When you see this error, it means that for the test log given, we "expected"
it to use the parser we are testing, but in fact it did not match this
parser, or any other parser. This indicates that the
regex does not match the header of this log. I
can c...
Hi Karl, The attached example parser worked for the full sample log you
provided. The important part of this parser is this section:
replaceStringByRegex($msg, ":\s*\"\[\\", ":")
replaceStringByRegex($msg, "\\\"\]\",", "\",")
Remember that each of t...
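The two substitutions in that parser section, reproduced as an added Python example on a constructed log line (this is not the parser Karl or the replier posted, and not FortiSIEM code). It assumes the two FortiSIEM patterns match the literal character sequences `:"[\` and `\"]",`, i.e. that the point is to strip the escaped JSON array wrapper around a single value so the field becomes a plain string that the rest of the parser can pick up:

```python
import json
import re

# Constructed sample event (not a real vendor log): one field carries a
# single value wrapped as an escaped JSON array inside a string.
SAMPLE_LOG = (
    r'{"eventTime":"2024-01-01T00:00:00Z",'
    r'"attack":"[\"Ransomware\"]","user":"alice"}'
)

# Assumed Python equivalents of the two parser calls:
#   replaceStringByRegex($msg, ":\s*\"\[\\", ":")  -> drop  :"[\  and put the colon back,
#                                                      so the quote after the backslash
#                                                      becomes the value's opening quote
#   replaceStringByRegex($msg, "\\\"\]\",", "\",")  -> turn  \"]",  into  ",
STRIP_ARRAY_OPEN = re.compile(r':\s*"\[\\')
STRIP_ARRAY_CLOSE = re.compile(r'\\"\]",')


def normalize(msg: str) -> str:
    """Apply the two substitutions in the same order as the parser section."""
    msg = STRIP_ARRAY_OPEN.sub(':', msg)
    msg = STRIP_ARRAY_CLOSE.sub('",', msg)
    return msg


def parse_event(msg: str) -> dict:
    """Normalize, then parse as JSON.

    json.loads raising ValueError is the quick check that the substitutions
    did not leave the message malformed.
    """
    return json.loads(normalize(msg))


if __name__ == "__main__":
    before = json.loads(SAMPLE_LOG)["attack"]   # the string '["Ransomware"]'
    after = parse_event(SAMPLE_LOG)["attack"]   # the string 'Ransomware'
    print(f"before: {before!r}\nafter:  {after!r}")
```

Note the caveat this makes visible: the two patterns only clean up a single-element wrapper. A value like `"[\"a\",\"b\"]"` still has an escaped quote and comma left inside after both substitutions, so a field that can carry several elements needs its own handling rather than these two lines.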
Btw for this, event attributes must be defined in FortiSIEM first.
accountId is
defined, but it is case sensitive. accountid will result in an error. If
you defined a custom FortiSIEM event attribute in FortiSIEM
(programmatic name "morphisecAttackM...
Correct, the flow is validate -> test -> enable -> Save. Then on the
parser screen, click the "apply" button to push the parser change out to
all collectors to take effect. New events coming in should now match the
parser you applied. When you are tes...