FortiSIEM Discussions
adem_netsys
Contributor

Parser Inability to Enable

Hi,

I have installed an agent on my Windows 2008 R2 machine and I am getting the logs here, but the logs are not parsed because the raw message is split into several parts. To try to fix this I disabled the default parser, but it does not test and does not produce a positive / negative output. I do not encounter such a problem in my test environment. When I want to validate the rule in the default, it gives an error in the XML, but it was working before; it is not possible to have an error because it is the system parser.

cdurkin_FTNT
Staff

Can you show an example "raw message is split into several parts"

Go to analytics where the events are coming in .. and also identify which event parser is being used.

adem_netsys

Hi @cdurkin_FTNT 

The problem here is that it doesn't show which parser it uses, but in my test environment I found that it parses properly when I edit the raw message and remove the spaces.

Data><Data Name='AccessList'>%%1538
				%%1541
				%%4417
				%%4418
				%%4420
				%%4423
				%%4424
				</Data><Data Name='AccessReason'>%%1538:	%%1804
				%%1541:	%%1801	D:(A;ID;FA;;;SY)
				%%4417:	%%1801	D:(A;ID;FA;;;SY)
				%%4418:	%%1801	D:(A;ID;FA;;;SY)
				%%4420:	%%1801	D:(A;ID;FA;;;SY)
				%%4423:	%%1801	D:(A;ID;FA;;;SY)
				%%4424:	%%1801	D:(A;ID;FA;;;SY)
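
The observation above (the event parses once the line breaks and tabs inside the Data values are removed) is something a defender can check before touching the system parser XML. The following is an added example in Python, not FortiSIEM or Fortinet code: it folds the multi-line Data values of a constructed Event ID 4663 fragment modelled on the one posted onto a single line and reports whether line breaks survive, so you can confirm that the splitting, rather than the parser definition, is what fails. The fragment, the ObjectName value and the function names are constructed for the example and make no claim about how the product's parser works internally.

```python
import re
from typing import Dict

# Constructed sample modelled on the multi-line Windows Event ID 4663 fragment
# posted in the thread: the AccessList and AccessReason values span several
# lines with leading tabs. Added example, not FortiSIEM code; it makes no
# claim about how the product's parser handles this internally.
SAMPLE_4663_FRAGMENT = (
    "<EventData><Data Name='ObjectName'>C:\\share\\file.txt</Data>"
    "<Data Name='AccessList'>%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4417\n\t\t\t\t</Data>"
    "<Data Name='AccessReason'>%%1538:\t%%1804\n\t\t\t\t%%1541:\t%%1801\tD:(A;ID;FA;;;SY)\n"
    "\t\t\t\t%%4417:\t%%1801\tD:(A;ID;FA;;;SY)\n\t\t\t\t</Data></EventData>"
)

# Matches one <Data Name='...'>value</Data> element; DOTALL lets the value
# span the line breaks that split the message in the first place.
_DATA_RE = re.compile(r"(<Data Name='([^']+)'>)(.*?)(</Data>)", re.DOTALL)


def collapse_data_values(raw: str) -> str:
    """Return the event text with every <Data> value folded onto one line.

    Runs of whitespace (newlines, tabs, spaces) inside a Data element are
    collapsed to a single space and trimmed; markup outside the values is
    left untouched, so the result is still the same XML fragment.
    """
    def _fold(match):
        value = " ".join(match.group(3).split())
        return f"{match.group(1)}{value}{match.group(4)}"

    return _DATA_RE.sub(_fold, raw)


def data_fields(raw: str) -> Dict[str, str]:
    """Map each Data element's Name to its whitespace-folded value."""
    return {m.group(2): " ".join(m.group(3).split())
            for m in _DATA_RE.finditer(raw)}


def is_single_line(raw: str) -> bool:
    """True when no line break survives, i.e. the event is one message."""
    return "\n" not in raw and "\r" not in raw


if __name__ == "__main__":
    folded = collapse_data_values(SAMPLE_4663_FRAGMENT)
    print(folded)
    for name, value in data_fields(folded).items():
        print(f"{name:>12}: {value}")
```

If the folded fragment parses in the test environment and the original does not, the issue is the message splitting on the collection path, which is useful evidence to attach to the TAC case.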
cdurkin_FTNT

Thanks.

Would really need a full csv export of the event .. and FortiSIEM version and agent version.

Message me privately if needed.

adem_netsys

Hi @cdurkin_FTNT

The siem we have is 7.1.3, the agent is 7.1.7. I am sorry to say that I cannot export the raw event in any way.

cdurkin_FTNT

What is the Windows Event ID?

adem_netsys

EventID>4663

cdurkin_FTNT

Thanks ...

So I think you have an incompatibility issue here...

I'd suggest you create a TAC case for this one.

https://docs.fortinet.com/document/fortisiem/7.1.6/fortisiem-version-compatibility-matrix/615062/for...

Running 7.1.3 FortiSIEM, your agent version should be 7.1.3 or less.

cdurkin_FTNT

I suggest you create a TAC case for this one, if that is not the case.

adem_netsys

Thank you for the reply. I'll fix the agent version to 7.1.3 or less. It looks like I will open a ticket about the test.
