FortiSIEM Discussions
pradarsha
Staff

Device not accepting custom parser

Dear Team,

I created a simple custom parser for a ZTE device; it passed all tests with multiple ZTE raw logs, but the device is not accepting the parser, i.e. the ZTE device logs are still shown as "Unknown_EventType" in FortiSIEM.

Can someone help in identifying the issue, or offer any suggestions?

I tried linking the parser manually in CMDB -> Device -> Edit Device -> Parsers.

Below are the logs and the parser.

-----------------------------------------------------------------------------------------

<!-- Sample raw logs used to test the parser -->
<!--
<190>2025 May 15 14:23:31 172.21.107.110 alarm-log:mac 407c.7d5d.a1d0 vlan 4000 move from gei_1/3/3 to gei_1/4/3
<134>2025 May 15 13:43:41 172.21.107.110 command-log: telnet0 mikul 27.116.54.53 /*** telnet user log in ***/
-->
<!-- Stage 1: a raw message is handed to this parser only if this regex matches it -->
<eventFormatRecognizer><![CDATA[alarm-log|command-log]]></eventFormatRecognizer>
<patternDefinitions>
  <!-- The three patterns below are defined but not referenced by the instructions posted -->
  <pattern name="patLevel"><![CDATA[\w+-\w+]]></pattern>
  <pattern name="patos"><![CDATA[TMNX]]></pattern>
  <pattern name="patint"><![CDATA[alarm-log|command-log]]></pattern>
</patternDefinitions>
<parsingInstructions>
  <!-- Stage 2: split the raw message into the syslog PRI, timestamp parts, reporting IP and body -->
  <collectFieldsByRegex src="$_rawmsg">
    <regex>
      <![CDATA[<_syslogpriority:gPatSyslogPRI><_year:gPatYear>\s+<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<reptDevIpAddr:gPatIpAddr>\s*<_body:gPatMesgBody>]]>
    </regex>
  </collectFieldsByRegex>
  <!-- Assemble the device timestamp from the captured parts, then set the remaining attributes -->
  <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute>
  <setEventAttribute attr="msg">$_body</setEventAttribute>
  <setEventAttribute attr="reptVendor">ZTE</setEventAttribute>
  <setEventAttribute attr="reptDevName">ZXOS</setEventAttribute>
  <!-- closes the element opened above; the rest of the parser, including any eventType assignment and the enclosing eventParser element, is not part of the post -->
</parsingInstructions>


Adarsha P R
1 Solution
Secusaurus
Contributor III

Hi @pradarsha,

The most common issue I see, matching your info, is that the parser is either not activated or "apply" was not pressed afterwards (note that you need to press "apply" for every data type, e.g. event types, as well).

It might also be possible that there was a wrong parser assignment when onboarding the device, although this should not matter later on.

Anyway, removing the device from the CMDB and waiting (since this is syslog, it will re-appear with the next logs) should fix most of the CMDB-related issues.

If this still does not help, take some of the raw logs you receive and have another look at them to see whether they really match your format recognizer. If there is a device forwarding the logs in between, it might modify the string.

Best,

Christian

FCX #003451 | Fortinet Advanced Partner
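A local check of the two stages the posted parser runs, written as an added example for this thread (not FortiSIEM's own code): stage 1 applies the eventFormatRecognizer to each raw line, stage 2 applies the posted collectFieldsByRegex pattern with the built-in gPat* tokens replaced by assumed approximations, and a constructed third line shows how a relay that re-wraps the message can pass the recognizer yet fail field extraction, the case Christian's last paragraph warns about. The gPat* expansions, the relay-style sample line and the unanchored search are assumptions, not FortiSIEM's real definitions.

```python
import re
from datetime import datetime

# Sample input, constructed for this example: the two raw lines from the post plus a
# third variant as a relay that prepends its own syslog header might deliver it.
RAW_LOGS = [
    "<190>2025 May 15 14:23:31 172.21.107.110 alarm-log:mac 407c.7d5d.a1d0 vlan 4000 move from gei_1/3/3 to gei_1/4/3",
    "<134>2025 May 15 13:43:41 172.21.107.110 command-log: telnet0 mikul 27.116.54.53 /*** telnet user log in ***/",
    "<134>May 15 13:43:41 relay01 2025 May 15 13:43:41 172.21.107.110 command-log: telnet0 mikul 27.116.54.53 /*** telnet user log in ***/",
]

# Stage 1: the eventFormatRecognizer from the post, applied as an unanchored search (assumed).
RECOGNIZER = re.compile(r"alarm-log|command-log")

# Stage 2: the collectFieldsByRegex pattern exactly as posted.
FSM_REGEX = (
    r"<_syslogpriority:gPatSyslogPRI><_year:gPatYear>\s+<_mon:gPatMon>\s+<_day:gPatDay>\s+"
    r"<_time:gPatTime>\s+<reptDevIpAddr:gPatIpAddr>\s*<_body:gPatMesgBody>"
)

# Assumed approximations of the built-in gPat* tokens; FortiSIEM's real definitions are broader.
GPAT = {
    "gPatSyslogPRI": r"<\d{1,3}>",
    "gPatYear": r"\d{4}",
    "gPatMon": r"[A-Z][a-z]{2}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{2}:\d{2}:\d{2}",
    "gPatIpAddr": r"\d{1,3}(?:\.\d{1,3}){3}",
    "gPatMesgBody": r".*",
}
TOKEN = re.compile(r"<(\w+):(\w+)>")  # one '<attr:gPatName>' capture token

def to_python_regex(fsm: str):
    """Rewrite FortiSIEM capture tokens as Python named groups using the GPAT table."""
    return re.compile(TOKEN.sub(lambda m: f"(?P<{m.group(1)}>{GPAT[m.group(2)]})", fsm))

FIELD_REGEX = to_python_regex(FSM_REGEX)

def check_log(raw: str) -> dict:
    """Report whether a raw line passes the recognizer and, if so, which fields the regex yields."""
    result = {"recognized": bool(RECOGNIZER.search(raw)), "fields": None}
    if result["recognized"]:
        m = FIELD_REGEX.search(raw)
        result["fields"] = m.groupdict() if m else None  # None: recognized but not parsed
    return result

def device_time(fields: dict) -> datetime:
    """Mirror toDateTime($_mon, $_day, $_year, $_time) from the posted parser."""
    return datetime.strptime(" ".join(fields[k] for k in ("_year", "_mon", "_day", "_time")), "%Y %b %d %H:%M:%S")
```

Run check_log over lines captured on the collector itself (e.g. from a packet capture) rather than the device's own test logs, since the relay-style line is the kind of difference that only shows up there.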

pradarsha

Hi Christian,

Thank you for the response; restarting phParser fixed it.

Adarsha P R