mcholste / elsa

Enterprise Log Search and Archive
GNU General Public License v2.0
207 stars, 51 forks

adding new parser - so close - no cigar #30

Open andycapp opened 8 years ago

andycapp commented 8 years ago

I cant figure out where I am going wrong.

I have built the following pattern:

```xml
<!-- opening ruleset tag reconstructed from the closing tag below; the post did not show an id attribute -->
<ruleset name="fortinet">
    <pattern>fortinet</pattern>
    <rules>
        <rule provider="ADMIN" class='21000' id='21000'>
            <patterns>
                <pattern>date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @logid=@ESTRING:: @type=event subtype=user level=notice vd=@ESTRING:: @logdesc="FSSO logon authentication status" srcip=@IPv4:i0:@ user=@QSTRING:s0:"@ server=@QSTRING:s1:"@@ANYSTRING::@</pattern>
            </patterns>
            <examples>
                <example>
                    <test_message program="fortinet">date=2015-12-15 time=13:41:16 devname=FG300C391xxxxxxx devid=FG300C391xxxxxxxx logid=0102043014 type=event subtype=user level=notice vd="DMZ1" logdesc="FSSO logon authentication status" srcip=x.x.x.x user="USERNAME" server="SERVERNAME" action=FSSO-logon msg="FSSO-logon event from SERVERNAME: user USERNAME logged on x.x.x.x"</test_message>
                    <test_values>
                        <test_value name="i0">x.x.x.x</test_value>
                        <test_value name="s0">USERNAME</test_value>
                        <test_value name="s1">SERVERNAME</test_value>
                    </test_values>
                </example>
            </examples>
        </rule>
    </rules>
</ruleset>
```

Which I have merged using pdbtool after successfully testing it.

I have added the following class and fields_classes_map entries to the db (fields were pre-existing):

```
+-------+---------------+-----------+
| id    | class         | parent_id |
+-------+---------------+-----------+
| 21000 | FORTINET_FSSO |         0 |
+-------+---------------+-----------+

+----------+----------+-------------+
| field_id | class_id | field_order |
+----------+----------+-------------+
|       15 |    21000 |           5 |
|       26 |    21000 |           6 |
|       45 |    21000 |           7 |
+----------+----------+-------------+
```

and restarted syslog-ng....

The logs are being classified properly - showing up as class=FORTINET_FSSO but the srcip is being parsed as 0.0.67.64, user as 0 and device as 0 (consistently)...

I've got to be missing/misunderstanding something simple?
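A small emulation of what `pdbtool test` checks, added here as an example and not part of the issue, of ELSA or of syslog-ng: it translates the patterndb parsers used in the rule above (`@ESTRING@`, `@IPv4@`, `@QSTRING@`, `@ANYSTRING@`) into a regular expression, runs each `<example>` in the ruleset against it and compares the captured values with the `<test_value>` entries. The ruleset is a constructed copy of the one in the post, with the redacted `srcip` replaced by 192.0.2.10 (a documentation-range address) and a placeholder ruleset id; the regex translation approximates patterndb's non-backtracking matcher and is not syslog-ng's algorithm. A second check, `check_field_types`, flags a named parser whose output type does not fit the slot it is assigned to, since ELSA stores i0-i5 as integers and s0-s5 as text.

```python
"""Emulate the checks `pdbtool test` performs on a syslog-ng patterndb ruleset.
Added example (not ELSA or syslog-ng code); the regex translation approximates
patterndb's matcher and covers only the parsers a typical ELSA rule uses."""
import re
import xml.etree.ElementTree as ET

# One patterndb parser token: @TYPE:name:param@ (name and param are optional).
PARSER_RE = re.compile(r"@([A-Za-z0-9]+)(?::([^:@]*)(?::([^@]*))?)?@")

# ELSA stores i0-i5 as integers (an IPv4 becomes a 32-bit int) and s0-s5 as text.
INT_PARSERS = {"IPv4", "NUMBER"}
STRING_PARSERS = {"ESTRING", "QSTRING", "STRING", "ANYSTRING"}

# The pattern from the issue, unchanged.
FSSO_PATTERN = (
    'date=@ESTRING:: @time=@ESTRING:: @devname=@ESTRING:: @devid=@ESTRING:: @'
    'logid=@ESTRING:: @type=event subtype=user level=notice vd=@ESTRING:: @'
    'logdesc="FSSO logon authentication status" srcip=@IPv4:i0:@ '
    'user=@QSTRING:s0:"@ server=@QSTRING:s1:"@@ANYSTRING::@'
)

# Constructed ruleset: the issue's rule with the redacted srcip replaced by a
# documentation-range address and a placeholder ruleset id.
RULESET_XML = """<patterndb version="4" pub_date="2015-12-15">
<ruleset name="fortinet" id="PLACEHOLDER-RULESET-ID">
  <pattern>fortinet</pattern>
  <rules>
    <rule provider="ADMIN" class="21000" id="21000">
      <patterns><pattern>{pattern}</pattern></patterns>
      <examples><example>
        <test_message program="fortinet">date=2015-12-15 time=13:41:16 devname=FG300C391xxxxxxx devid=FG300C391xxxxxxxx logid=0102043014 type=event subtype=user level=notice vd="DMZ1" logdesc="FSSO logon authentication status" srcip=192.0.2.10 user="USERNAME" server="SERVERNAME" action=FSSO-logon msg="FSSO-logon event from SERVERNAME: user USERNAME logged on 192.0.2.10"</test_message>
        <test_values>
          <test_value name="i0">192.0.2.10</test_value>
          <test_value name="s0">USERNAME</test_value>
          <test_value name="s1">SERVERNAME</test_value>
        </test_values>
      </example></examples>
    </rule>
  </rules>
</ruleset>
</patterndb>
""".format(pattern=FSSO_PATTERN)


def _fragment(ptype, param):
    """Return (prefix, captured body, suffix) regex pieces for one parser."""
    if ptype == "ESTRING":      # text up to the first delimiter; delimiter consumed
        if not param:           # no delimiter: runs to the end of the message
            return "", r".*", ""
        delim = re.escape(param)
        return "", rf"(?:(?!{delim}).)*", delim
    if ptype == "QSTRING":      # text between the quote chars; quotes not stored
        open_q, close_q = (param[0], param[-1]) if param else ('"', '"')
        return re.escape(open_q), rf"[^{re.escape(close_q)}]*", re.escape(close_q)
    if ptype == "IPv4":
        return "", r"(?:\d{1,3}\.){3}\d{1,3}", ""
    if ptype == "NUMBER":
        return "", r"\d+", ""
    if ptype == "STRING":       # a run of non-whitespace characters
        return "", r"\S+", ""
    if ptype == "ANYSTRING":    # everything up to the end of the message
        return "", r".*", ""
    raise ValueError(f"parser @{ptype}@ is not emulated")


def pattern_to_regex(pattern):
    """Translate a patterndb pattern into an anchored Python regex."""
    parts, pos = [], 0
    for tok in PARSER_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))   # literal text between parsers
        ptype, name, param = tok.group(1), tok.group(2) or "", tok.group(3) or ""
        prefix, body, suffix = _fragment(ptype, param)
        group = f"(?P<{name}>{body})" if name else f"(?:{body})"
        parts.append(prefix + group + suffix)
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts), re.DOTALL)


def match_message(pattern, message):
    """Return the named values the pattern extracts from message, or None if no match."""
    m = pattern_to_regex(pattern).fullmatch(message)
    return m.groupdict() if m else None


def check_field_types(pattern):
    """Flag named parsers whose output type does not fit ELSA's i*/s* slots."""
    problems = []
    for tok in PARSER_RE.finditer(pattern):
        ptype, name = tok.group(1), tok.group(2) or ""
        if name.startswith("i") and ptype not in INT_PARSERS:
            problems.append(f"{name}: @{ptype}@ yields text but i* slots are integers")
        elif name.startswith("s") and ptype not in STRING_PARSERS:
            problems.append(f"{name}: @{ptype}@ yields a number but s* slots are text")
    return problems


def run_examples(xml_text):
    """Run every <example> in the ruleset against its rule's patterns, like pdbtool test."""
    results = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        patterns = [p.text for p in rule.iter("pattern")]
        for example in rule.iter("example"):
            message = example.find("test_message").text
            expected = {tv.get("name"): tv.text for tv in example.iter("test_value")}
            actual = None
            for pat in patterns:
                actual = match_message(pat, message)
                if actual is not None:
                    break
            mismatches = {} if actual is None else {
                name: (value, actual.get(name))
                for name, value in expected.items() if actual.get(name) != value}
            results.append({"rule": rule.get("id"), "matched": actual is not None,
                            "mismatches": mismatches})
    return results


if __name__ == "__main__":
    for r in run_examples(RULESET_XML):
        status = "PASS" if r["matched"] and not r["mismatches"] else "FAIL"
        print(f"rule {r['rule']}: {status} {r['mismatches']}")
    print("field type problems:", check_field_types(FSSO_PATTERN) or "none")
```

A message redacted the way the one in the post is (`srcip=x.x.x.x`) cannot satisfy `@IPv4:i0:@`, so both `pdbtool test` and this emulation report the example as failing; a ruleset test only says something about production parsing when the `<test_message>` is a real, unredacted line of the kind the device actually sends.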

NoX1De commented 8 years ago

Does this help at all?:

https://github.com/Security-Onion-Solutions/security-onion/wiki/CustomELSAParsers

Did you test the new parser pattern with the pdbtool test command? Did you ever get this working?