Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Priyank
New Contributor

FortiSIEM XML Parser

Hi All,

 

I'm using FortiSIEM 5.2.6 and having issues with the XML parser in parsing TrendMicro Deep Security logs.

 

I'm getting below error when I test the parser

 

Line No 6 Column No 38 Failed to execute node: collectFieldsByRegex. Please check the usage of API and attribute name.

 

I'm trying to fix the error but not sure where to make the changes. Below is the parser that I'm using:

 

<patternDefinitions>

<pattern name="patTMRole"><![CDATA[Control Manager|Deep Security Agent|Deep Security Manager]]></pattern>

</patternDefinitions>

<eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Trend Micro\|<:patTMRole>\|]]></eventFormatRecognizer>

<parsingInstructions>

<collectFieldsByRegex src="$_rawmsg">

<regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+(?:<_year:gPatYear>\s+)?<_time:gPatTime>\s+<:gPatHostName>\s+CEF:\d+\|Trend Micro\|<_role:patTMRole>\|<_body:gPatMesgBody>]]></regex>

</collectFieldsByRegex>

<collectAndSetAttrByPos sep="|" src="$_body">

<attrPosMap attr="_version" pos="1"/>

<attrPosMap attr="_sigId" pos="2"/>

<attrPosMap attr="_name" pos="3"/>

<attrPosMap attr="eventSeverity" pos="4"/>

<attrPosMap attr="_body" pos="5"/>

</collectAndSetAttrByPos>

<choose>

<when test="exist _year">

<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute>

</when>

<otherwise>

<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>

</otherwise>

</choose>

<setEventAttribute attr="_name">replaceStringByRegex($_name, "\s+\(CVE-[^)]*\)", "")</setEventAttribute>

<setEventAttribute attr="_name">replaceStringByRegex($_name, "\s", "_")</setEventAttribute>

<choose>

<when test="$_role = 'Deep Security Manager'">

<setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurity-", $_name, "-", $_sigId)</setEventAttribute>

</when>

<when test="$_role = 'Deep Security Agent'">

<setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurityAgent-", $_name, "-", $_sigId)</setEventAttribute>

</when>

<when test="$_role = 'Control Manager'">

<setEventAttribute attr="eventType">combineMsgId("Trend-ControlManager-", $_name, "-", $_sigId)</setEventAttribute>

</when>

<otherwise>

<setEventAttribute attr="_role">replaceStringByRegex($_role, "\s+", "")</setEventAttribute>

<setEventAttribute attr="eventType">combineMsgId("Trend-", $_role, "-", $_name, "-", $_sigId)</setEventAttribute>

</otherwise>

</choose>

<when test='$eventSeverity = "0"'>

<setEventAttribute attr="eventSeverity">1</setEventAttribute>

</when>

<collectAndSetAttrByKeyValuePair sep=" " src="$_body">

<attrKeyMap attr="appTransportProto" key="app="/>

<attrKeyMap attr="destIpAddr" key="dst="/>

<attrKeyMap attr="destName" key="dhost="/>

<attrKeyMap attr="destMACAddr" key="dmac="/>

<attrKeyMap attr="destDomain" key="dntdom="/>

<attrKeyMap attr="destIpPort" key="dpt="/>

<attrKeyMap attr="targetUser" key="duser="/>

<attrKeyMap attr="reptDevName" key="dvchost="/>

<attrKeyMap attr="fileName" key="fname="/>

<attrKeyMap attr="recvBytes" key="in="/>

<attrKeyMap attr="sentBytes" key="out="/>

<attrKeyMap attr="srcIpAddr" key="src="/>

<attrKeyMap attr="srcName" key="shost="/>

<attrKeyMap attr="srcMACAddr" key="smac="/>

<attrKeyMap attr="srcDomain" key="sntdom="/>

<attrKeyMap attr="srcIpPort" key="spt="/>

<attrKeyMap attr="srcUser" key="suser="/>

<attrKeyMap attr="user" key="suser="/>

<attrKeyMap attr="startTime" key="start="/>

<attrKeyMap attr="ipProto" key="proto="/>

<attrKeyMap attr="count" key="cnt1="/>

<attrKeyMap attr="tcpFlags" key="cs2="/>

<attrKeyMap attr="dataPayload" key="TrendMicroDsPacketData="/>

</collectAndSetAttrByKeyValuePair>

<switch>

<case>

<collectFieldsByRegex src="$_rawmsg">

<regex><![CDATA[ msg=<msg:gPatMesgBody>]]></regex>

</collectFieldsByRegex>

</case>

<default/>

</switch>

</parsingInstructions>

 

Log that I'm trying to Parse:

<46>2021-08-12T22:38:27+02:00 VMPPTTDS CEF:0|Trend Micro|Deep Security Manager|20.0.366|1533|A computer reboot is required to complete an Anti-Malware cleanup or restoration task|3|src=10.1.1.12 suser=System target=TestMachine msg=The Anti-Malware engine requires that the computer be rebooted to complete a cleanup or restoration task. TrendMicroDsTenant=Primary TrendMicroDsTenantId=0

 

Your suggestions and help would be appreciated.

