srobison62
Level 8

Custom Parser help

We created a parser for an ESM that is sending correlated events to a syslog forwarder, and then our master ESM is getting those forwarded events. Currently we are able to parse out the pertinent data, but when you look at the dashboard, instead of seeing the event ID like you would normally see, you just see SYSLOG-NG. The event ID is visible in the log, but I can't edit Rule_Message in the Field Assignment. Has anyone worked with anything like this before?

0 Kudos
10 Replies
McAfee Employee

Re: Custom Parser help

Could you post a screenshot please?

0 Kudos
srobison62
Level 8

Re: Custom Parser help

0 Kudos
McAfee Employee

Re: Custom Parser help

In your parser rule, map the event name to "Signature Description".

0 Kudos
srobison62
Level 8

Re: Custom Parser help

I don't have an option for event name.

0 Kudos
McAfee Employee

Re: Custom Parser help

Could you post an example of what it is that you're trying to parse please?

0 Kudos
srobison62
Level 8

Re: Custom Parser help

You can see in this screenshot that we have parsed out the Signature ID. What I would like to do is have that field listed as the event's Rule Name instead of Syslog_NG_ESM.

0 Kudos
McAfee Employee

Re: Custom Parser help

Personally I would rather have the text in "Message_Text". In your parsing rule, map the text to "Signature Description" instead of "Client_Signature".

You can make the mapping that includes both like this:

1:2+" "+1:4

That will list the text from fields 1:2 and 1:4 with a space between them.
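As an added illustration (not code from this thread or from McAfee ESM), here is a small Python evaluator for a field-mapping expression like the one above, run against a constructed forwarded event. The parsing regex, its capture-group layout, the sample line, and the reading of R:G as "capture group G of parsing regex R" are all my assumptions.

```python
import re

# Constructed sample of a correlated event after the child ESM has forwarded it
# through syslog-ng; an invented line, not captured ESM output.
FORWARDED_EVENT = ('Oct 12 10:15:02 esm-child ESM: sigid=47-6000021 '
                   'src=192.0.2.10 rule="Multiple Failed Logins"')

# Assumed parsing-rule regex (mine, not from the thread). Capture groups:
# 1 = forwarding ESM host, 2 = signature ID, 3 = source IP, 4 = rule name.
RULE_REGEX = re.compile(
    r'^\w{3} +\d+ [\d:]+ (\S+) ESM: sigid=(\S+) src=(\S+) rule="([^"]*)"')

# One token of a mapping expression: a field reference R:G or a quoted literal.
_TOKEN = re.compile(r'\s*(?:(\d+):(\d+)|"([^"]*)")\s*')

def evaluate_mapping(expr, captures):
    """Evaluate e.g. 1:2+" "+1:4. Assumed semantics: R:G is capture group G of
    parsing regex R (1-based), "..." is a literal, '+' concatenates.
    `captures` maps regex number -> tuple of that regex's groups."""
    out, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad mapping expression at offset {pos}: {expr!r}")
        if m.group(3) is not None:          # quoted literal
            out.append(m.group(3))
        else:                               # field reference
            r, g = int(m.group(1)), int(m.group(2))
            groups = captures.get(r)
            if groups is None or not 1 <= g <= len(groups):
                raise ValueError(f"field {r}:{g} is not captured by any rule")
            out.append(groups[g - 1] or "")
        pos = m.end()
        if pos < len(expr):
            if expr[pos] != "+":
                raise ValueError(f"expected '+' at offset {pos}: {expr!r}")
            pos += 1
    return "".join(out)

def assign_fields(line):
    """Apply the rule regex and build the field assignments the reply suggests."""
    m = RULE_REGEX.search(line)
    if m is None:
        return None
    captures = {1: m.groups()}
    return {
        "Signature_ID": evaluate_mapping("1:2", captures),
        "Signature_Description": evaluate_mapping('1:2+" "+1:4', captures),
        "Message_Text": evaluate_mapping("1:4", captures),
    }
```

With the sample line, Signature_Description becomes "47-6000021 Multiple Failed Logins", which is the combined text the reply describes.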

srobison62
Level 8

Re: Custom Parser help

Either one would be great; I'm just not sure what to map it to in order to make it show up.

0 Kudos
McAfee Employee

Re: Custom Parser help

This one:

sig-desc.PNG

0 Kudos