ShareTec Firewall parser edit
Hello Sirs,
I am new to FortiSIEM. Recently I received a firewall from Taiwan called ShareTec INF-8600.
The firewall log line looks like this:
10.40.53.34 Feb 19 17:39:26 l7fw daemon info conntrack CEF:0|Sharetech|INF-8600T|9.0.2.5|10|TRAFFIC|10|deviceExternalId=E2056E3621080056 dvchost=INF-8600T cs1Label=Rule cs1=102 act=allow proto=UDP start=1739957929000 end=1739957966000 src=10.40.53.214 dst=10.10.12.11 spt=58463 dpt=443 out=4992 in=0 cn1Label=APP cn1=1270
I have also tried many times to write a parser with AI help, such as the one below:
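<!-- NOTE(review): the <DOCUMENT> wrapper is not used by the working parser
     further down this thread; confirm which root element the FortiSIEM parser
     editor expects before testing, as this may be the source of the errors. -->
<DOCUMENT>
  <!-- Recognize the event by the fixed vendor/product fields of the CEF header.
       The previous [^\t]+ groups also match spaces, so they did not pin any
       header position and would accept unrelated syslog lines. -->
  <eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Sharetech\|INF-8600T\|]]></eventFormatRecognizer>
  <parsingInstructions>
    <!-- Syslog header. Sample line:
         "10.40.53.34 Feb 19 17:39:26 l7fw daemon info conntrack CEF:0|..."
         Field order: relay address, month, day, time, hostname,
         facility ("daemon"), severity ("info"), program ("conntrack"). -->
    <collectFieldsByRegex src="$_rawmsg">
      <regex><![CDATA[^(\S+)\s+(([A-Za-z]+)\s+(\d+)\s+(\d+:\d+:\d+))\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)]]></regex>
      <mapping>
        <map name="deviceAddress" value="$1"/>
        <!-- Whole timestamp kept for compatibility; the three parts below feed toDateTime. -->
        <map name="timestamp" value="$2"/>
        <map name="_mon" value="$3"/>
        <map name="_day" value="$4"/>
        <map name="_time" value="$5"/>
        <map name="hostname" value="$6"/>
        <!-- "daemon" is the syslog facility and "conntrack" the program;
             the earlier mapping had these two swapped. -->
        <map name="facility" value="$7"/>
        <!-- Private name so it no longer collides with the CEF header severity
             set below; the later write would otherwise silently override it. -->
        <map name="_syslogSeverity" value="$8"/>
        <map name="program" value="$9"/>
      </mapping>
    </collectFieldsByRegex>
    <!-- Device time from the syslog header. The header carries no year;
         NOTE(review): confirm how toDateTime resolves it. -->
    <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
    <!-- CEF header: everything after "CEF:" (starts with the CEF version, "0" in the sample). -->
    <setEventAttribute attr="rawCEF">
      <regexExtract src="$_rawmsg">
        <regex>CEF:(.+)$</regex>
        <group>1</group>
      </regexExtract>
    </setEventAttribute>
    <!-- CEF header order: version | vendor | product | version | event class id | name | severity | extension.
         The version field is matched with \d+ rather than a literal 0 so a
         firmware change in the CEF version does not break parsing. -->
    <collectFieldsByRegex src="$rawCEF">
      <regex><![CDATA[^\d+\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)]]></regex>
      <mapping>
        <map name="deviceVendor" value="$1"/>
        <map name="deviceProduct" value="$2"/>
        <map name="deviceVersion" value="$3"/>
        <map name="deviceEventClassId" value="$4"/>
        <map name="name" value="$5"/>
        <map name="severity" value="$6"/>
        <map name="extension" value="$7"/>
      </mapping>
    </collectFieldsByRegex>
    <!-- Extension fields: space-separated key=value pairs. A value containing
         spaces would be truncated by sep=" "; the sample has none. -->
    <setEventAttribute attr="deviceExternalId">
      <regexExtract src="$extension">
        <regex>deviceExternalId=([^\s]+)</regex>
        <group>1</group>
      </regexExtract>
    </setEventAttribute>
    <setEventAttribute attr="dvchost">
      <regexExtract src="$extension">
        <regex>dvchost=([^\s]+)</regex>
        <group>1</group>
      </regexExtract>
    </setEventAttribute>
    <!-- Connection tuple and byte counters, previously left unparsed. -->
    <collectFieldsByKeyValuePair kvsep="=" sep=" " src="$extension">
      <attrKeyMap attr="srcIpAddr" key="src"/>
      <attrKeyMap attr="destIpAddr" key="dst"/>
      <attrKeyMap attr="srcIpPort" key="spt"/>
      <attrKeyMap attr="destIpPort" key="dpt"/>
      <attrKeyMap attr="_proto" key="proto"/>
      <attrKeyMap attr="recvBytes" key="in"/>
      <attrKeyMap attr="sentBytes" key="out"/>
    </collectFieldsByKeyValuePair>
    <when test="exist _proto">
      <setEventAttribute attr="ipProto">convertStrToIntIpProto($_proto)</setEventAttribute>
    </when>
    <!-- Fixed event type; every CEF "name" value (TRAFFIC in the sample) lands here. -->
    <setEventAttribute attr="eventType">ShareTech_Traffic_Log</setEventAttribute>
  </parsingInstructions>
</DOCUMENT>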
Everything looked great and I thought we were about to succeed, but then it threw errors during testing. I'm at my wit's end now.
Could the experts/gurus here please help me?
This would be the very basics of a parser to match your log
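<!-- Recognize the event by the fixed vendor/product fields of the CEF header so
     only this device's messages are routed to this parser. -->
<eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Sharetech\|INF-8600T\|]]></eventFormatRecognizer>
<parsingInstructions>
  <!-- Syslog month/day/time, then everything after the CEF version field
       ("Sharetech|INF-8600T|...") into _body. -->
  <collectFieldsByRegex src="$_rawmsg">
    <regex><![CDATA[<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>.*CEF:\d+\|<_body:gPatMesgBody>]]></regex>
  </collectFieldsByRegex>
  <!-- The syslog header carries no year; NOTE(review): confirm how toDateTime resolves it. -->
  <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
  <!-- Split the rest of the CEF header on "|". CEF header order after the
       version is: vendor | product | version | event class id | name | severity | extension,
       so for "Sharetech|INF-8600T|9.0.2.5|10|TRAFFIC|10|deviceExternalId=..."
       pos 4 is the event class id and pos 6 the severity. Both are 10 in the
       sample, which makes the two positions easy to confuse. -->
  <collectAndSetAttrByPos src="$_body" sep="|">
    <attrPosMap attr="_eventClassId" pos="4"/>
    <attrPosMap attr="_event" pos="5"/>
    <attrPosMap attr="_severity" pos="6"/>
    <attrPosMap attr="_body2" pos="7"/>
  </collectAndSetAttrByPos>
  <!-- Extension: space-separated key=value pairs. A value containing spaces
       would be truncated by sep=" "; the sample has none. Keys prefixed with
       "_" are kept as intermediates and not promoted to event attributes here. -->
  <collectFieldsByKeyValuePair kvsep="=" sep=" " src="$_body2">
    <attrKeyMap attr="_act" key="act"/>
    <attrKeyMap attr="_cn1" key="cn1"/>
    <attrKeyMap attr="_cn1Label" key="cn1Label"/>
    <attrKeyMap attr="_cs1" key="cs1"/>
    <attrKeyMap attr="_cs1Label" key="cs1Label"/>
    <attrKeyMap attr="_deviceExternalId" key="deviceExternalId"/>
    <attrKeyMap attr="destIpPort" key="dpt"/>
    <attrKeyMap attr="destIpAddr" key="dst"/>
    <attrKeyMap attr="_dvchost" key="dvchost"/>
    <attrKeyMap attr="_end" key="end"/>
    <attrKeyMap attr="recvBytes" key="in"/>
    <attrKeyMap attr="sentBytes" key="out"/>
    <attrKeyMap attr="_proto" key="proto"/>
    <attrKeyMap attr="srcIpPort" key="spt"/>
    <attrKeyMap attr="srcIpAddr" key="src"/>
    <attrKeyMap attr="_start" key="start"/>
  </collectFieldsByKeyValuePair>
  <!-- Only convert the protocol name when the extension actually carried one. -->
  <when test="exist _proto">
    <setEventAttribute attr="ipProto">convertStrToIntIpProto($_proto)</setEventAttribute>
  </when>
  <!-- Event type is derived from the CEF "name" field, e.g. Sharetech-TRAFFIC for the sample. -->
  <setEventAttribute attr="eventType">combineMsgId("Sharetech-", $_event)</setEventAttribute>
</parsingInstructions>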
This would be the very basics of a parser to match your log
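<!-- Recognize the event by the fixed vendor/product fields of the CEF header so
     only this device's messages are routed to this parser. -->
<eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Sharetech\|INF-8600T\|]]></eventFormatRecognizer>
<parsingInstructions>
  <!-- Syslog month/day/time, then everything after the CEF version field
       ("Sharetech|INF-8600T|...") into _body. -->
  <collectFieldsByRegex src="$_rawmsg">
    <regex><![CDATA[<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>.*CEF:\d+\|<_body:gPatMesgBody>]]></regex>
  </collectFieldsByRegex>
  <!-- The syslog header carries no year; NOTE(review): confirm how toDateTime resolves it. -->
  <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
  <!-- Split the rest of the CEF header on "|". CEF header order after the
       version is: vendor | product | version | event class id | name | severity | extension,
       so for "Sharetech|INF-8600T|9.0.2.5|10|TRAFFIC|10|deviceExternalId=..."
       pos 4 is the event class id and pos 6 the severity. Both are 10 in the
       sample, which makes the two positions easy to confuse. -->
  <collectAndSetAttrByPos src="$_body" sep="|">
    <attrPosMap attr="_eventClassId" pos="4"/>
    <attrPosMap attr="_event" pos="5"/>
    <attrPosMap attr="_severity" pos="6"/>
    <attrPosMap attr="_body2" pos="7"/>
  </collectAndSetAttrByPos>
  <!-- Extension: space-separated key=value pairs. A value containing spaces
       would be truncated by sep=" "; the sample has none. Keys prefixed with
       "_" are kept as intermediates and not promoted to event attributes here. -->
  <collectFieldsByKeyValuePair kvsep="=" sep=" " src="$_body2">
    <attrKeyMap attr="_act" key="act"/>
    <attrKeyMap attr="_cn1" key="cn1"/>
    <attrKeyMap attr="_cn1Label" key="cn1Label"/>
    <attrKeyMap attr="_cs1" key="cs1"/>
    <attrKeyMap attr="_cs1Label" key="cs1Label"/>
    <attrKeyMap attr="_deviceExternalId" key="deviceExternalId"/>
    <attrKeyMap attr="destIpPort" key="dpt"/>
    <attrKeyMap attr="destIpAddr" key="dst"/>
    <attrKeyMap attr="_dvchost" key="dvchost"/>
    <attrKeyMap attr="_end" key="end"/>
    <attrKeyMap attr="recvBytes" key="in"/>
    <attrKeyMap attr="sentBytes" key="out"/>
    <attrKeyMap attr="_proto" key="proto"/>
    <attrKeyMap attr="srcIpPort" key="spt"/>
    <attrKeyMap attr="srcIpAddr" key="src"/>
    <attrKeyMap attr="_start" key="start"/>
  </collectFieldsByKeyValuePair>
  <!-- Only convert the protocol name when the extension actually carried one. -->
  <when test="exist _proto">
    <setEventAttribute attr="ipProto">convertStrToIntIpProto($_proto)</setEventAttribute>
  </when>
  <!-- Event type is derived from the CEF "name" field, e.g. Sharetech-TRAFFIC for the sample. -->
  <setEventAttribute attr="eventType">combineMsgId("Sharetech-", $_event)</setEventAttribute>
</parsingInstructions>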
