Advanced Syslog Parser Mapping

Hello,

I have created a custom parser to log specific USB connections. 

Parser

.*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A.(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*)).notification for device\x3A.(?P<Description>(?:.*))\x28(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:\S*))\x26.*

 

Sample Log Data

<13>Nov 04 18:01:50 ewks1.test MSWinEventLog 0 System 283306 Thu Oct 31 08:23:22 2019 4230 Unknown N/A N/A Information eng1.ems.monarch None SNARE EVENT: Received a device interface ARRIVAL notification for device: Apricorn Secure Key 3z USB Device (Disk drive)::USBSTOR\DISK&VEN_APRICORN&PROD_SECURE_KEY_3Z&REV_0401\109910002497&0 0l

 

The ID field is the USB's Serial Number. I would like to map the S/N to the USB # on the field assignment. Is this possible?

 

The alternative would be to create a custom parser for each USB using the sample parser below.

.*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A.(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*)).notification for device\x3A.(?P<Description>(?:.*))\x28(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:109910002497)).*

 

Let me know what you guys think.

 

Thanks,

 

Martin

3 Replies

Re: Advanced Syslog Parser Mapping

@mperez2 wrote:

The ID field is the USB's Serial Number. I would like to map the S/N to the USB # on the field assignment. Is this possible?

Could you elaborate on this a little more? I'm not sure what "map the S/N to the USB # on the field assignment" quite does. Are you trying to reference a match in another part of the match, or are you pulling from a list of defined IDs, or something else? Thanks.

Re: Advanced Syslog Parser Mapping

The purpose of this parser was to create an alarm that would trigger when an unauthorized USB was connected to our Windows systems.

I decided to use a different approach than what I had planned.

I used the following parser and created a Watchlist with all the Serial Numbers (S/N).

 

.*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A.(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*)).notification for device\x3A.(?P<Description>(?:.*))\x28(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:\S*))\x26.*

 

I tested the alarm and it was successful.

 

Thanks,
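The parser regex from the thread can be exercised offline before it goes into ESM, because McAfee ESM's Advanced Syslog Parser uses PCRE-style named groups that Python's re module also understands. The example below is an added illustration, not code from the thread or from McAfee: it runs the original pattern over the sample event plus two constructed lines, pulls out the ID (serial number) field, and replicates the alarm condition with a stand-in watchlist. Treating the watchlist as the set of approved serials (so the alarm fires on an ARRIVAL whose serial is not listed) is an assumption; the post does not say which way round the watchlist is used.

```python
import re

# Parser regex copied verbatim from the thread. ESM's Advanced Syslog Parser
# uses PCRE-style named groups, and Python's re module accepts the same
# syntax, so the pattern can be tested here before it is loaded into ESM.
USB_PATTERN = re.compile(
    r".*(?P<Domain>(?:test)).*(?P<Application>(?:SNARE EVENT))\x3A."
    r"(?P<Message>(?:Received a device interface)).(?P<Action>(?:\S*))"
    r".notification for device\x3A.(?P<Description>(?:.*))\x28"
    r"(?P<Type>(?:Disk drive)).*\x5C(?P<ID>(?:\S*))\x26.*"
)

# Constructed sample input: the first line is the event from the thread, the
# second is a made-up ARRIVAL of a different (unlisted) device, and the third
# is an unrelated Snare line that the parser should ignore.
SAMPLE_LOGS = [
    "<13>Nov 04 18:01:50 ewks1.test MSWinEventLog 0 System 283306 Thu Oct 31 "
    "08:23:22 2019 4230 Unknown N/A N/A Information eng1.ems.monarch None "
    "SNARE EVENT: Received a device interface ARRIVAL notification for device: "
    "Apricorn Secure Key 3z USB Device (Disk drive)::USBSTOR\\DISK&VEN_APRICORN"
    "&PROD_SECURE_KEY_3Z&REV_0401\\109910002497&0 0l",
    "<13>Nov 04 18:05:12 ewks1.test MSWinEventLog 0 System 283310 Thu Oct 31 "
    "08:27:01 2019 4230 Unknown N/A N/A Information eng1.ems.monarch None "
    "SNARE EVENT: Received a device interface ARRIVAL notification for device: "
    "Generic Flash Disk USB Device (Disk drive)::USBSTOR\\DISK&VEN_GENERIC"
    "&PROD_FLASH_DISK&REV_8.07\\0000000000C0&0 0l",
    "<13>Nov 04 18:09:03 ewks1.test MSWinEventLog 0 Security 283320 Thu Oct 31 "
    "08:31:40 2019 4624 Unknown N/A N/A Information eng1.ems.monarch None "
    "SNARE EVENT: An account was successfully logged on.",
]

# Constructed stand-in for the ESM watchlist: serial numbers of devices that
# have been issued and approved. Assumption: the thread does not say whether
# the author's watchlist holds approved or forbidden serials.
AUTHORIZED_SERIALS = {"109910002497"}


def parse_usb_event(line):
    """Return the parser's named fields for one syslog line, or None when the
    line does not match (for example, it is not a device notification)."""
    match = USB_PATTERN.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    # Description captures everything up to the "(" before the device type, so
    # it keeps a trailing space; normalise it for clean display and comparison.
    fields["Description"] = fields["Description"].strip()
    return fields


def evaluate(line, watchlist=AUTHORIZED_SERIALS):
    """Parse one line and add an Authorized flag from the watchlist lookup."""
    fields = parse_usb_event(line)
    if fields is None:
        return None
    fields["Authorized"] = fields["ID"] in watchlist
    return fields


def unauthorized_arrivals(lines, watchlist=AUTHORIZED_SERIALS):
    """Replicate the alarm condition: an ARRIVAL of a disk drive whose serial
    is not on the approved watchlist. Returns (serial, description) tuples."""
    hits = []
    for line in lines:
        fields = evaluate(line, watchlist)
        if fields is None or fields["Action"] != "ARRIVAL":
            continue
        if not fields["Authorized"]:
            hits.append((fields["ID"], fields["Description"]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(line))
    print("alarm:", unauthorized_arrivals(SAMPLE_LOGS))
```

Two details of the pattern are worth knowing when maintaining it: the greedy `.*\x5C` before the ID group anchors on the last backslash in the line, which is what places the capture on the serial rather than on the `USBSTOR\DISK` prefix, and the `\S*` followed by `\x26` stops the serial at the first `&`, which is why `109910002497&0` yields `109910002497`. If a vendor's device path contains an extra backslash after the serial, the ID field will shift and the watchlist lookup will silently miss.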

McAfee Employee andy777
Re: Advanced Syslog Parser Mapping

Excellent, and exactly the correct approach. Thanks for the update.
