3 Replies Latest reply on Aug 30, 2015 1:01 PM by itzamlan

    parsing syslog events using ESM

    danali

      I'm a newbie to ESM.

      I started using it in order to collect my internal (custom) syslogs.

      I succeeded in configuring this data source using this guide, and I can see the logs collected:

      SIEM Foundations: Configuring a SYSLOG Data Source.


      But my problem is, I'm not sure if it is possible to parse my logs (to get the different custom fields, as I can do using Splunk).


      Thanks, Dana

        • 1. Re: parsing syslog events using ESM
          danali

          Just to make it clear - My goal was to have the syslog events parsed in ESM/ELM so I could query them using the web UI and the REST API.

          • 2. Re: parsing syslog events using ESM
            bblanchard

            Hi Dana,


            Open your ESM console, select the data source you'd like to have that parsing rule applied to and click on the policy icon (top left). From the policy editor menu, click on New and create a new Advanced Syslog Parsing rule. Enter your regex, assign the captures to the fields that you want and save it. Then "Enable" your rule and it should now apply to that data source.

            • 3. Re: parsing syslog events using ESM
              itzamlan

              Hi, I am new to the ESM appliance. I just had one demo session on how to put in the regexes for parsing the logs. Here my doubt is: is there only one console available for putting in the regexes for all the logs?


              Here in my case I have around 5 different databases, so the logs are quite different in each case. Is it that I can put in only one regex which would work for all available logs? Or can I put in regexes for each kind of event? Kindly clarify.
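The mechanism bblanchard describes in reply 2 (a regex whose captures are assigned to event fields) and the question in reply 3 (one regex for everything, or one per log format) come down to the same thing: a list of parsing rules, each a regex with named groups and a group-to-field mapping, tried in order until one matches. The script below is an added, stand-alone illustration of that idea written for this thread; it is not McAfee ESM code and does not use ESM's real rule format or field names (Source_User, Source_IP and the other target names are hypothetical). The three syslog lines are constructed for the example, and the database message formats are assumed. Unmatched lines are kept with the raw message rather than dropped, so a rule gap shows up as a count instead of silently missing data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (not from the thread). Two database formats
# plus one line that no rule covers, to show how an unmatched event is handled.
SAMPLE_LINES = [
    "<134>Aug 30 12:59:01 dbhost01 pgsql[2211]: user=alice db=billing action=LOGIN result=SUCCESS src=10.1.2.3",
    "<134>Aug 30 12:59:07 dbhost02 mysqld[4410]: Access denied for user 'bob'@'10.1.2.9' (using password: YES)",
    "<13>Aug 30 12:59:09 apphost01 custom[77]: this line matches no rule",
]

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host program[pid]: message
# Parsed once so every rule only has to deal with the message body.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# One rule per log format. "program" restricts which sources a rule is tried
# against, "pattern" carries named groups, and "fields" maps each group to the
# (hypothetical) event field it should populate.
RULES = [
    {
        "name": "pgsql-auth",
        "program": "pgsql",
        "pattern": re.compile(
            r"user=(?P<user>\S+) db=(?P<db>\S+) action=(?P<action>\S+) "
            r"result=(?P<result>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
        ),
        "fields": {"user": "Source_User", "db": "Object", "action": "Command",
                   "result": "Event_Subtype", "src": "Source_IP"},
    },
    {
        "name": "mysql-access-denied",
        "program": "mysqld",
        "pattern": re.compile(
            r"Access denied for user '(?P<user>[^']+)'@'(?P<src>[^']+)' "
            r"\(using password: (?P<pw>YES|NO)\)"
        ),
        "fields": {"user": "Source_User", "src": "Source_IP",
                   "pw": "Password_Supplied"},
    },
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line. Returns None if the header itself is unparseable,
    otherwise an event dict; "rule" is None when no parsing rule matched."""
    head = HEADER.match(line)
    if not head:
        return None
    pri = int(head.group("pri"))
    event: Dict[str, object] = {
        "rule": None,
        "timestamp": head.group("timestamp"),
        "host": head.group("host"),
        "program": head.group("program"),
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
    }
    message = head.group("message")
    for rule in RULES:
        if rule["program"] != event["program"]:
            continue
        m = rule["pattern"].search(message)
        if not m:
            continue
        event["rule"] = rule["name"]
        for group, field in rule["fields"].items():
            event[field] = m.group(group)
        return event
    # No rule matched: keep the raw message so the event is not lost.
    event["raw_message"] = message
    return event


def parse_lines(lines: List[str]) -> Dict[str, object]:
    """Parse a batch and report how many lines each rule caught, so that
    coverage gaps (unmatched lines) are visible."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    matched = [e for e in events if e["rule"] is not None]
    return {
        "events": events,
        "matched": len(matched),
        "unmatched": len(events) - len(matched),
        "per_rule": {r["name"]: sum(1 for e in matched if e["rule"] == r["name"])
                     for r in RULES},
    }


if __name__ == "__main__":
    for e in parse_lines(SAMPLE_LINES)["events"]:
        print(e)
```

Each database gets its own rule, so the answer to the question in reply 3 in this model is one regex per log format, not one regex for everything; the header regex is shared and the per-program filter keeps a rule from being tried against lines it was never written for. The unmatched count is what to watch after adding a new log source: if it climbs, a format changed or a rule is missing.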