16 Replies, latest reply on Dec 21, 2016 5:02 PM by andy777

    ds rules




      Can someone please explain to me what the data source rules are?

      And why do I have so many DS rules on one data source?



        • 1. Re: ds rules

          Data source rules are rules specific to a data source type.  There are three primary types that will typically generate a lot of data source rules; these are "auto learned" by the SIEM.


          For Windows event logs, they will get parsed and added as data source rules, e.g. if you have a custom service creating events in the security event log and you are gathering the security event log.


          Then vulnerability data sources (Rapid7, Nessus, etc.) will generate data source rules from the scan results data.


          Then lastly you will have data source rules auto-generated by data sources that are syslog sources where you specified the data source definition option "Support Generic Syslogs-Process as generic syslog".  This typically bombs out the data source rules if you leave this option on, as it will instantiate a DS rule per line of syslog.  Only use "parse as generic syslog" TEMPORARILY.  Then write a regex ASP parser rule, ensure that new ASP rule is enabled in the policy you have associated with the "parse as generic syslog" data source, then set that data source to "Support Generic Syslogs-Do nothing" and roll out policy.

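To make the difference between "process as generic syslog" and a field-extracting parser concrete, here is an added illustration in Python. It is not code from the thread and not the SIEM's own ASP rule syntax; the syslog lines, the hypothetical service name `acmeauth` and the regexes are constructed for this example. Generic processing is modelled as "one rule key per distinct message text", which is why the rule count grows with the variety of lines, while a parser that extracts fields collapses every matching line onto a single rule and leaves the non-matching lines visible for follow-up.

```python
import re

# Constructed sample syslog lines from a hypothetical custom service "acmeauth"
# (invented for this example; the last line is a different daemon on the same host).
SAMPLE_SYSLOG = [
    "<86>Dec 20 10:01:12 app01 acmeauth[2231]: user=alice src=10.0.0.5 result=success",
    "<86>Dec 20 10:01:13 app01 acmeauth[2231]: user=bob src=10.0.0.9 result=failure reason=bad_password",
    "<86>Dec 20 10:01:15 app02 acmeauth[2231]: user=dave src=10.0.0.5 result=success",
    "<86>Dec 20 10:02:40 app01 acmeauth[2231]: user=carol src=192.168.4.2 result=failure reason=locked",
    "<86>Dec 20 10:03:01 app01 sshd[410]: Accepted publickey for root from 10.0.0.7 port 51234 ssh2",
]

# RFC 3164-style header: <PRI>timestamp host app[pid]: message
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The custom "parser rule" for this service: named groups become normalized fields.
ACMEAUTH_MSG = re.compile(
    r"^user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"result=(?P<result>success|failure)(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Return a dict of extracted fields if the line matches the acmeauth parser, else None."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr or hdr.group("app") != "acmeauth":
        return None
    body = ACMEAUTH_MSG.match(hdr.group("msg"))
    if not body:
        return None
    fields = {**hdr.groupdict(), **body.groupdict()}
    pri = int(fields.pop("pri"))
    fields["facility"] = pri >> 3   # e.g. 86 -> 10 (authpriv)
    fields["severity"] = pri & 7    # e.g. 86 -> 6 (informational)
    return fields


def generic_syslog_rule_keys(lines):
    """Model of 'process as generic syslog': every distinct message text becomes
    its own auto-learned rule key, so the set grows with the variety of input."""
    keys = set()
    for line in lines:
        hdr = SYSLOG_HEADER.match(line)
        keys.add(hdr.group("msg") if hdr else line)
    return keys


def parsed_rule_summary(lines):
    """With a field-extracting parser, all matching lines land on one rule.
    Returns (matched_count, unmatched_lines); the unmatched list is what still
    needs a parser of its own rather than being auto-learned line by line."""
    unmatched = [line for line in lines if parse_line(line) is None]
    return len(lines) - len(unmatched), unmatched


if __name__ == "__main__":
    print("generic mode would learn", len(generic_syslog_rule_keys(SAMPLE_SYSLOG)), "rule keys")
    matched, unmatched = parsed_rule_summary(SAMPLE_SYSLOG)
    print("parser mode: 1 rule covering", matched, "lines;", len(unmatched), "left unparsed")
```

On the five constructed lines, generic mode yields five rule keys (one per distinct message), whereas the parser covers four lines with one rule and reports the `sshd` line as the only thing still unparsed.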
          • 2. Re: ds rules



            Can I disable auto learned?

            If Support Generic Syslogs is configured as "Log Unknown...", will auto learned still work?

            • 3. Re: ds rules

              No way that I know of.

              Log unknown will lump all into a generic "rule message".

              • 4. Re: ds rules

                So if I have a syslog data source and I want to avoid auto learned, I need to configure Support Generic Syslogs as "do nothing"?

                • 5. Re: ds rules


                  • 6. Re: ds rules


                    I think it is not working..... take a look.

                    What do you think?

                    This is after I changed to "do nothing" and deleted all the auto learned rules (as you can see, it pops up again).


                    • 7. Re: ds rules

                      Did you create a custom ASP parser rule?  Did you write the DS config to the receiver and re-roll out policy?

                      • 8. Re: ds rules

                        These data source rules are created as part of ASP, auto-learnt. What are you trying to achieve?

                        • 9. Re: ds rules

                          Yes, the ASP rules are working fine,

                          but I don't understand why I have these DS auto learned rules.

                          What do you mean by "write the DS config to the receiver"?


