Created on 10-14-2024 01:37 AM Edited on 10-14-2024 01:38 AM By Jean-Philippe_P
This article describes how to switch to a custom parser if SyslogNGParser is used for parsing logs or testing sample events.
FortiSIEM 7.x.
SyslogNGParser is the default system parser. It is always the first one and is designed not to be moved. It parses all the matching logs for Generic device types.
If the event format recognizer of a custom parser is not specific enough, the parser test will show SyslogNGParser as the UsedParser even though the custom parser was expected.
Hence further fine-tuning of <eventFormatRecognizer> is required to ensure that the raw event log is recognized by the custom parser. If the parser XML is written correctly, ExpectedParser and UsedParser will both show the same custom parser when the parser is tested.
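A pre-flight check for the fine-tuning step above, as an added example that is not part of the Fortinet article: a small Python script runs a candidate <eventFormatRecognizer> body against a constructed sample of the target event and of ordinary syslog lines, and flags a recognizer that also matches the ordinary lines (the situation in which SyslogNGParser ends up as the UsedParser). The sample events, the `myapp` program name and the `<eventParser>` wrapper in the XML draft are constructed assumptions; only the `<eventFormatRecognizer>` element name comes from the article, and the check assumes the recognizer body is evaluated as a regular expression.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events (not taken from the article). The first line is
# the one the custom parser should own; the other two are ordinary syslog
# lines that SyslogNGParser should keep.
TARGET_EVENT = (
    "<134>Oct 14 01:37:00 app01 myapp[2231]: "
    "user=alice action=login result=success"
)
OTHER_EVENTS = [
    "<134>Oct 14 01:37:01 fw01 sshd[881]: Accepted publickey for bob from 10.0.0.5 port 50022",
    "<134>Oct 14 01:37:02 host2 CRON[412]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Two candidate <eventFormatRecognizer> bodies for the draft parser XML.
# The loose one matches "anything[pid]:", which every line above contains.
LOOSE_RECOGNIZER = r"\w+\[\d+\]:"
# The specific one anchors on the program name and the key=value layout.
SPECIFIC_RECOGNIZER = r"myapp\[\d+\]:\s+user=\S+\s+action=\S+"

# Minimal parser XML draft, constructed for this check. Only the
# <eventFormatRecognizer> element name comes from the article; the
# <eventParser> wrapper is an assumption made here.
DRAFT_PARSER_XML = f"""<eventParser name="MyAppParser">
  <eventFormatRecognizer><![CDATA[{SPECIFIC_RECOGNIZER}]]></eventFormatRecognizer>
</eventParser>"""


def recognizer_from_xml(parser_xml):
    """Return the text of the first <eventFormatRecognizer> in a parser XML string."""
    root = ET.fromstring(parser_xml)
    node = root if root.tag == "eventFormatRecognizer" else root.find(".//eventFormatRecognizer")
    if node is None or not (node.text or "").strip():
        raise ValueError("parser XML has no <eventFormatRecognizer> body")
    return node.text.strip()


def recognizer_report(recognizer, target, others):
    """Return (target_matched, count_of_other_events_matched) for a recognizer regex."""
    pat = re.compile(recognizer)
    target_matched = pat.search(target) is not None
    false_hits = sum(1 for line in others if pat.search(line))
    return target_matched, false_hits


def is_specific(recognizer, target, others):
    """True when the recognizer matches the target event and none of the other events."""
    target_matched, false_hits = recognizer_report(recognizer, target, others)
    return target_matched and false_hits == 0


if __name__ == "__main__":
    for label, rec in (("loose", LOOSE_RECOGNIZER), ("specific", SPECIFIC_RECOGNIZER)):
        hit, false_hits = recognizer_report(rec, TARGET_EVENT, OTHER_EVENTS)
        verdict = "ok" if is_specific(rec, TARGET_EVENT, OTHER_EVENTS) else "too loose"
        print(f"{label:8s} target={hit} other_events_matched={false_hits} -> {verdict}")
    print("draft XML recognizer:", recognizer_from_xml(DRAFT_PARSER_XML))
```

Run the script against a handful of real raw events captured from the device, plus a few lines from other Generic sources the collector sees, before pasting the recognizer into the parser XML; a recognizer that passes `is_specific` here is the one to test in the GUI.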
Once the Parser test is a success, check Enable Parser and select Apply in Admin -> Device Support -> Parsers.
If incoming events are still parsed by SyslogNGParser, it can be bypassed for a particular device: go to GUI -> CMDB, select the device, edit it, and select the Parsers tab (screenshot below).