btkarp
Level 9
Message 1 of 4

Multiple Line Log Parsing


I was wondering if anyone had any experience in building a custom parser for a data source that has multiple lines within the raw log?

The data source in question is Oracle ZFS Storage Controllers, and so far my information gathering has led me to two options. Option 1 is to attempt to use the agent collector, which I do not believe is compatible, or Option 2 is to change the data format from the default to something else so that I can define how many lines the log is. Does anyone have experience doing this? Which format is easiest to change to from the default?

Any insight would be most helpful.

Regards.

1 Solution

Accepted Solutions
btkarp
Level 9
Message 4 of 4

Re: Multiple Line Log Parsing


I have actually solved my issue.

When the logs were coming into the SIEM, I was looking at the packet via the "Packet" tab; however, when I switched over to the ELM Archive view of the log, it was one line.

I used the raw log in the ELM Archive view to create my parser and everything is parsing correctly!

Cheers!

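As an added illustration (not from the thread, and not McAfee ESM code): a constructed syslog datagram whose message body carries embedded line breaks, a parser pattern written against its single-line form, and why a line-at-a-time parser never gets past the first line. The log layout, host name and field names are invented, and the idea that the archived record is simply the datagram with its embedded newlines collapsed is an assumption about why the ELM Archive view showed one line.

```python
import re
from typing import Optional

# Constructed sample only: a syslog datagram whose payload contains embedded
# CR/LF, the way a packet view would render it as several lines. This is NOT
# a real Oracle ZFS Storage Controller log format.
RAW_DATAGRAM = (
    "<134>Jan 12 10:15:02 zfs-ctrl-1 akd[1234]: alert\r\n"
    "  uuid=constructed-0001\r\n"
    "  severity=Major\r\n"
    "  description=Pool 'tank' is degraded\r\n"
)

# Pattern written against the single-line (archived) form of the record.
# Field names are illustrative, not ESM parser field names.
RECORD_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<kind>\w+) "
    r"uuid=(?P<uuid>\S+) severity=(?P<sev>\w+) description=(?P<desc>.*)$"
)


def normalize(datagram: str) -> str:
    """Collapse the datagram into one record: join all lines, squeeze whitespace.

    Assumed to approximate what the archive view shows as a single line.
    """
    return " ".join(datagram.split())


def parse_first_line_only(datagram: str) -> Optional[dict]:
    """Line-oriented parsing: the regex only ever sees the first line, so the
    fields on continuation lines are unreachable and the match fails."""
    first = datagram.splitlines()[0]
    m = RECORD_RE.match(first)
    return m.groupdict() if m else None


def parse_normalized(datagram: str) -> Optional[dict]:
    """Parse the whole record after collapsing it to one line."""
    m = RECORD_RE.match(normalize(datagram))
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("first line only:", parse_first_line_only(RAW_DATAGRAM))
    print("normalized     :", parse_normalized(RAW_DATAGRAM))
```

Run it to see the first-line parser return nothing while the same pattern parses every field once the record is a single line; that is the difference between the two views described above.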

3 Replies
xded
Level 12
Message 2 of 4

Re: Multiple Line Log Parsing


Hi btkarp,

If you have the option to set the default log format to syslog, then do this. I'm almost sure that it is harder to write a parser for a multi-line log than it is to write one for a single-line log. Have you already tried to set one of the standard parsers?

btkarp
Level 9
Message 3 of 4

Re: Multiple Line Log Parsing


Xded,

Thank you for your reply. Unfortunately, the logs are already coming in as Syslog. I have attempted to use both the Unix-Linux parser and Generic ASP data sources, and the logs still come in the same multi-line format. It appears that my only option is to change the format type so I can define how many lines each log is.

I have already attempted to build my own custom parser, and the Event Receiver cannot read past the first line. I currently have a ticket open with McAfee to help with a workaround; they are just moving at a snail's pace, so I figured I would ask the community and see if anyone else had experience with a similar scenario.

