FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
premchanderr
Staff
Article Id 349144
Description


This article describes how to switch to a custom parser if SyslogNGParser is used for parsing logs or testing sample events. 


Scope


FortiSIEM 7.x.


Solution


SyslogNGParser is the default system parser. It is always the first one and is designed not to be moved. It parses all the matching logs for Generic device types.


If the custom parser's <eventFormatRecognizer> is not specific enough, the parser test will report SyslogNGParser as the UsedParser even though a custom parser was expected.

Hence, further fine-tuning of <eventFormatRecognizer> is required so that the raw event log is recognized by the custom parser. If the parser XML is written correctly, ExpectedParser and UsedParser will both show the same custom parser when the parser is tested.
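As an added illustration, not taken from the original article, the skeleton below shows how a specific <eventFormatRecognizer> distinguishes a custom parser from the generic fallback. The "ACMEGW" vendor tag, the sample log line, the parser name and the attribute choices are constructed; the element names (eventParser, deviceType, patternDefinitions, eventFormatRecognizer, parsingInstructions, collectAndSetAttrByRegex, setEventAttribute) and the built-in gPat* patterns follow the FortiSIEM parser XML structure and are assumed to be available on the 7.x release in scope.

```xml
<!-- Constructed example parser for a fictitious "ACMEGW" appliance.
     Constructed sample raw event it is meant to claim:
     <134>Jan 10 12:00:01 fw01 ACMEGW: action=deny src=10.1.1.5 dst=10.2.2.9 -->
<eventParser name="AcmeGatewayParser">
  <deviceType>
    <Vendor>Acme</Vendor>
    <Model>Gateway</Model>
    <Version>ANY</Version>
  </deviceType>

  <patternDefinitions>
    <!-- Allowed values of the action field in the constructed log format -->
    <pattern name="patAction"><![CDATA[deny|allow]]></pattern>
  </patternDefinitions>

  <!-- A recognizer such as <![CDATA[<_body:gPatMesgBody>]]> would match any
       syslog line, so the test would still report SyslogNGParser as UsedParser.
       Requiring the literal vendor tag plus the first key makes the match
       unambiguous, so ExpectedParser and UsedParser agree. -->
  <eventFormatRecognizer><![CDATA[ACMEGW:\s+action=(deny|allow)\s+src=]]></eventFormatRecognizer>

  <parsingInstructions>
    <!-- Pull the fields out of the raw message into event attributes -->
    <collectAndSetAttrByRegex src="$_rawmsg">
      <regex><![CDATA[ACMEGW:\s+action=<_action:patAction>\s+src=<srcIpAddr:gPatIpAddr>\s+dst=<destIpAddr:gPatIpAddr>]]></regex>
    </collectAndSetAttrByRegex>
    <!-- Derive one event type per action, e.g. Acme-Gateway-deny -->
    <setEventAttribute attr="eventType">combineMsgId("Acme-Gateway-", $_action)</setEventAttribute>
  </parsingInstructions>
</eventParser>
```

When this XML is pasted into the parser test with the constructed log line, the expected outcome is that both ExpectedParser and UsedParser read AcmeGatewayParser rather than SyslogNGParser.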


Once the parser test succeeds, check Enable Parser and select Apply in Admin -> Device Support -> Parsers.


If incoming events are still parsed by SyslogNGParser, SyslogNGParser can be bypassed for a particular device: go to GUI -> CMDB, select the device, edit it, and open the Parsers tab (screenshot below).


CMDB_Parser.png


  1. Choose the parser from Available Parsers.
  2. Select the Arrow '>'.
  3. The selected parser will appear in the Selected Parsers.
  4. Select Save.
  5. Go to Admin -> Device Support -> Parsers, select the Apply button and wait a minute.
  6. Restart the phParser process on the Collector/Supervisor:

    killall -9 phParser

  7. Verify that the custom parser now appears in the Event Parser Name field for recent events in Analytics.