1 Reply Latest reply on Sep 21, 2015 10:10 AM by jrybicki

    Duplicate DS Rules ?


      Hi all,


      As you know, if we are working with an unsupported data source, then we have to create a custom ASP for it, such as for custom application logs or logs from a brand-new device, etc. This is OK; however, I see repeated/duplicate data source rules belonging to the same DS when I look at Policy Editor -> Receiver -> Data Source. Please see the picture below.


      As you can guess, each rule has a different signature ID, and this means that processes such as searching, correlation rules, alerts, etc. are not working properly. This problem occurs with almost all custom ASP rules. Does anyone have any suggestions?



        • 1. Re: Duplicate DS Rules ?



          I am assuming that these were created from a few ASP parsers?


          The nice thing about the ASP parser is that a single regex expression can create multiple Data Source Rules. We can even create the event name dynamically if we so choose. All you need to do is assign a descriptive field to the Signature Description Parameter in the parser. You can combine a few descriptive parameters to get a nice result like User Failed Login (where User Failed is from Parameter 1 and Login is from Parameter 2). This way, with one ASP parser, you can create User Failed Login, User Successful Login, User Failed Logout, and User Successful Logout, so long as these 4 messages all meet the same regex statement. My guess is that your regex is fitting several different log types but you have your ASP Rule name fixed instead of dynamic. When the ASP parser fires, it sees new field values and creates a new Data Source Rule but keeps the same name. Try editing your rules and create a dynamic rule description. This will get you better results.


          As far as the normalization part goes, are you changing your normalization for the parser you create? If you have not, you can change them so that they match what other events from other devices are being normalized to. If you forget to change the normalization, you will see these events come in as uncategorized. If you normalize your custom parsers (to something like Authentication for the example above), and build in dynamic regex expressions, you will likely have a much better time finding and using your custom parsers.


          I hope this helps. Let me know if you have any questions.
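
Added example, not part of the thread and not ESM code: a small Python model of the behaviour the reply describes, where one regex fits four message types and a fixed rule name hides several distinct rules while a name built from two captured parameters separates them. The log format, the regex, the group names `p1`/`p2` and the fixed name "Custom App Event" are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread); all fit one regex.
SAMPLE_LOGS = [
    "2015-09-21T10:01:00 app01 auth: user=alice result=Failed action=Login",
    "2015-09-21T10:01:05 app01 auth: user=alice result=Successful action=Login",
    "2015-09-21T10:09:00 app01 auth: user=bob result=Failed action=Logout",
    "2015-09-21T10:09:30 app01 auth: user=bob result=Successful action=Logout",
    "2015-09-21T10:10:00 app01 auth: user=carol result=Failed action=Login",
]

# Hypothetical parser regex: group "p1" plays Parameter 1, "p2" Parameter 2.
PATTERN = re.compile(r"user=(?P<user>\S+) result=(?P<p1>\w+) action=(?P<p2>\w+)")


def build_rules(lines, dynamic_name, fixed_name="Custom App Event"):
    """Model rule creation: one rule per distinct (p1, p2) value pair.

    Returns {rule name: set of modelled rule keys}. With a fixed name every
    distinct pair still becomes its own rule, so one name hides several rules.
    """
    rules = defaultdict(set)
    for line in lines:
        m = PATTERN.search(line)
        if m is None:
            continue  # line does not fit the parser; no rule is created
        key = (m["p1"], m["p2"])  # stands in for a distinct signature ID
        name = f"User {m['p1']} {m['p2']}" if dynamic_name else fixed_name
        rules[name].add(key)
    return dict(rules)


def duplicate_names(rules):
    """Names covering more than one distinct rule (the symptom in the question)."""
    return sorted(name for name, keys in rules.items() if len(keys) > 1)


if __name__ == "__main__":
    for mode in (False, True):
        rules = build_rules(SAMPLE_LOGS, dynamic_name=mode)
        label = "dynamic" if mode else "fixed"
        print(label, "->", {n: len(k) for n, k in rules.items()})
        print("  names hiding several rules:", duplicate_names(rules))
```

The same check is useful before deploying a custom parser: run the regex over a sample of real logs and confirm that every distinct combination of captured values gets its own descriptive name.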