Parser creation

Hi, in my environment we have a large variety of data sources, many of which are customized and require the creation of a parser as they are not supported out of the box. While creating the parser I am stuck at matching a random sentence; if anyone has also faced this kind of issue, please share any resolution for the same.

Secondly, what kind of parser technology is used in the SIEM: is it Java based, Perl based, or something else?

1 Solution

Accepted Solutions

Re: Parser creation

Greetings!

If you're able to modify the outbound message from your data source you might look at putting a delimiter around the random sentence; this could be quotation marks or any other character that does not show up within the data that you're trying to match. After that is completed, simply modify your regex to match your delimiter, followed by NOT your delimiter, followed by your delimiter. For example, if you do decide to use quotation marks your regex would look like this: "([^"]+)" or, if you want the hex equivalent, \x22([^\x22]+)\x22

Short of that, I think I would need more information about what your messages look like in order to assist further. So far as I can tell ASP uses a Perl engine, but that's a better question for the McAfee ESM developers!

Hope that's helpful.

Best Regards,

Rorik
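Worked example, added here and not part of the thread: the delimiter rule from the accepted answer applied to a few constructed log lines. It uses Python's re module rather than the ESM parser engine (the negated character class and the \x22 hex escape behave the same in PCRE), and the hypothetical "custapp" messages are made up for the demonstration. It also shows why the "NOT your delimiter" class matters by comparing it with a greedy "(.+)" on a line that carries two quoted fields.

```python
import re

# Constructed sample messages from a hypothetical custom appliance that
# wraps its free-text field in quotation marks, as the reply recommends.
SAMPLE_LOGS = [
    'Jan 10 12:00:01 appl01 custapp: user=alice action=login msg="session started from vpn pool"',
    'Jan 10 12:00:07 appl01 custapp: user=bob action=deny msg="too many failed attempts, lockout" src=10.0.0.5',
    'Jan 10 12:00:09 appl01 custapp: user=carol action=note msg="" src=10.0.0.6',
]

# The two spellings of the rule from the reply: delimiter, one or more
# non-delimiter characters (captured), delimiter. \x22 is hex for the " character.
QUOTED_FIELD = re.compile(r'"([^"]+)"')
QUOTED_FIELD_HEX = re.compile(r'\x22([^\x22]+)\x22')

# Deliberately weak alternative: greedy .+ runs to the LAST quote on the line,
# so it swallows any later quoted field. Kept only to show the difference.
GREEDY_FIELD = re.compile(r'"(.+)"')


def extract_message(line, pattern=QUOTED_FIELD):
    """Return the delimited free-text field, or None when absent.

    Note the edge case: [^"]+ needs at least one character, so an empty
    field ("") yields None rather than an empty string. Use [^"]* if an
    empty field should still match.
    """
    m = pattern.search(line)
    return m.group(1) if m else None


def extract_all(lines, pattern=QUOTED_FIELD):
    """Extract the delimited field from every line (None where it is missing)."""
    return [extract_message(line, pattern) for line in lines]


if __name__ == "__main__":
    for line, msg in zip(SAMPLE_LOGS, extract_all(SAMPLE_LOGS)):
        print(repr(msg), "<-", line)
    two_fields = 'msg="first" reason="second"'
    print("negated class:", extract_message(two_fields))
    print("greedy .+    :", extract_message(two_fields, GREEDY_FIELD))
```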

5 Replies

Re: Parser creation

You need to use PCRE, that is, Perl-based regexes, for the parsing.

By the way, could you tell where you are testing your regular expressions before you deploy them as parsers?

Re: Parser creation

Hi itzamlan, I am testing the parser on www.RegExr.com.

Re: Parser creation

Hi Rorik, I have tried your suggestion and it seems to work in the expected manner. Let me match it with my other logs also.

Thanks a ton

Ravi

Re: Parser creation

Not a problem Ravi!

I enjoy www.RegExr.com but have also found www.Regex101.com to be very helpful as well.

Best Regards,

Rorik
