2 Replies Latest reply on Jun 4, 2014 2:46 PM by rcavey

    Custom Parser Settings

    pfabrizi

      I created a custom parser for "IP Packet Access denied" to include source interface and destination interface. I am unable to get these added to the Advanced details tab. Can someone tell me if it is possible to do this and, if so, which attributes represent these values?

       

       

      Thanks!

        • 1. Re: Custom Parser Settings
          artek

          Could you show us some images from parser\policy configuration to explain your problem?

          Regards,

          Artek

          • 2. Re: Custom Parser Settings
            rcavey

            Ask support for a document titled "How to write a McAfee ESM Custom Parser and troubleshoot a data source.pdf" and see if that helps.

             

            Another option:

            I don't know if either "interface" is a defined Type or not (not near an ESM), but if it is not, you'll need to create a "Custom Type": ESM Properties --> Custom Types. Then in your parser rules you should be able to regex match and map those values to the proper field. Although I'm not sure if that will/can be included in Advanced details, it will definitely show up in the Custom Types tab in the event details, which you can then trigger/correlate based on those matches.

             

            Cheers.