adding new parser - so close - no cigar
I can't figure out where I am going wrong.
I have built the following pattern:
<ruleset name="FORTINET_FSSO" id='21000'>
  <pattern>fortinet</pattern>
  <rules>
    <rule provider="ADMIN" class='21000' id='21000'>
      <patterns>
        <pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=event subtype=user level=notice vd=@ESTRING:: @logdesc="FSSO logon authentication status" srcip=@IPv4:i0:@ user=@QSTRING:s0:"@ server=@QSTRING:s1:"@@ANYSTRING::@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="fortinet">date=2015-12-15 time=13:41:16 devname=FG300C391xxxxxxx devid=FG300C391xxxxxxxx logid=0102043014 type=event subtype=user level=notice vd="DMZ1" logdesc="FSSO logon authentication status" srcip=x.x.x.x user="USERNAME" server="SERVERNAME" action=FSSO-logon msg="FSSO-logon event from SERVERNAME: user USERNAME logged on x.x.x.x"</test_message>
          <test_values>
            <test_value name="i0">x.x.x.x</test_value>
            <test_value name="s0">USERNAME</test_value>
            <test_value name="s1">SERVERNAME</test_value>
          </test_values>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>
Which I have merged using pdbtool after successfully testing it.
I have added the following class and fields_classes_map entries to the db (fields were pre-existing):

+-------+---------------+-----------+
| id    | class         | parent_id |
+-------+---------------+-----------+
| 21000 | FORTINET_FSSO | 0         |
+-------+---------------+-----------+

+----------+----------+-------------+
| field_id | class_id | field_order |
+----------+----------+-------------+
| 15       | 21000    | 5           |
| 26       | 21000    | 6           |
| 45       | 21000    | 7           |
+----------+----------+-------------+

and restarted syslog-ng.
The logs are being classified properly - showing up as class=FORTINET_FSSO but the srcip is being parsed as 0.0.67.64, user as 0 and device as 0 (consistently)...
I've got to be missing/misunderstanding something simple?
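An added example, not from the original post or from ELSA's own code: a small Python checker that pulls the named parsers (`@IPv4:i0:@`, `@QSTRING:s0:"@`, ...) out of a patterndb rule, confirms they match the example's `test_value` names, and compares them with the `field_order` values mapped for the class. It assumes ELSA's convention that `i0..i5` occupy `field_order` 5..10 and `s0..s5` occupy 11..16; the sample rule and the `[5, 6, 7]` orders are constructed to mirror the post.

```python
import re
import xml.etree.ElementTree as ET

# Convention assumed here (not stated in the original post): patterndb parser
# names i0..i5 fill ELSA field_order 5..10 and s0..s5 fill 11..16.
def expected_order(name):
    kind, idx = name[0], int(name[1:])
    if kind == "i" and 0 <= idx <= 5:
        return 5 + idx
    if kind == "s" and 0 <= idx <= 5:
        return 11 + idx
    raise ValueError("unsupported parser name: " + name)

# One patterndb parser reference: @TYPE:name:param@ (name and param may be empty).
PARSER_RE = re.compile(r"@(\w+):([^:@]*):([^@]*)@")

def parser_names(pattern):
    """Named parser references in a pattern, in order; unnamed ones are skipped."""
    return [m.group(2) for m in PARSER_RE.finditer(pattern) if m.group(2)]

def check_rule(ruleset_xml, field_orders):
    """Compare a rule's named parsers with the field_order values mapped for its class.
    Returns (names, missing_orders, unexpected_orders, test_value_mismatch)."""
    root = ET.fromstring(ruleset_xml)
    names = []
    for pat in root.findall(".//rule/patterns/pattern"):
        names.extend(parser_names(pat.text or ""))
    expected = {expected_order(n) for n in names}
    mapped = set(field_orders)
    test_names = {tv.get("name") for tv in root.findall(".//test_value")}
    return names, sorted(expected - mapped), sorted(mapped - expected), set(names) != test_names

# Constructed sample: the structure of the rule above, shortened to its parsers.
SAMPLE = """<ruleset name="FORTINET_FSSO" id="21000"><pattern>fortinet</pattern><rules>
<rule provider="ADMIN" class="21000" id="21000"><patterns><pattern>date=@ESTRING:: @srcip=@IPv4:i0:@ user=@QSTRING:s0:"@ server=@QSTRING:s1:"@@ANYSTRING::@</pattern></patterns>
<examples><example><test_message program="fortinet">date=2015-12-15 srcip=192.0.2.10 user="USERNAME" server="SERVERNAME" action=FSSO-logon</test_message>
<test_values><test_value name="i0">192.0.2.10</test_value><test_value name="s0">USERNAME</test_value>
<test_value name="s1">SERVERNAME</test_value></test_values></example></examples></rule></rules></ruleset>"""

if __name__ == "__main__":
    names, missing, extra, mismatch = check_rule(SAMPLE, [5, 6, 7])
    print("parsers:", names, "missing orders:", missing, "unexpected orders:", extra,
          "test_value mismatch:", mismatch)
```

Run it against the real ruleset file and the orders from `SELECT field_order FROM fields_classes_map WHERE class_id=21000` to see which mapped rows line up with the parsers the rule actually names.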
Does this help at all?:
https://github.com/Security-Onion-Solutions/security-onion/wiki/CustomELSAParsers
Did you test the new parser pattern with the pdbtool test command? Did you ever get this working?