Hi
I have a PAM360 Parser, but it can miss users. Does anyone have a parser related to this?
Here is my PAM360 parser, it's pretty basic though.
<patternDefinitions>
  <!-- eight colon-separated groups of 1-2 digits; used for the first source form -->
  <pattern name="patIpV6Dot"><![CDATA[\d{1,2}:\d{1,2}:\d{1,2}:\d{1,2}:\d{1,2}:\d{1,2}:\d{1,2}:\d{1,2}]]></pattern>
</patternDefinitions>
<!-- syslog header followed by either audit type; the alternation is grouped so both
     branches require the header -->
<eventFormatRecognizer><![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+.*(ResourceAudit|UserAudit):]]></eventFormatRecognizer>
<parsingInstructions>
  <switch>
    <!-- source given as patIpV6Dot -->
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+<_ptype:gPatStr>:<userId:gPatStr>:<srcIpAddr:patIpV6Dot>\s+<_type:gPatStr><_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
      <setEventAttribute attr="debug">caseIPv6</setEventAttribute>
    </case>
    <!-- source given as an IPv4 address -->
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+<_ptype:gPatStr>:<userId:gPatStr>:<srcIpAddr:gPatIpAddr>\s+<_type:gPatStr><_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
      <setEventAttribute attr="debug">caseIPV4</setEventAttribute>
    </case>
    <!-- source given as a host name -->
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+<_ptype:gPatStr>:<userId:gPatStr>:<srcName:gPatStr>\s+<_type:gPatStr><_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
      <setEventAttribute attr="debug">caseHost</setEventAttribute>
    </case>
    <!-- fallback: reporting device by IP, no user/source fields -->
    <case>
      <collectFieldsByRegex src="$_rawmsg">
        <regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostIp:gPatIpAddr>\s+<_ptype:gPatStr>:<_body:gPatMesgBody>]]></regex>
      </collectFieldsByRegex>
      <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
      <setEventAttribute attr="debug">caseAll</setEventAttribute>
    </case>
  </switch>
  <setEventAttribute attr="eventType">combineMsgId("$_ptype", "_", $_type)</setEventAttribute>
  <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
  <setEventAttribute attr="eventAction">0</setEventAttribute>
  <setEventAttribute attr="type">$_ptype</setEventAttribute>
  <setEventAttribute attr="compEventType">$_type</setEventAttribute>
  <setEventAttribute attr="usrMsg">$_body</setEventAttribute>
  <choose>
    <!-- ResourceAudit body: customer:account:user:message -->
    <when test="$_ptype = 'ResourceAudit'">
      <collectAndSetAttrByRegex src="$_body">
        <regex><![CDATA[<_year:gPatYear>\/<_mon:gPatMon>\/<_day:gPatDay>\s+<_time:gPatTime>\s+<status:gPatStr>\s+<serverName:gPatStr>\s+<targetCustomer:gPatStr>:<accountName:gPatStr>:<distinctUser:gPatStr>:<msg:gPatMesgBody>]]></regex>
      </collectAndSetAttrByRegex>
      <setEventAttribute attr="eventSeverity">1</setEventAttribute>
    </when>
    <!-- UserAudit body: customer-user:message -->
    <when test="$_ptype = 'UserAudit'">
      <collectAndSetAttrByRegex src="$_body">
        <regex><![CDATA[<_year:gPatYear>\/<_mon:gPatMon>\/<_day:gPatDay>\s+<_time:gPatTime>\s+<status:gPatStr>\s+<serverName:gPatStr> <targetCustomer:gPatStr>-<distinctUser:gPatStr>:<msg:gPatMesgBody>]]></regex>
      </collectAndSetAttrByRegex>
      <setEventAttribute attr="eventSeverity">1</setEventAttribute>
    </when>
  </choose>
  <choose>
    <when test="$_type = 'File OPen'">
      <!-- <182>Jan 2 13:13:46 file_smb[2270]: [User:TEK2020+kcanalichio(192.168.216.7)] File Open(Read) /mnt/array1/Applications/ISO -->
    </when>
  </choose>
  <!-- a <when> must sit inside a <choose>; the original had it bare -->
  <choose>
    <when test="exist srcName">
      <setEventAttribute attr="hostName">$srcName</setEventAttribute>
    </when>
  </choose>
</parsingInstructions>
When I try UserAudit and ResourceAudit logs, I get an error at line 29, column 38.
The error was probably caused by the cutting and pasting of the parser into the web form. I would check line 30 to make sure all of the variables (hostName, srcName, userId) and pattern definitions exist in the SIEM, and make sure the \s+ are all correct:
<![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<hostName:gPatStr>\s+<_ptype:gPatStr>:<userId:gPatStr>:<srcName:gPatStr>\s+<_type:gPatStr><_body:gPatMesgBody>]]>
Also, your messages are in this format:
<38>May 31 03:04:18 p-core-pam0 ResourceAudit:System:localhost Password_Verified 2024/05/31 03:04:17 Success p-core-pam0 u-rixrug-rpt0:vapps_nimda2:N/A:Password_not_in_Sync
Yes, I checked the variables and they're all in SIEM. The message is in the format you posted and when I try that I get a test error.
Sorry, I currently don't have time to help you debug it. It works fine in my SIEM. You should try removing variables from the regex until it works and then add them back in using the correct syntax that will match the event.
This is the parser I have, and I parse the name with it, but in UserAudit this log is different and therefore it misses the name.
<patternDefinitions>
<pattern name="patSep"><![CDATA[\s+|\t+]]></pattern>
<pattern name="patUser"><![CDATA[.*?:]]></pattern>
<pattern name="patSentence"><![CDATA[[^ ]*[\s[^ ]*]*]]></pattern>
<pattern name="patReg"><![CDATA[ResourceAudit|UserAudit]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[<:patReg>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex>
<![CDATA[<:gPatSyslogPRI>?<:gPatMon><:patSep><:gPatDay><:patSep><:gPatTime>\s+<:gPatStr>\s+<_body:gPatMesgBody>]]>
</regex>
</collectFieldsByRegex>
<collectFieldsByRegex src="$_body">
<regex>
<![CDATA[<_eventType:patReg>:<user:gPatStrEndColon>:<srcIpAddr:gPatStr><:patSep><action:gPatStr><:patSep><:gPatStr><:patSep><:gPatStr><:patSep><status:gPatStr>]]>
</regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">combineMsgId( $_eventType, "-", $status)</setEventAttribute>
</parsingInstructions>
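As an added example (not from this thread and not FortiSIEM's own code), a small Python harness that expands the `<name:pattern>` regex syntax used by the parsers above, runs the second parser's two regexes over the sample line quoted earlier, and implements the "remove variables until it matches" check suggested in the replies by reporting the first token that stops matching. The pattern definitions in PATTERNS are my approximations of the FortiSIEM globals, not the SIEM's actual definitions, and the truncated line is constructed.

```python
import re

# Approximations of the FortiSIEM global patterns used by the parsers above
# (assumption: the SIEM's own definitions may be wider than these).
PATTERNS = {
    "gPatSyslogPRI": r"<\d+>",
    "gPatMon": r"[A-Z][a-z]{2}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{1,2}:\d{2}:\d{2}",
    "gPatStr": r"\S+",
    "gPatStrEndColon": r"[^:]+",
    "gPatMesgBody": r".*",
    # patternDefinitions from the second parser in the thread
    "patSep": r"\s+|\t+",
    "patReg": r"ResourceAudit|UserAudit",
}
TOKEN = re.compile(r"<(\w*):(\w+)>")

def to_python_regex(fsm_regex):
    """Expand <name:pattern> into a named group and <:pattern> into an anonymous one."""
    def sub(m):
        name, body = m.group(1), PATTERNS[m.group(2)]
        return f"(?P<{name}>{body})" if name else f"(?:{body})"
    return TOKEN.sub(sub, fsm_regex)

def collect_fields(fsm_regex, text):
    """collectFieldsByRegex equivalent: dict of named fields, or None on no match."""
    m = re.match(to_python_regex(fsm_regex), text)
    return m.groupdict() if m else None

def first_failing_token(fsm_regex, text):
    """Drop tokens from the right until the regex matches; return (matching prefix, breaking token or None)."""
    parts = [p for p in re.split(r"(<\w*:\w+>)", fsm_regex) if p]
    for k in range(len(parts), -1, -1):
        prefix = "".join(parts[:k])
        if re.match(to_python_regex(prefix), text):
            return prefix, (parts[k] if k < len(parts) else None)

# The two regexes of the second parser above: syslog header first, then the body.
HEADER_RE = (r"<:gPatSyslogPRI>?<:gPatMon><:patSep><:gPatDay><:patSep><:gPatTime>"
             r"\s+<:gPatStr>\s+<_body:gPatMesgBody>")
BODY_RE = (r"<_eventType:patReg>:<user:gPatStrEndColon>:<srcIpAddr:gPatStr><:patSep>"
           r"<action:gPatStr><:patSep><:gPatStr><:patSep><:gPatStr><:patSep><status:gPatStr>")
# Sample event quoted in the thread; TRUNCATED is a constructed copy cut mid-message.
SAMPLE = ("<38>May 31 03:04:18 p-core-pam0 ResourceAudit:System:localhost Password_Verified "
          "2024/05/31 03:04:17 Success p-core-pam0 u-rixrug-rpt0:vapps_nimda2:N/A:Password_not_in_Sync")
TRUNCATED = SAMPLE[:SAMPLE.index(" 03:04:17")]

def parse_event(raw):
    """Stage 1 isolates the body after the syslog header; stage 2 extracts the fields."""
    header = collect_fields(HEADER_RE, raw)
    return collect_fields(BODY_RE, header["_body"]) if header else None
```

Running `first_failing_token(BODY_RE, ...)` on the body of the truncated line points at the `<:patSep>` that follows the date, which is exactly the token to strip when narrowing down a non-matching regex.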
Which attributes did you create for this?
I create so many parsers and try to use existing attributes, but based on the parser these are the attributes that need to exist:
hostName
hostIp
eventType
deviceTime
eventAction
type
compEventType
usrMsg
status
serverName
targetCustomer
eventSeverity
distinctUser
msg
accountName
Thank you for your reply, most of these are already available. I just added hostIpAddr instead of hostIp, but still no change.