2 Replies Latest reply on Aug 27, 2014 1:28 PM by jal

    Help adding an ASP rule to an existing data source

    nitron00b

Please excuse me, this is my first post and I'm an ESM n00b. I'll do my best to supply all the information that's required. In a nutshell (for some rules), there is more information in the syslog packet than ESM is parsing for the Symantec Endpoint Protection data source. I feel I could do a better job parsing this syslog than what I'm currently seeing. I've embarked down the path of creating my first ASP rule. I've tested it under its own datasource, but when I try to add the rule to an existing datasource, I don't get events.

       

      Perhaps it's a policy thing? I'm not confident on policy settings. I appreciate any help!


      EXAMPLE LOG:

      log.PNG

          The Current rule (Virus found) does not parse - Actual Action: Cleaned by deletion

       

      MY RULE:

      General.PNG

      parsing.PNG

      FieldAssi.PNG

       

      DEFAULT POLICY >>

      DefaultPolicy.PNG

      DEFAULT POLICY >> SEP POLICY >>

      DefaultSEP.PNG

      DEFAULT POLICY >> SEP POLICY >> DEVICE

      DevicePOlicy.PNG

      Q1) Do I need to go to "operations>>rollout" while on DEFAULT POLICY, and on DEFAULT POLICY >> SEP POLICY, and on DEFAULT POLICY >> SEP POLICY >> DEVICE?


      I ended up doing this step "operations>>rollout" 3 separate times.


Q2) If I only want the rule to fire for logs coming from a single device, should the rule be enabled/disabled as follows:

             disabled - DEFAULT POLICY,

             disabled - DEFAULT POLICY >> SEP POLICY,

             enabled - DEFAULT POLICY >> SEP POLICY >> DEVICE.



I created the following file, and uploaded it to the device (SWMN00XB08074 SEP) datasource. I went to "GET EVENTS" and then refreshed the default Summary view, and the events didn't appear.

      logs.PNG


      I then created a Dummy datasource called (DummyTestParser). I placed the device into DEFAULT POLICY >> SEP POLICY

      dummy.PNG

       

I then uploaded this to the (DummyTestParser) datasource. I went to "GET EVENTS" and then refreshed, and the test events appeared.

       

      Parsed.png

       

      Q3) Why can I not get the rule to fire for device (SWMN00XB08074 SEP) datasource?
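As an added example (not from the original post, McAfee ESM or Symantec), here is an offline Python check of the kind of "Key: Value" extraction an ASP rule's regex has to perform on a SEP risk event, so the pattern can be verified against a sample line before it is rolled out in a policy. The SEP log line below is constructed and its field names and order are assumptions, since the poster's actual line exists only in the screenshots.

```python
import re

# Constructed SEP-style "Security risk found" syslog line (assumption: the real
# layout is only visible in the original post's screenshots). Hostname and
# values are placeholders.
SAMPLE_LINE = (
    "Aug 27 13:20:01 sepm-host SymantecServer: Security risk found,"
    "IP Address: 10.0.0.25,Computer name: WKS-001,Source: Auto-Protect scan,"
    "Risk name: Trojan.Gen,Occurrences: 1,"
    "File path: C:\\Users\\user\\Downloads\\setup.exe,Description: ,"
    "Actual Action: Cleaned by deletion,Requested action: Cleaned,"
    "Secondary action: Quarantined,Event time: 2014-08-27 13:20:01"
)

# The single capture group an ASP-style rule would need for the field the
# poster says the stock rule misses. Case-insensitive because SEP key casing
# is not guaranteed; the value runs up to the next comma.
ACTUAL_ACTION_RE = re.compile(r"Actual Action:\s*(?P<action>[^,]+)", re.IGNORECASE)


def actual_action(line: str):
    """Return the 'Actual Action' value, or None when the pattern does not match."""
    m = ACTUAL_ACTION_RE.search(line)
    return m.group("action").strip() if m else None


def parse_sep_fields(line: str) -> dict:
    """Split the comma-separated 'Key: Value' body of a SEP risk event into a dict.

    The event type (text before the first comma of the message body) is stored
    under 'event'. Splitting on the FIRST colon per chunk keeps values such as
    'C:\\...' and timestamps intact; a comma inside a value (e.g. Description)
    would still break a chunk, which is exactly what a pre-rollout test catches.
    """
    body = line.split("SymantecServer: ", 1)[-1]
    event, _, rest = body.partition(",")
    fields = {"event": event.strip()}
    for chunk in rest.split(","):
        key, sep, value = chunk.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    print(actual_action(SAMPLE_LINE))
    for k, v in parse_sep_fields(SAMPLE_LINE).items():
        print(f"{k} = {v!r}")
```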