raychia
Level 8
Message 1 of 14

Custom parser's Device type

Hi all,

I have created some custom parsers for devices that are not supported by McAfee ESM at the moment.

I would like to set the device type for the custom parsers so that when displaying the "Device Type" view, I can see which device type generates the most events.

Currently it only shows User Defined 1, which does not classify which is which.

Hope someone that did this before can help.

Thank you

Regards,

Ray

1 Solution

Accepted Solutions
acommons
Level 10
Message 9 of 14

Re: Custom parser's Device type

The only way I've found to do this is to steal an existing device. So....

(1) Create your new device and assign it a vendor and device type which matches your desired device type but which you will not be using (you hope)

(2) Disable all the predefined parser rules

(3) Assign your home-grown parser rules to the hijacked device.

13 Replies
sssyyy
Level 12
Message 2 of 14

Re: Custom parser's Device type

You have to tag the ASP rules when making them.

raychia
Level 8
Message 3 of 14

Re: Custom parser's Device type

Did you mean the tags in the custom parser?

I have assigned the custom tag in the parser's Tag field.

If possible, can you give some screenshots for the tag you mean?

Re: Custom parser's Device type

Hi Ray

I think I can help you out with custom parser if you can explain a little bit more about your problem. As there are sub-parts

1. General

2. Parsing

3. Field Assignment

4. Mapping

and none of them has any field which says device type.

If you are talking about adding the data source, then in the data source vendor select generic, and data source vendor will automatically be selected as ASP.

In case you need help, you can PM me.

Regards

Ravi

raychia
Level 8
Message 5 of 14

Re: Custom parser's Device type

Hi Ravi,

I have already done the custom parser. I was asking about how to change the device type, as when I set it to generic syslog parser, it will show User Defined 1 as the device type in the views.

Regards,

Ray

Re: Custom parser's Device type

Hey Ray

I looked in depth into the box but could not find any such option; only in the case of a custom parser can you give tags, but none while adding a data source.

Ravi

raychia
Level 8
Message 7 of 14

Re: Custom parser's Device type

Hi Ravi,

I tried looking in depth at the ASP rule and I noticed that the ADSID defined the device type of the parser.

I still can't find a way to add a new ADSID, so I am still stuck with the User Defined 1 ADSID in the parser.

Tags do not define the device type; Rule Assignment, however, is able to define the device type as well, aside from the ADSID in the ASP rule.

Thank you

Ray

raychia
Level 8
Message 8 of 14

Re: Custom parser's Device type

Has anyone tried to add a custom Device Type ID?

I can't find any in the variable page to add in a custom Device Type ID.

Still trying to find the database that stores the Device Type ID to add in new custom devices.

Re: Custom parser's Device type

Looks like this is the only way to do the device type name if the data source is not supported.

Thanks for the help