cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
luciangb
Level 9
Report Inappropriate Content
Message 1 of 6
‎07-09-2021 12:30 AM

Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

Hello,

On a SIEM 11.3.2 installation, with the atest hotfix applied, for various Advanced Syslog Parser data sources - McAfee Web Gateway, McAfee NSM - certain fields - such as URL, Filename, User_Agent, Category - are either empty (not populated) or contain only the first two characters from the string which should have populated them as resulted from the parsing of the raw packet content which was received from the data source.
When checking the operation of the respective parsing rules in the Policy Editor, by entering the content of one random raw packet as sample, I may see that the parsing rules are working correctly and the assigned database fields should get populated accordingly.

I have tried applying the solutions mentioned in KB89475, KB82114, KB94565 but the behaviour has not changed.

Does anyone have any ideea what else could be tried here ?

Thank you,

Lucian

0 Kudos
Reply
1 Solution

Accepted Solutions
lratcliffe
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6
‎07-13-2021 05:43 AM

Re: Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

Please raise a case with Support.  These are Random String fields which means the data is stored in the StaticStrings blob of the event and/or alert table.  Either the event table on your receiver or the alert table on your ESM has become corrupted.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

0 Kudos
Reply
5 Replies
lratcliffe
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6
‎07-13-2021 05:43 AM

Re: Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

Please raise a case with Support.  These are Random String fields which means the data is stored in the StaticStrings blob of the event and/or alert table.  Either the event table on your receiver or the alert table on your ESM has become corrupted.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
0 Kudos
Reply
luciangb
Level 9
Report Inappropriate Content
Message 3 of 6
‎07-13-2021 09:28 AM

Re: Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

Thank you, your reply has put me on the right track !

Best regards,

Lucian

0 Kudos
Reply
zeromahesh
Level 8
Report Inappropriate Content
Message 4 of 6
‎08-05-2021 10:59 AM

Re: Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

Hi All,

 

I have recorded a comprehensive demo of creating a custom parser in step by step manner. Please check below.

https://www.youtube.com/watch?v=ue545ML9U34&t=1450s

Reply
luciangb
Level 9
Report Inappropriate Content
Message 5 of 6
‎08-09-2021 01:13 AM

Re: Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

Hi Zeromahesh,

Thank you for sharing this video, very instructive !

As far as the original issue in this post is concerned - the root cause was a deep corruption of the tables which needed an unconditional full rebuild - data and indexes - to be performed.

Best regards !

0 Kudos
Reply
zeromahesh
Level 8
Report Inappropriate Content
Message 6 of 6
‎08-09-2021 02:37 AM

Re: Certain custom fields are empty or truncated although parsing rules are working

Jump to solution

HI luciangb

Thank you for your valuable feedback.

 

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC