Hello excellent.
Thank you very much, there is just the solution. It already allows me to validate and save.
Problem solved.
-------------------------------------------
Original Message:
Sent: Jul 19, 2021 09:53 AM
From: Karn Griffen
Subject: Problem Using Mcafee Parser XML
Carlos,
I think I see what you mean. Try this:
Clone the original. Add the change so it reads:
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
Highlight all the text and perform a Ctrl-C to copy it. Then hit "Clear XML". Ctrl-V paste the copied text back into the screen. Hit Reformat. Hit Validate.
I was able to get the cloned parser to Validate that way:
Original Message:
Sent: Jul 19, 2021 09:08 AM
From: Carlos Maldonado
Subject: Problem Using Mcafee Parser XML
Greetings,
That's how it is. I measured it for testing.
I have been testing the parser but with the default configuration it throws an error.
Below I attach the default configuration:
[image attachment]
When reformatting the code, it throws the error indicated above.
Original Message:
Sent: Jul 08, 2021 04:19 PM
From: Karn Griffen
Subject: Problem Using Mcafee Parser XML
Carlos,
The original parser has this line:
<collectAndSetAttrByKeyValuePair sep=" src="$_body">
Yours has:
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
Original Message:
Sent: Jul 02, 2021 12:39 PM
From: Carlos Maldonado
Subject: Problem Using Mcafee Parser XML
Greetings community.
Someone had an error modifying the McafeeXMLParser parser.
I have been doing several tests but it always gives me the error of:
Error on line 20 at column 35: Opening and ending tag mismatch: root line 0 and collectAndSetAttrByKeyValuePair.
######################
<patternDefinitions>
<pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
<setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="version" key="2"/>
<attrKeyMap attr="_id" key="3"/>
<attrKeyMap attr="hostIpAddr" key="4"/>
<attrKeyMap attr="hostName" key="5"/>
<attrKeyMap attr="hostMACAddr" key="6"/>
<attrKeyMap attr="osName" key="7"/>
<attrKeyMap attr="user" key="8"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>
######################
As I observe, the error is located in the yellow strip. But I see that the variables are closed and opened correctly.
Did someone go through the same thing?
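An offline well-formedness check for a parser fragment like the one in this thread, added here as an example; it is not part of the original posts or of the product. It assumes the validator wraps the pasted text in a `<root>` element (which the "root line 0" in the error message suggests). Both samples are constructed, and the broken one is not claimed to be the cause of the error above.

```python
import xml.parsers.expat as expat

def check_fragment(fragment):
    """Return None if the fragment is well-formed XML, else a dict describing
    the first error, with line numbers relative to the fragment."""
    open_elems = []                      # (name, fragment line where it opened)
    parser = expat.ParserCreate()

    def on_start(name, attrs):
        # The wrapper sits on document line 1, so the fragment starts on line 2.
        open_elems.append((name, parser.CurrentLineNumber - 1))

    def on_end(name):
        open_elems.pop()

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        # Assumption: the validator wraps the pasted text in a <root> element.
        parser.Parse("<root>\n" + fragment + "\n</root>", True)
    except expat.ExpatError as err:
        return {
            "line": err.lineno - 1,
            "column": err.offset + 1,
            "message": expat.ErrorString(err.code),
            "open": list(open_elems),    # elements still open at the error
        }
    return None

# Constructed sample based on the element names in the thread.
GOOD = '''<parsingInstructions>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="_id" key="3"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>'''

# Constructed fault: the opening tag is self-closed, so its end tag has no partner.
BROKEN = GOOD.replace('src="$_body">', 'src="$_body"/>')

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("broken", BROKEN)):
        print(label, check_fragment(text))
```

The `open` list shows which elements were still open when the stray end tag was reached, which is the same pairing a "tag mismatch" message reports.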