FortiSIEM Discussions
CarlosMaldonado
New Contributor

Problem Using Mcafee Parser XML

Greetings community.

Has anyone had an error modifying the McafeeXMLParser parser?

I have been doing several tests, but it always gives me this error:

Error on line 20 at column 35: Opening and ending tag mismatch: root line 0 and collectAndSetAttrByKeyValuePair.


######################
<patternDefinitions>
<pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
<setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="version" key="2"/>
<attrKeyMap attr="_id" key="3"/>
<attrKeyMap attr="hostIpAddr" key="4"/>
<attrKeyMap attr="hostName" key="5"/>
<attrKeyMap attr="hostMACAddr" key="6"/>
<attrKeyMap attr="osName" key="7"/>
<attrKeyMap attr="user" key="8"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>

######################

As far as I can see, the error is located in the yellow strip. But I see that the variables are opened and closed correctly.

Has anyone gone through the same thing?
KarnGriffen
New Contributor III

Carlos,

The original parser has this line:

<collectAndSetAttrByKeyValuePair sep=" src="$_body">

Yours has:

<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
-------------------------------------------
Original Message:
Sent: Jul 02, 2021 12:39 PM
From: Carlos Maldonado
Subject: Problem Using Mcafee Parser XML
CarlosMaldonado

Greetings,

That's how it is. I measured it for testing.

I have been testing the parser but with the default configuration it throws an error.

Below I attach the default configuration:

[screenshot: default parser configuration]
When reformatting the code, it throws the error indicated above.
-------------------------------------------
Original Message:
Sent: Jul 08, 2021 04:19 PM
From: Karn Griffen
Subject: Problem Using Mcafee Parser XML
KarnGriffen

Carlos,

I don't understand what you mean by "That's how it is. I measured it for testing."  The original parser and your parser are different on that line.  The original is sep=" and yours is sep=" ".  I suspect there is an issue with the interpretation of the new " you have added.  Can you post a sample of the log you are working with?  Also in the screenshot above, can you post it not showing the error box?  I'd like to see the color coding there to see if the line is formatted correctly.

Thanks,

Karn
-------------------------------------------
Original Message:
Sent: Jul 19, 2021 09:08 AM
From: Carlos Maldonado
Subject: Problem Using Mcafee Parser XML
KarnGriffen

Carlos,

I think I see what you mean. Try this:

Clone the original. Add the change so it reads:
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
Highlight all the text and press Ctrl-C to copy it. Then hit "Clear XML". Press Ctrl-V to paste the copied text back into the screen. Hit Reformat. Hit Validate.

I was able to get the cloned parser to Validate that way:

[screenshot: cloned parser passing Validate, taken 2021-07-19 9:50 AM]

-------------------------------------------
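An offline check that is worth running before pasting a fragment like this into the parser editor. This is an added example, not FortiSIEM code and not part of the thread. It feeds the posted fragment to Python's standard-library XML parser (expat) to confirm it is well-formed on its own, tries the variant of the `collectAndSetAttrByKeyValuePair` line shown in the first reply (`sep=" src="$_body"`) to show what a genuinely broken start tag looks like, and maps the reported position "line 20 at column 35" back to the line it points at. Wrapping the fragment in a `<root>` element is an assumption taken from the error text ("root line 0"); the editor evidently does something similar.

```python
"""Offline well-formedness check for a FortiSIEM parser XML fragment.

Added example (not FortiSIEM's code). expat's error messages differ in wording
from the editor's libxml2-style "Opening and ending tag mismatch", but the
line number it reports points at the same place.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# The fragment exactly as posted in the first message (24 lines).
FRAGMENT = r"""<patternDefinitions>
<pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
<setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
<collectAndSetAttrByKeyValuePair sep=" " src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
<attrKeyMap attr="version" key="2"/>
<attrKeyMap attr="_id" key="3"/>
<attrKeyMap attr="hostIpAddr" key="4"/>
<attrKeyMap attr="hostName" key="5"/>
<attrKeyMap attr="hostMACAddr" key="6"/>
<attrKeyMap attr="osName" key="7"/>
<attrKeyMap attr="user" key="8"/>
</collectAndSetAttrByKeyValuePair>
<when test="exist _id">
<setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
</when>
</parsingInstructions>"""

# The same fragment with the start tag as it appears in the first reply.
# Here the quote after sep= closes on the one before $_body, so the tag is
# not well-formed XML at all.
MANGLED = FRAGMENT.replace('sep=" " src="$_body"', 'sep=" src="$_body"')


def check_fragment(fragment: str) -> Tuple[bool, str, Optional[int]]:
    """Return (ok, message, line). <root> is prepended on the first line
    without a newline (assumed editor behaviour), so the line numbers expat
    reports are the fragment's own line numbers."""
    try:
        ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        line, _column = exc.position  # 1-based line, 0-based column
        return False, str(exc), line
    return True, "well-formed", None


def line_at(fragment: str, lineno: int) -> str:
    """Return the 1-based line that an editor error message points at."""
    return fragment.splitlines()[lineno - 1]


if __name__ == "__main__":
    print(check_fragment(FRAGMENT))
    ok, msg, line = check_fragment(MANGLED)
    print(ok, msg, "->", line_at(MANGLED, line))
    # "line 20 at column 35": the closing tag is 34 characters long, so the
    # position is the end of that tag. libxml2 raises the mismatch only when
    # it reads the end tag, which is why the highlighted line looks correct.
    tag = line_at(FRAGMENT, 20)
    print(tag, len(tag))
```

Run as a script, the first line prints `(True, 'well-formed', None)`: the pasted fragment is valid XML, so the failure comes from what the editor did with the edited `sep=" "` attribute rather than from a tag that was left open. The second check fails on line 11, the start tag itself, which is where a real quoting error is reported. The closing tag on line 20 is 34 characters, so "column 35" is the position just after it, consistent with a parser that never registered the matching start tag and therefore found only the wrapper `root` on its stack.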
CarlosMaldonado

Hello, excellent.

Thank you very much, that is exactly the solution. It now lets me validate and save.

Problem solved.
-------------------------------------------
Original Message:
Sent: Jul 19, 2021 09:53 AM
From: Karn Griffen
Subject: Problem Using Mcafee Parser XML