Help adding an ASP rule to an existing data source


Please excuse me, this is my first post and I'm an ESM n00b. I'll do my best to supply all the information that's required. In a nutshell (for some rules), there is more information in the syslog packet than ESM is parsing for the Symantec Endpoint Protection data source. I feel I could do a better job parsing this syslog than what I'm currently seeing. I've embarked down the path of creating my first ASP rule. I've tested it under its own datasource, but when I try to add the rule to an existing datasource, I don't get events.

Perhaps it's a policy thing? I'm not confident on policy settings. I appreciate any help!

EXAMPLE LOG:

log.PNG

The current rule (Virus found) does not parse - Actual Action: Cleaned by deletion

MY RULE:

General.PNG

parsing.PNG

FieldAssi.PNG

DEFAULT POLICY >>

DefaultPolicy.PNG

DEFAULT POLICY >> SEP POLICY >>

DefaultSEP.PNG

DEFAULT POLICY >> SEP POLICY >> DEVICE

DevicePOlicy.PNG

Q1) Do I need to go to "operations>>rollout" while on DEFAULT POLICY, and on DEFAULT POLICY >> SEP POLICY, and on DEFAULT POLICY >> SEP POLICY >> DEVICE?


I ended up doing this step "operations>>rollout" 3 separate times.


Q2) IF I only want the rule to fire for logs coming from a single device, should the rule be enabled/disabled as follows:

       disabled - DEFAULT POLICY,

       disabled - DEFAULT POLICY >> SEP POLICY,

       enabled - DEFAULT POLICY >> SEP POLICY >> DEVICE.



I created the following file and uploaded it to the device (SWMN00XB08074 SEP) datasource. I went to "GET EVENTS" and then refreshed the default Summary view, and the events didn't appear.

logs.PNG


I then created a dummy datasource called (DummyTestParser). I placed the device into DEFAULT POLICY >> SEP POLICY.

dummy.PNG

I then uploaded this to the (DummyTestParser) datasource. I went to "GET EVENTS" and then refreshed, and the test events appeared.

Parsed.png

Q3) Why can I not get the rule to fire for device (SWMN00XB08074 SEP) datasource?

Accepted Solutions

Re: Help adding an ASP rule to an existing data source


Hi nitron00b,

Remove the "String Match" value "virus.found" and untick "Use RegEx for parsing only".

I'm not sure whether the "String Match" will support regex like in your example for "virus.found" so just try without it.

Everything else seems perfect.

Anyway, let's see what the rest of the guys will say, as I've never used String Match.

P.S.: from what I see you are up to speed already.

2 Replies


jal

Re: Help adding an ASP rule to an existing data source


@alexander_h

I concur, String Match is a fixed string, not a regexp.

PS: Don't forget to share your rule in
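The point both replies make (a fixed-string prefilter is not a regex, so a value like "virus.found" will not match the literal text "Virus found") is easy to reproduce outside ESM. The following is an added example, not code or log data from the thread or from the product: it models a rule as a literal substring prefilter followed by a regex that extracts the fields the original SEP parser drops (Actual action, Requested action). The sample lines are constructed here in the comma-separated style SEP uses for its syslog risk events and are only an approximation of a real record; the function names and the assumption that the prefilter is case-sensitive are mine.

```python
import re

# Constructed sample lines approximating SEP's comma-separated syslog risk
# events. These are not captured data; field order follows the usual SEP layout.
SAMPLE_LINES = [
    "Virus found,IP Address: 10.0.0.5,Computer name: SWMN00XB08074,"
    "Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,"
    "C:\\tmp\\eicar.com,Actual action: Cleaned by deletion,"
    "Requested action: Cleaned,Secondary action: Quarantined,User: jdoe",
    "Scan Complete: Risks: 0 Scanned: 1200 Files/Folders/Drives Omitted: 0",
]


def fixed_string_match(line, needle):
    """Model of ESM's 'String Match' prefilter as described in the thread:
    a literal substring test. Case sensitivity is an assumption of this model."""
    return needle in line


# Regex stage: anchored on the event name, then lazily skips to each
# labelled field and captures everything up to the next comma.
RISK_RE = re.compile(
    r"^(?P<event>Virus found),"
    r".*?Computer name: (?P<host>[^,]+),"
    r".*?Risk name: (?P<risk>[^,]+),"
    r".*?Actual action: (?P<actual_action>[^,]+),"
    r".*?Requested action: (?P<requested_action>[^,]+)"
)


def parse_risk_event(line):
    """Return the named fields of a 'Virus found' record, or None if the
    line is not one (e.g. a scan-complete summary line)."""
    m = RISK_RE.search(line)
    return m.groupdict() if m else None


def process(lines, prefilter=None):
    """Run the two stages of a rule over a batch of lines: the optional
    fixed-string prefilter first, then the regex. Returns parsed events."""
    results = []
    for line in lines:
        # A prefilter that does not literally occur in the line stops the
        # rule before the regex ever runs, which is the symptom in the thread.
        if prefilter is not None and not fixed_string_match(line, prefilter):
            continue
        parsed = parse_risk_event(line)
        if parsed:
            results.append(parsed)
    return results


if __name__ == "__main__":
    # Regex-style value used as a literal prefilter: nothing gets through.
    print(process(SAMPLE_LINES, "virus.found"))
    # Literal value that actually occurs in the line: the event is parsed.
    print(process(SAMPLE_LINES, "Virus found"))
    # No prefilter at all: the regex alone selects the right line.
    print(process(SAMPLE_LINES))
```

Running it shows the first call returning an empty list while the other two return the parsed record with `actual_action` set to "Cleaned by deletion", which is exactly the field the stock rule was not extracting. If a prefilter is kept for performance, it must be a substring that appears verbatim in the raw line.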