizer>
<![CDATA[LSN44 SDEL]]>
</eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex>
<![CDATA[ <NATIndicator:gWord>\s+SDEL\s+<eventTime:gTimeStamp>\s+ <country:gWord>\s+ <protoFam1:gInt>\s+ <proto1:gInt>\s+ <srcIP:gIPv4>\s+ <srcPort:gInt>\s+ <natProtoFam:gInt>\s+ <natIP:gIPv4>\s+ <natPort:gInt>\s+ <dstIP:gIPv4>\s+ <dstPort:gInt>\s+ <realDstIP:gIPv4>\s+ <natPolicy:gWord>\s+- ]]>
</regex>
</collectFieldsByRegex>
</parsingInstructions>
</parser>
BA
BA
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BahaaAli,
Please compare your format recognizer and the event itself. If this is a 1:1 copy of your information, then the parser looks for the string "LSN44 SDEL", which is not present in the log. Probably you like to look for "LSN44" OR "SDEL"? If this is the case, you might need to use the correct regex-pattern.
Also, I often get fooled by that as well. The test does rarely fail with "no error". You may need to scroll to the right or click on the line to see the error. In your case, I assume it will tell you that no parser or another parser than the one you test would be used for this log line.
I hope that helps.
Best,
Christian
FCX #003451 | Fortinet Advanced Partner
FCX #003451 | Fortinet Advanced Partner
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the useful comments, now my parser passed validation and log testing but no data extracted only static data, my log line is: LSN44 SDEL 2025 Jun 14 17:08:45:29 IRAQ 17 10 10.62.223.218 57952 10 83.171.206.123 32988 184.72.255.160 9930 184.72.255.160 nat-policy-1 b23.f14.f70 , and the barser is:
"<parser name="Nokia_LSN44_SDEL_Minimal">
<eventFormatRecognizer><![CDATA[LSN44 SDEL]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[ LSN44 SDEL\s+(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+) ]]></regex>
<setAttrFromMatch attr="eventTime" index="1"/>
<setAttrFromMatch attr="hostGeoCountry" index="2"/>
<setAttrFromMatch attr="protoFam1" index="3"/>
<setAttrFromMatch attr="ipProto" index="4"/>
<setAttrFromMatch attr="srcIpAddr" index="5"/>
<setAttrFromMatch attr="srcIpPort" index="6"/>
<setAttrFromMatch attr="natProtoFam" index="7"/>
<setAttrFromMatch attr="postNATSrcIpAddr" index="8"/>
<setAttrFromMatch attr="postNATSrcIpPort" index="9"/>
<setAttrFromMatch attr="destIpAddr" index="10"/>
<setAttrFromMatch attr="destIpPort" index="11"/>
<setAttrFromMatch attr="realDstIP" index="12"/>
<setAttrFromMatch attr="policyId" index="13"/>
<setAttrFromMatch attr="bgpInfo" index="14"/>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">Nokia_LSN44_SDEL</setEventAttribute>
</parsingInstructions>
</parser>"
BA
BA
Announcements
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
Labels
-
FortiSIEM
166 -
Parsers
7 -
Rules
5 -
ClickHouse
4 -
fortisiem v7.2.0
4 -
FortiSIEM v6.x
4 -
integration
4 -
API
4 -
Agent Linux
3 -
database
3 -
Agent
3 -
FortiSIEM Cloud
3 -
Collector
3 -
External System Integration
3 -
FortiGate
3 -
lookuptables
2 -
FortiAnalyzer
2 -
Source Code
2 -
Collector Agent
2 -
Supervisor
2 -
FortiSiem 7.1
2 -
watchlist
2 -
SAML
2 -
Analytics & Reporting
2 -
GUI
2 -
Incidents
2 -
CMDB
2 -
Redhat 8
1 -
eventdb
1 -
Impact
1 -
"FortiSIEM Incidents"
1 -
Rocky Linux 8
1 -
Oracle Linux 8
1 -
Partnership Inquiry
1 -
lookups
1 -
o
1 -
OPManager
1 -
RBAC
1 -
User Control
1 -
Audit log
1 -
CMMC
1 -
Reference Files
1 -
Hi
1 -
cisco wsa
1 -
Audit
1 -
Report-Rules-Dashboards
1 -
FortiClient
1 -
FortiAuthenticator v5.5
1 -
upgrade
1 -
IPsec
1 -
Migration
1 -
External Connectors
1 -
LDAP
1 -
Report
1 -
Microsoft Office365
1 -
Azure
1 -
Cisco
1 -
discovery
1 -
Reference Material
1 -
Alma Linux 8
1 -
Notifications
1 -
Expressions
1 -
Architecture
1 -
FortiSASE
1 -
Status
1 -
MySQL
1 -
Internet service database
1 -
Dashboard
1 -
Usage
1 -
Certificate
1 -
enrichement
1 -
Windows Defender
1
Top Kudoed Authors
| User | Count |
|---|---|
| 72 | |
| 25 | |
| 15 | |
| 10 | |
| 10 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.