This article describes an issue where certain parsers cannot be enabled in FortiSIEM because the parser test fails with errors.
When testing the events, the system may incorrectly invoke a different parser. This typically occurs due to overlaps in raw event log patterns that cause multiple parsers to match.
As a result, the test may fail, preventing the correct parser from being enabled.
Scope
FortiSIEM v7.x+.
Solution
Identify the Failing Parser Test:
Navigate to Admin -> Device Supprot -> Parsers -> Select the Parser -> Validate -> Test.
Observe which events fail.
In the 'Used Parser' column, check if the system is incorrectly selecting another parser instead of the expected parser.
Disable the Conflicting Parser:
Locate the conflicting parser that is being triggered incorrectly.
Temporarily disable this parser.
Re-run the Parser Test:
Re-test the intended parser.
Verify that the events now pass with the correct parser.
Confirm Event Parsing:
Ensure that the raw events are parsed correctly and attributes such as Event Severity, Event ID, and Event Category are mapped as expected in the Analytics tab.
(Optional) Re-enable the Disabled Parser
If necessary, re-enable the previously disabled parser after confirming the correct parser is functioning.
Monitor to ensure no conflicts occur in live parsing.
Important Note:
Troubleshooting and the creation of custom parsers are generally the customer's responsibility and may require assistance from Fortinet Professional Services.
However, since this issue is related to the operational behavior of FortiSIEM, this article is provided for guidance.
