Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 8
Report Inappropriate Content
Message 1 of 2

How to relate ASP rule with Data source

Hello Everyone

I have the following situation, I have integrated SIEM with a Ironmail and i received the event "SMTPO Service".


I like to change the parsing for this event in order to identify a field, but i can't find the ASP Rule tha generate this particular Data source

This is the Data Source


But i don't know which Advanced Syslog Parser rule generates the Data Source


In other cases it is easy because the parse rule have the same name that the data source, but in this case i don't have a clue how to relate one another.

Thanks for the help.

1 Reply
Level 9
Report Inappropriate Content
Message 2 of 2

Re: How to relate ASP rule with Data source

Hi Layer0Ironmail_legacy_parser_.PNG

Under the Advanced Syslog Parser - filter for the Iron Mail Legcy Parser.

You can copy the packet data and run it through one of the parsers availible to see if it is being parsed out. Or copy one of them and modify it to your requirement to have the data parsed out.

Hope this helps.



You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community