Greetings community!
We are now receiving events from the Kaspersky cloud in FortiSIEM, where the format is a "System Log", and it has the following structure, for example:
<14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION [event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"]
<14>1 2025-04-15T01:34:49.000Z xxx_hostedinst_xxxxx.openstacklocal 1093|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="x.x.x.x" p3="2x\\xx" p5="x.x.x.x" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="<xxxx>" hip="x.x.x.x" gn="Managed devices" kscfqdn="xxx.openstacklocal"] User "2xxx" has connected to the Administration Server from "x.x.x.x".
As a result, the events are arriving as "Unknow_events", precisely because there is no parser for this type of log. As a first step, I created a new parser file just to test the simplest events, for example: <14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION [event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"].
The contents of parser.xml are below:
<eventFormatRecognizer>
    <![CDATA[TEST_SIEM_CONNECTION]]>
</eventFormatRecognizer>
<patternDefinitions>
    <pattern name="patTimestamp"><![CDATA[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z]]></pattern>
    <pattern name="patWord"><![CDATA[\S+]]></pattern>
    <pattern name="patQuotedString"><![CDATA[[^"]+]]></pattern>
</patternDefinitions>
<collectFieldsByRegex src="$_rawmsg">
    <regex>
        <![CDATA[<\d+>1\s+(?P<deviceReceiptTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\|\s+-\s+(?P<eventType>\S+)\s+\[event@\d+\s+et="(?P<et>[^"]+)"\s+etdn="(?P<etdn>[^"]+)"\]]]>
    </regex>
</collectFieldsByRegex>
<parsingInstructions>
    <setEventAttribute attr="eventType">Kaspersky-TEST_SIEM_CONNECTION</setEventAttribute>
    <setEventAttribute attr="eventSeverity">1</setEventAttribute>
    <setEventAttribute attr="msg">$etdn</setEventAttribute>
</parsingInstructions>
I made sure that the content of the XML parser was OK, and I also validated the regex both in a Python script and in regex101, to make sure that all the parameters of this event were matching, as shown below:
When I run the parser test in FortiSIEM itself to enable it, an error occurs, and the reason for it is not reported.
Does anyone have any idea why this is happening? Or any other strategy to address this issue, either in the GUI or by accessing one of the FortiSIEM components? Any help is welcome. Thanks!
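The two event shapes quoted in the question (the bare TEST_SIEM_CONNECTION line and the KLAUD_EV_SERVERCONNECT audit line) are RFC 5424 syslog: a PRI/VERSION/TIMESTAMP header, a few header tokens, one structured-data element `[event@23668 ...]`, and an optional free-text message after it. The following is an added example, not code from the post, from Kaspersky or from Fortinet, that parses both shapes in Python, including the RFC 5424 escaping visible in the `p3="2x\\xx"` value. The sample lines are constructed from the post's examples; the hostnames, addresses and the user name are made-up placeholders, and `kaspersky_fields()` is a mapping written here that reuses only the eventType and msg names from the post's parser.

```python
"""Parse Kaspersky Cloud syslog events of the shape shown in the post: an RFC 5424
header, one structured-data element and an optional free-text message after it.

Added example, not code from the post, from Kaspersky or from Fortinet. The sample
lines are constructed from the post; hostnames, addresses and the user name are
made-up placeholders (assumption).
"""
import re
from datetime import datetime
from typing import Dict, Tuple

# Constructed samples. On the wire p3 carries "\\", the RFC 5424 escape for one
# backslash; the post's own sample shows the same "2x\\xx" form.
SAMPLE_TEST = (
    '<14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION '
    '[event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"]'
)
SAMPLE_AUDIT = (
    '<14>1 2025-04-15T01:34:49.000Z ksc01_hostedinst_00001.openstacklocal 1093|1.0.0.0 - '
    'KLAUD_EV_SERVERCONNECT [event@23668 p2="203.0.113.10" p3="CORP\\\\admin" '
    'p5="203.0.113.10" p9="::1" et="KLAUD_EV_SERVERCONNECT" '
    'etdn="Audit (connection to the Administration Server)" hdn="<ksc01>" '
    'hip="198.51.100.5" gn="Managed devices" kscfqdn="ksc01.openstacklocal"] '
    'User "admin" has connected to the Administration Server from "203.0.113.10".'
)

# PRI, VERSION, TIMESTAMP, then the remaining header tokens up to the first "[".
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+(?P<timestamp>\S+)\s+"
                    r"(?P<fields>[^\[]*?)\s*(?=\[)")
SD_ID = re.compile(r"\[(?P<id>[^\s\]=]+)")
SD_PARAM = re.compile(r'\s*(?P<name>[^\s=\]"]+)="')
SD_END = re.compile(r"\s*\]")


def parse_structured_data(text: str, pos: int) -> Tuple[Dict[str, Dict[str, str]], int]:
    """Parse consecutive SD-ELEMENTs from text[pos] == '['.

    Returns ({sd_id: {name: value}}, position after the last ']'). Values are
    unescaped per RFC 5424, whose only escapes are \\", \\\\ and \\].
    """
    elements: Dict[str, Dict[str, str]] = {}
    while pos < len(text) and text[pos] == "[":
        m = SD_ID.match(text, pos)
        if not m:
            raise ValueError(f"bad SD-ID at offset {pos}")
        sd_id, pos, params = m.group("id"), m.end(), {}
        while not (end := SD_END.match(text, pos)):
            m = SD_PARAM.match(text, pos)
            if not m:
                raise ValueError(f"bad SD-PARAM at offset {pos}")
            name, pos, chars = m.group("name"), m.end(), []
            while True:
                if pos >= len(text):
                    raise ValueError(f"unterminated value for {name}")
                ch = text[pos]
                if ch == "\\" and pos + 1 < len(text) and text[pos + 1] in '"\\]':
                    chars.append(text[pos + 1])  # drop the escape, keep the character
                    pos += 2
                    continue
                pos += 1
                if ch == '"':
                    break
                chars.append(ch)
            params[name] = "".join(chars)
        pos = end.end()
        elements[sd_id] = params
    return elements, pos


def parse_event(line: str) -> Dict[str, object]:
    """Split one event into header fields, structured data and free text."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line with structured data")
    tokens = m.group("fields").split()
    # The post's test event has only APP-NAME ("|"), PROCID and MSGID; the audit
    # event also carries a HOSTNAME in front. Accept both shapes.
    if len(tokens) == 3:
        tokens.insert(0, "-")
    if len(tokens) != 4:
        raise ValueError(f"unexpected header tokens: {tokens}")
    hostname, app_name, proc_id, msg_id = (None if t == "-" else t for t in tokens)  # "-" is NILVALUE
    sd, pos = parse_structured_data(line, m.end())
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8, "severity": pri % 8, "version": int(m.group("version")),
        # fromisoformat() takes "+00:00" on every 3.7+ interpreter, "Z" only on 3.11+
        "timestamp": datetime.fromisoformat(m.group("timestamp").replace("Z", "+00:00")),
        "hostname": hostname, "app_name": app_name, "proc_id": proc_id, "msg_id": msg_id,
        "sd": sd, "msg": line[pos:].strip() or None,
    }


def kaspersky_fields(event: Dict[str, object]) -> Dict[str, object]:
    """Flatten a parsed event into the attributes a SIEM parser would set: eventType
    and msg follow the post's parser, every Kaspersky SD-PARAM keeps its own name."""
    params = next(iter(event["sd"].values()), {})
    fields: Dict[str, object] = dict(params)
    fields["eventType"] = "Kaspersky-" + str(event["msg_id"])
    fields["msg"] = event["msg"] or params.get("etdn")
    fields["deviceTime"] = int(event["timestamp"].timestamp())
    return fields
```

Two things this shows that a single hand-written regex hides: the test event has no HOSTNAME token (its header is `| - TEST_SIEM_CONNECTION`) while the audit event does, so a regex that fixes the number of header tokens can match only one of them; and the parameters are proper RFC 5424 SD-PARAMs, so reading them as a generic `name="value"` list with unescaping covers every Kaspersky event type rather than one field layout per `et`.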
Try this...
<eventFormatRecognizer><![CDATA[\s+TEST_SIEM_CONNECTION\s+]]></eventFormatRecognizer>
<parsingInstructions>
    <collectAndSetAttrByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><:gPatStr>\s+<_year:gPatYear>-<_mon:gPatMon>-<_day:gPatDay>T<_time:gPatTimeMSec><_tz:gPatTimeZone>\s+\|\s+-\s+TEST_SIEM_CONNECTION\s+\[event\@\d+\s+et=\"<:gPatStrDQ>\"\s+etdn=\"<_etdn:gPatStrDQ>\"\]]]></regex>
    </collectAndSetAttrByRegex>
    <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
    <setEventAttribute attr="eventType">Kaspersky-TEST_SIEM_CONNECTION</setEventAttribute>
    <setEventAttribute attr="eventSeverity">1</setEventAttribute>
    <setEventAttribute attr="msg">$_etdn</setEventAttribute>
</parsingInstructions>
It will only parse the first message though... I think you would need to have a few more samples to actually parse those Kaspersky Cloud events successfully.
Hi @thiago_inorpel,
I am not sure if the empty line of "Used Parser" means that the parser just did not correlate to the event, but from what I see, the eventFormatRecognizer looks correct.
Looking at
<![CDATA[<\d+>1\s+(?P<deviceReceiptTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\|\s+-\s+(?P<eventType>\S+)\s+\[event@\d+\s+et="(?P<et>[^"]+)"\s+etdn="(?P<etdn>[^"]+)"\]]]>
it feels like you are misusing the references to other regexes here, because the definition of the brackets is:
<resultingVariable:regexToMatchAgainst>
So, for example, from
<collectFieldsByRegex src="$_rawmsg">
    <regex><![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+<:gPatStr>\s+<_body:gPatMesgBody>]]></regex>
</collectFieldsByRegex>
you should get $_body out of that, but are using the regex patterns gPatSyslogPRI, gPatMon, etc.
Hope that helps to move one step further.
Best,
Christian
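The `<resultingVariable:regexToMatchAgainst>` rule above (with `<:pattern>` for match-only references, as in the accepted answer) can be checked offline before a parser is uploaded. The following is an added example and not FortiSIEM code: it expands a FortiSIEM-style template into a Python regex, rejects angle-bracket tokens that are not `<var:pattern>` placeholders (which is what the `(?P<name>...)` groups and the literal `<\d+>` in the question's regex are), runs the accepted answer's regex against the test event from the question, and rebuilds the timestamp from the captured parts as a local stand-in for the answer's `toDateTime($_mon, $_day, $_year, $_time, $_tz)` call. The gPat* entries are approximations written for this check, not FortiSIEM's own definitions, and `lint()`, `expand()`, `match_template()` and `to_datetime()` are names chosen here.

```python
"""Expand FortiSIEM-style <var:pattern> regex templates into Python regexes so a
parser regex can be tested offline before it is uploaded.

Added example, not FortiSIEM code. The gPat* entries are local approximations
written for this check (assumption); FortiSIEM's own definitions differ.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Approximations of the generic patterns referenced in this thread (assumption).
GPAT: Dict[str, str] = {
    "gPatSyslogPRI": r"<\d{1,3}>",
    "gPatStr": r"\S+",
    "gPatStrDQ": r'[^"]*',                    # body of a double-quoted string
    "gPatYear": r"\d{4}",
    "gPatMon": r"\d{2}|[A-Z][a-z]{2}",        # "04" or "Apr"
    "gPatDay": r"\d{1,2}",
    "gPatTimeMSec": r"\d{2}:\d{2}:\d{2}\.\d{1,6}",
    "gPatTimeZone": r"Z|[+-]\d{2}:?\d{2}",
    "gPatMesgBody": r".*",
}

# <var:pattern> captures into var; <:pattern> matches without capturing.
PLACEHOLDER = re.compile(r"<(?P<var>[A-Za-z_]\w*)?:(?P<pat>[A-Za-z_]\w*)>")
ANGLE = re.compile(r"<[^<>]*>")   # every angle-bracket token in the template


def lint(template: str) -> List[str]:
    """Report angle-bracket tokens that are not valid placeholders.

    In the template syntax angle brackets are reserved for <var:pattern>
    references, so both a literal <\\d+> and Python-style (?P<name>...) groups
    are reported. (A '<' inside a character class would be a false positive.)
    """
    problems = []
    for m in ANGLE.finditer(template):
        p = PLACEHOLDER.fullmatch(m.group())
        if p is None:
            problems.append(f"{m.group()!r} is not of the form <var:pattern>")
        elif p.group("pat") not in GPAT:
            problems.append(f"unknown pattern {p.group('pat')!r}")
    return problems


def expand(template: str) -> str:
    """Turn a template into a Python regex, or raise ValueError listing the problems."""
    problems = lint(template)
    if problems:
        raise ValueError("; ".join(problems))

    def sub(m):
        body = f"(?:{GPAT[m.group('pat')]})"
        return f"(?P<{m.group('var')}>{body})" if m.group("var") else body

    return PLACEHOLDER.sub(sub, template)


def match_template(template: str, line: str) -> Optional[Dict[str, str]]:
    """Search the line with the expanded template; return the captured variables."""
    m = re.search(expand(template), line)
    return m.groupdict() if m else None


def to_datetime(g: Dict[str, str]) -> datetime:
    """Local stand-in for toDateTime($_mon, $_day, $_year, $_time, $_tz) (assumption)."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if g["_mon"].isdigit() else "%Y-%b-%d %H:%M:%S.%f"
    naive = datetime.strptime(f"{g['_year']}-{g['_mon']}-{g['_day']} {g['_time']}", fmt)
    tz = g["_tz"]
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[-2:]))
    return naive.replace(tzinfo=timezone(offset))


# The test event from the question and the two regexes discussed in the thread.
SAMPLE = ('<14>1 2025-04-15T12:50:06.047Z | - TEST_SIEM_CONNECTION '
          '[event@23668 et="TEST_SIEM_CONNECTION" etdn="Test Siem Connection"]')
ANSWER_REGEX = (r'<:gPatSyslogPRI><:gPatStr>\s+<_year:gPatYear>-<_mon:gPatMon>-<_day:gPatDay>'
                r'T<_time:gPatTimeMSec><_tz:gPatTimeZone>\s+\|\s+-\s+TEST_SIEM_CONNECTION\s+'
                r'\[event\@\d+\s+et=\"<:gPatStrDQ>\"\s+etdn=\"<_etdn:gPatStrDQ>\"\]')
QUESTION_REGEX = (r'<\d+>1\s+(?P<deviceReceiptTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)'
                  r'\s+\|\s+-\s+(?P<eventType>\S+)\s+\[event@\d+\s+et="(?P<et>[^"]+)"'
                  r'\s+etdn="(?P<etdn>[^"]+)"\]')

if __name__ == "__main__":
    print(lint(QUESTION_REGEX))
    fields = match_template(ANSWER_REGEX, SAMPLE)
    print(fields, to_datetime(fields))
```

Running `lint()` on the question's regex reports five offending tokens (`<\d+>` and the four `(?P<...>` group names), while the answer's regex lints clean and yields `_year`, `_mon`, `_day`, `_time`, `_tz` and `_etdn` from the sample. Because that regex hard-codes `\|\s+-\s+TEST_SIEM_CONNECTION`, it does not match the KLAUD_EV_SERVERCONNECT line, which is the limitation the answer itself points out; the check is only as good as the local gPat* approximations, so a clean result here still needs the real upload test in FortiSIEM.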