 

Thank you

<patternDefinitions><pattern name="patTMRole"><![CDATA[Control Manager|Deep Security Agent|Deep Security Manager]]></pattern></patternDefinitions><eventFormatRecognizer><![CDATA[\s+CEF:\d+\|Trend Micro\|<:patTMRole>\|]]></eventFormatRecognizer><parsingInstructions><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+(?:<_year:gPatYear>\s+)?<_time:gPatTime>\s+<:gPatHostName>\s+CEF:\d+\|Trend Micro\|<_role:patTMRole>\|<_body:gPatMesgBody>]]></regex></collectFieldsByRegex><collectAndSetAttrByPos sep="|" src="$_body"><attrPosMap attr="_version" pos="1"/><attrPosMap attr="_sigId" pos="2"/><attrPosMap attr="_name" pos="3"/><attrPosMap attr="eventSeverity" pos="4"/><attrPosMap attr="_body" pos="5"/></collectAndSetAttrByPos><choose><when test="exist _year"><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute></when><otherwise><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute></otherwise></choose><setEventAttribute attr="_name">replaceStringByRegex($_name, "\s+\(CVE-[^)]*\)", "")</setEventAttribute><setEventAttribute attr="_name">replaceStringByRegex($_name, "\s", "_")</setEventAttribute><choose><when test="$_role = 'Deep Security Manager'"><setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurity-", $_name, "-", $_sigId)</setEventAttribute></when><when test="$_role = 'Deep Security Agent'"><setEventAttribute attr="eventType">combineMsgId("Trend-DeepSecurityAgent-", $_name, "-", $_sigId)</setEventAttribute></when><when test="$_role = 'Control Manager'"><setEventAttribute attr="eventType">combineMsgId("Trend-ControlManager-", $_name, "-", $_sigId)</setEventAttribute></when><otherwise><setEventAttribute attr="_role">replaceStringByRegex($_role, "\s+", "")</setEventAttribute><setEventAttribute attr="eventType">combineMsgId("Trend-", $_role, "-", $_name, "-", $_sigId)</setEventAttribute></otherwise></choose><when test='$eventSeverity = "0"'><setEventAttribute attr="eventSeverity">1</setEventAttribute></when><collectAndSetAttrByKeyValuePair sep=" " src="$_body"><attrKeyMap attr="appTransportProto" key="app="/><attrKeyMap attr="destIpAddr" key="dst="/><attrKeyMap attr="destName" key="dhost="/><attrKeyMap attr="destMACAddr" key="dmac="/><attrKeyMap attr="destDomain" key="dntdom="/><attrKeyMap attr="destIpPort" key="dpt="/><attrKeyMap attr="targetUser" key="duser="/><attrKeyMap attr="reptDevName" key="dvchost="/><attrKeyMap attr="fileName" key="fname="/><attrKeyMap attr="recvBytes" key="in="/><attrKeyMap attr="sentBytes" key="out="/><attrKeyMap attr="srcIpAddr" key="src="/><attrKeyMap attr="srcName" key="shost="/><attrKeyMap attr="srcMACAddr" key="smac="/><attrKeyMap attr="srcDomain" key="sntdom="/><attrKeyMap attr="srcIpPort" key="spt="/><attrKeyMap attr="srcUser" key="suser="/><attrKeyMap attr="user" key="suser="/><attrKeyMap attr="startTime" key="start="/><attrKeyMap attr="ipProto" key="proto="/><attrKeyMap attr="count" key="cnt1="/><attrKeyMap attr="tcpFlags" key="cs2="/><attrKeyMap attr="dataPayload" key="TrendMicroDsPacketData="/></collectAndSetAttrByKeyValuePair><switch><case><collectFieldsByRegex src="$_rawmsg"><regex><![CDATA[ msg=<msg:gPatMesgBody>]]></regex></collectFieldsByRegex></case><default/></switch></parsingInstructions>
0 REPLIES 0