Hi,
I have installed an agent on my Windows 2008 R2 machine and I am getting the logs here, but the logs are not parsed because the raw message is split into several parts. To try to fix this I disabled the default parser, but it does not test and does not produce a positive/negative output. I do not encounter such a problem in my test environment. When I want to validate the rule in the default, it gives an error in the XML, but it was working before; it is not possible to have an error because it is the system parser.
Can you show an example "raw message is split into several parts"
Go to analytics where the events are coming in .. and also identify which event parser is being used.
The problem here is that it doesn't show which parser it uses, but in my test environment I found that it parses properly when I edit the raw message and remove the spaces.
Data><Data Name='AccessList'>%%1538 %%1541 %%4417 %%4418 %%4420 %%4423 %%4424 </Data><Data Name='AccessReason'>%%1538: %%1804 %%1541: %%1801 D:(A;ID;FA;;;SY) %%4417: %%1801 D:(A;ID;FA;;;SY) %%4418: %%1801 D:(A;ID;FA;;;SY) %%4420: %%1801 D:(A;ID;FA;;;SY) %%4423: %%1801 D:(A;ID;FA;;;SY) %%4424: %%1801 D:(A;ID;FA;;;SY)
Thanks.
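The fragment above is the EventData section of a Windows Security event: an AccessList of %%-prefixed placeholders (Windows resolves these against its message table at display time) and an AccessReason that pairs each code with a reason code and, optionally, an SDDL ACE. The trailing space inside the AccessList element is exactly the kind of thing a whitespace-sensitive tokenizer chokes on. The following is an added example, not FortiSIEM's parser and not code from the poster: a small Python parser that pulls the Data elements out of a constructed fragment modelled on the one posted, trims the surrounding whitespace, and splits the two fields into structured values.

```python
import re

# Constructed sample modelled on the fragment in the thread (Windows Security
# event EventData). This is not a captured event from the poster's system.
SAMPLE_EVENT_DATA = (
    "<Data Name='AccessList'>%%1538 %%1541 %%4417 %%4418 %%4420 %%4423 %%4424 </Data>"
    "<Data Name='AccessReason'>%%1538: %%1804 %%1541: %%1801 D:(A;ID;FA;;;SY) "
    "%%4417: %%1801 D:(A;ID;FA;;;SY) %%4418: %%1801 D:(A;ID;FA;;;SY) "
    "%%4420: %%1801 D:(A;ID;FA;;;SY) %%4423: %%1801 D:(A;ID;FA;;;SY) "
    "%%4424: %%1801 D:(A;ID;FA;;;SY)</Data>"
)

# One <Data Name='...'>value</Data> element per match.
DATA_RE = re.compile(r"<Data Name='([^']+)'>(.*?)</Data>", re.DOTALL)
# "<access code>: <reason code> [D:(...ACE...)]" with the ACE optional.
REASON_RE = re.compile(r"(%%\d+):\s+(%%\d+)(?:\s+(D:\([^)]*\)))?")


def parse_event_data(fragment):
    """Return {name: value} for every Data element, stripping the leading and
    trailing whitespace that trips a naive space-delimited tokenizer."""
    return {name: value.strip() for name, value in DATA_RE.findall(fragment)}


def parse_access_list(raw):
    """Split AccessList into its %%-coded access-right tokens. str.split()
    with no argument collapses repeated and trailing whitespace."""
    return [tok for tok in raw.split() if tok.startswith("%%")]


def parse_access_reason(raw):
    """Map each access code to (reason code, SDDL ACE or None).
    In the sample, %%1538 is explained by %%1804 with no ACE attached."""
    return {code: (reason, ace or None) for code, reason, ace in REASON_RE.findall(raw)}


def parse(fragment):
    """Parse the EventData fragment into a dict of structured fields."""
    data = parse_event_data(fragment)
    return {
        "access_list": parse_access_list(data.get("AccessList", "")),
        "access_reason": parse_access_reason(data.get("AccessReason", "")),
    }


if __name__ == "__main__":
    result = parse(SAMPLE_EVENT_DATA)
    print("AccessList:", result["access_list"])
    for code, (reason, ace) in result["access_reason"].items():
        print(f"{code} -> reason {reason}, ACE {ace}")
```

The point of `strip()` and the argument-less `split()` is that the parser accepts the message both with and without the stray spaces, so the same rule matches whether or not the event is cleaned up by hand first.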
Would really need a full csv export of the event .. and FortiSIEM version and agent version.
Message me privately if needed.
The siem we have is 7.1.3, the agent is 7.1.7. I am sorry to say that I cannot export the raw event in any way.
What is the Windows Event ID?
Created on 05-15-2024 11:16 AM Edited on 05-15-2024 11:17 AM
Thanks ...
So I think you have incompatibility issue here...
I'd suggest you create a TAC case for this one.
Running 7.1.3 FortiSIEM, your agent version should be 7.1.3 or Less.
I suggest you create a TAC case for this one, if that is not the case.
Thank you for the reply. I'll fix the agent version as 7.1.3 or less. It looks like I will open a ticket about the test.