
Advanced Syslog Parser Mapping


Hello,

I have created a custom parser to log specific USB connections. 

Parser

.*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A.(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*)).notification for device\x3A.(?P<Description>(?:.*))\x28(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:\S*))\x26.*

 

Sample Log Data

<13>Nov 04 18:01:50 ewks1.test MSWinEventLog 0 System 283306 Thu Oct 31 08:23:22 2019 4230 Unknown N/A N/A Information eng1.ems.monarch None SNARE EVENT: Received a device interface ARRIVAL notification for device: Apricorn Secure Key 3z USB Device (Disk drive)::USBSTOR\DISK&VEN_APRICORN&PROD_SECURE_KEY_3Z&REV_0401\109910002497&0 0l

 

The ID field is the USB's Serial Number. I would like to map the S/N to the USB # on the field assignment. Is this possible?

 

The alternative would be to create a custom parser for each USB using the sample parser below.

.*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A.(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*)).notification for device\x3A.(?P<Description>(?:.*))\x28(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:109910002497)).*

 

Let me know what you guys think.

 

Thanks,

 

Martin


3 Replies

Re: Advanced Syslog Parser Mapping


@mperez2 wrote:

The ID field is the USB's Serial Number. I would like to map the S/N to the USB # on the field assignment. Is this possible?

Could you elaborate on this a little more? I'm not sure what "map the S/N to the USB # on the field assignment" quite does? Are you trying to reference a match in another part of the match or are you pulling from a list of defined IDs or something else? Thanks.

Re: Advanced Syslog Parser Mapping


The purpose of this parser was to create an alarm that would trigger when an unauthorized USB was connected to our Windows systems.

I decided to use a different approach than what I had planned.

I used the following parser and created a Watchlist with all the Serial Numbers (S/N).

 

.*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A.(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*)).notification for device\x3A.(?P<Description>(?:.*))\x28(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:\S*))\x26.*

 

I tested the alarm and it was successful.

 

Thanks,

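To see the accepted approach end to end, here is an added example (not code from the thread or from McAfee): the parser above is compiled unchanged under Python's re, since its (?P<name>...) groups are the same syntax, and a constructed set of approved serials stands in for the ESM Watchlist. It assumes the Watchlist holds the serials of company-issued drives and that the alarm should fire on an ARRIVAL whose ID is not on it; the second log line is constructed to show that case.

```python
import re

# The parser from the thread, verbatim. Its (?P<name>...) groups are the syntax
# Python's re uses, so the pattern compiles unchanged here.
PARSER = re.compile(
    r".*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A."
    r"(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*))"
    r".notification for device\x3A.(?P<Description>(?:.*))\x28"
    r"(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:\S*))\x26.*"
)

# Assumption: the Watchlist holds the serials of company-issued drives, and an
# ARRIVAL whose ID is not on it is the "unauthorized USB" the alarm is for.
APPROVED_SERIALS = {"109910002497"}


def parse_event(line):
    """Apply the thread's parser; return the named fields (trimmed) or None."""
    m = PARSER.match(line)
    if m is None:
        return None
    return {name: value.strip() for name, value in m.groupdict().items()}


def evaluate(line, approved=APPROVED_SERIALS):
    """Return (verdict, fields): 'no_match', 'ignored' (not an ARRIVAL),
    'authorized' (serial on the list) or 'ALARM' (unknown serial connected)."""
    fields = parse_event(line)
    if fields is None:
        return "no_match", None
    if fields["Action"] != "ARRIVAL":
        return "ignored", fields
    return ("authorized" if fields["ID"] in approved else "ALARM"), fields


def snare_line(description, hw_path, action="ARRIVAL"):
    """Build a Snare-forwarded line shaped like the thread's sample (constructed)."""
    return ("<13>Nov 04 18:01:50 ewks1.test MSWinEventLog 0 System 283306 "
            "Thu Oct 31 08:23:22 2019 4230 Unknown N/A N/A Information "
            "eng1.ems.monarch None SNARE EVENT: Received a device interface "
            f"{action} notification for device: {description} (Disk drive)::{hw_path}&0 0l")


# The thread's own sample, plus a constructed line for a drive that is not listed.
SAMPLE = snare_line("Apricorn Secure Key 3z USB Device",
                    r"USBSTOR\DISK&VEN_APRICORN&PROD_SECURE_KEY_3Z&REV_0401\109910002497")
UNKNOWN = snare_line("Generic Flash Disk USB Device",
                     r"USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\FFFF00000001")

if __name__ == "__main__":
    print(evaluate(SAMPLE)[0], evaluate(UNKNOWN)[0])  # authorized ALARM
```

Note that the ID group is anchored only by the last backslash and the following "&", so a device path with a different layout would shift what lands in ID; check parse_event against a sample from each device class before trusting the Watchlist match.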

andy777 (McAfee Employee)

Re: Advanced Syslog Parser Mapping


Excellent, and exactly the correct approach. Thanks for the update.
