ASP Rule not triggering

The datasource is a FortiAnalyzer which is bringing us an Application Control event; below I detail the event packet that we use as an example:

<190>date=2018-10-01 time=15:19:23 devname=FW-TRAFSEG-01 devid=FG-5KD3915800565 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="REF1007585" appid=15895 user="I_CORTE" srcip=xxx.xxx.xxx.xxx srcport=40970 srcintf="vl2191in" dstip=xx.xxx.xxx.xxxdstport=443 dstintf="vl2190out" proto=6 service="HTTPS" policyid=84 sessionid=2642409682 applist="Block_app_redes_sociales" appcat="Network.Service" app="SSL" action=pass msg="Network.Service: SSL," apprisk=elevated

Based on this packet I generated a parsing rule with the following regular expression:

date=(\S*).+time=(\S*).+logid=(\S*).+subtype=(app-ctrl).+vd=(\S*).+user=\"(\S*|\S*.\S*)\".+srcip=(\S*).+srcport=(\S*).+dstip=(\S*).+dstport=(\S*).+service=(\S*).+sessionid=(\S*).+appcat=\"(\S*)\".+app=\"(\S*)\".+action=(\S*).+(hostname=\"(\S*)\".+url=\"(\S*)\".+)?apprisk=(\S*)

I tried the same with the sample log data, which matches the packet:

(screenshot: InkedRegla de Parseo_LI.jpg)

I assign it to the desired datasource, and it is under Signature ID 5000037:

(screenshot: Signature ID.PNG)

I roll out the policy to the associated datasource and run the task so that it brings me the new events, but the events that should parse under the new ASP rule do not; they parse under a datasource rule named APPLICATION-CONTROL:

(screenshot: Sin título2.png)

I filter the events of the last 30 minutes (after pulling the datasource events) by Sig ID 5000037, but it does not bring back any events:

(screenshot: InkedEvent Sumary_LI.jpg)

I understand that these are the steps to generate a new ASP rule, but it is not working :/

What am I doing wrong?

Thanks for your time!
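An added example, not code from the original post or from McAfee: it checks the posted ASP regular expression offline in Python against a constructed event in the same FortiAnalyzer key=value format (the IPs are RFC 5737 documentation addresses, the other values are taken from the packet above), and separately parses the event into fields and reports which of the keys the rule requires are absent. The regex is the poster's with the stray spaces removed; the helper names, the sample event and the required-key list are assumptions of this example.

```python
import re

# The posted ASP regex with the whitespace that got inserted into the post
# removed (assumed to be what was entered in ESM; capture groups kept as posted).
ASP_REGEX = re.compile(
    r'date=(\S*).+time=(\S*).+logid=(\S*).+subtype=(app-ctrl).+vd=(\S*).+'
    r'user=\"(\S*|\S*.\S*)\".+srcip=(\S*).+srcport=(\S*).+dstip=(\S*).+'
    r'dstport=(\S*).+service=(\S*).+sessionid=(\S*).+appcat=\"(\S*)\".+'
    r'app=\"(\S*)\".+action=(\S*).+(hostname=\"(\S*)\".+url=\"(\S*)\".+)?'
    r'apprisk=(\S*)'
)

# Names for the 19 capture groups, in the order they appear in ASP_REGEX.
# Group 16 is the optional (hostname=...url=...) wrapper and is not reported.
GROUP_NAMES = ('date', 'time', 'logid', 'subtype', 'vd', 'user', 'srcip',
               'srcport', 'dstip', 'dstport', 'service', 'sessionid', 'appcat',
               'app', 'action', '_hostname_url', 'hostname', 'url', 'apprisk')

# Keys the rule must find literally in the event; hostname/url are optional.
REQUIRED_KEYS = ('date', 'time', 'logid', 'subtype', 'vd', 'user', 'srcip',
                 'srcport', 'dstip', 'dstport', 'service', 'sessionid',
                 'appcat', 'app', 'action', 'apprisk')

# Constructed sample in the format of the posted packet (not the poster's log).
SAMPLE_EVENT = (
    '<190>date=2018-10-01 time=15:19:23 devname=FW-TRAFSEG-01 '
    'devid=FG-5KD3915800565 logid=1059028704 type=utm subtype=app-ctrl '
    'eventtype=app-ctrl-all level=information vd="REF1007585" appid=15895 '
    'user="I_CORTE" srcip=192.0.2.10 srcport=40970 srcintf="vl2191in" '
    'dstip=198.51.100.20 dstport=443 dstintf="vl2190out" proto=6 '
    'service="HTTPS" policyid=84 sessionid=2642409682 '
    'applist="Block_app_redes_sociales" appcat="Network.Service" app="SSL" '
    'action=pass msg="Network.Service: SSL," apprisk=elevated'
)

# One key=value token: the value is either a double-quoted string (which may
# contain spaces, e.g. msg="Network.Service: SSL,") or a run of non-whitespace.
KV_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_fortinet_kv(line):
    """Parse a FortiGate/FortiAnalyzer key=value event into a dict.

    Strips the syslog <PRI> prefix and the quotes around quoted values.
    """
    body = re.sub(r'^<\d{1,3}>\s*', '', line)
    fields = {}
    for key, value in KV_TOKEN.findall(body):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def apply_asp_regex(line):
    """Run the posted regex over an event and return {name: captured text},
    or None when the event does not match the rule at all."""
    m = ASP_REGEX.search(line)
    if m is None:
        return None
    # Note the posted rule mixes styles: service=(\S*) keeps the quotes around
    # "HTTPS", while appcat=\"(\S*)\" strips them around Network.Service.
    return {name: m.group(i + 1) for i, name in enumerate(GROUP_NAMES)
            if not name.startswith('_')}


def missing_required_keys(fields):
    """Return the keys the rule needs that are absent from a parsed event,
    plus 'subtype=app-ctrl' when subtype is present but not the literal the
    rule expects. A cheap linear check to run before the regex itself."""
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if 'subtype' in fields and fields['subtype'] != 'app-ctrl':
        missing.append('subtype=app-ctrl')
    return missing


if __name__ == '__main__':
    fields = parse_fortinet_kv(SAMPLE_EVENT)
    print('parsed keys:', len(fields), 'missing for rule:', missing_required_keys(fields))
    print('ASP captures:', apply_asp_regex(SAMPLE_EVENT))
    # Constructed variant with no apprisk key: the key check reports it at once.
    # Do not feed such an event to ASP_REGEX itself: its chain of greedy '.+'
    # and '\S*' groups backtracks through every combination before failing.
    variant = SAMPLE_EVENT.replace(' apprisk=elevated', '')
    print('variant missing:', missing_required_keys(parse_fortinet_kv(variant)))
```

The script answers only one question: can this regex match this event text, and if not, which literal key is missing. It says nothing about how ESM orders the custom rule against the built-in APPLICATION-CONTROL datasource rule the events are landing under. Two things worth knowing about the regex as posted: `service=(\S*)` captures `"HTTPS"` with its quotes while the `\"(\S*)\"` groups capture without them, and the unanchored chain of `.+` and `\S*` is fine on events it matches but backtracks very slowly on events that lack one of its keys, so the key check above is the cheaper way to test the non-matching case.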
