Hi Karl and Team, Just as a heads up, we already have a nice field name
to map for this called "requestType (display name: Request Type)". In
the corrected system parser we will use this attribute if you would like
to update yours to match. Thanks,
When you see this error, it means that the test log given, we "expected"
it to use the parser we are testing, but in fact it did not match this
parser, or any other parser. This indicates that the
regex does not match the header of this log. I
can c...
Hi Karl, The attached example parser worked for the full sample log you
provided. The important part of this parser is this section: replaceStringByRegex($msg, ":\s*\"\[\\",
":") replaceStringByRegex($msg, "\\\"\]\",",
"\",") Remember that each of t...
Btw for this, event attributes must be defined in FortiSIEM first.
accountId is
defined, but it is case sensitive. accountid will result in an error. If
you defined a custom FortiSIEM event attribute in FortiSIEM
(programmatic name "morphisecAttackM...
Correct, the flow is validate -> test -> enable -> Save Then on the
parser screen, click the "apply" button to push the parser change out to
all collectors to take effect. New events coming in should now match the
parser you applied. When you are tes...
