Step by step - Parser syslog Logger

Hello everyone,

I made a configuration to parse syslog logs with my regex in ArcSight Logger, but the configuration didn't show me the modification I made.

Parser:

\<\d+\>(?<TimeStamp_1>\S+ \d+ \d+:\d+:\d+) (?<Word_1>\S+) \S+: (?<Word_3>\S+)\|\|\S+=\|\S+=(?<IPAddress_1>\d+\.\d+\.\d+\.\d+)\|\S+=(?<IPAddress_2>\d+\.\d+\.\d+\.\d+)\|\w+=(?<HostName_1>[^|]*)\|\w+=(?<Number_2>\d+)\|\w+=(?<Number_3>\d+)\|\w+=(?<Number_4>\d+)\|\w+=(?<Number_5>\d+)\|\w+=(?<Word_13>[^|]*)\|\w+=(?<Word_16>[^|]*)\|\w+=(?<Word_19>\w+)\|\w+=(?<Url_1>[^|]*)\|\w+=[^|]*\|\w+=\|\w+=\|\w+=(?<Number_6>\d+)\|\w+=[^|]*\|\w+=[^|]*\|\w+=[^|]*\|\w+=([^|]*)\|\w+=([^|]*)\|.*

Name: MWG-Teste

Source Types:

Name=MWG ; Description=McAfee Web Gateway; Parser=MWG-Teste

Receiver:

Name=McAfee Web Gateway; IP/Host=ALL; Port=9999; Encoding=UTF-8; Source Type=MWG; Enable=is checked

RAW EVENT:

<30>Apr 23 14:22:41 LANGOLANGO01 mwg: McAfeeWG||auth_user=|src_ip=10.10.10.12|server_ip=8.8.8.8|host=login.windows.net|url_port=443|status_code=200|bytes_from_client=2248|bytes_to_client=13408|categories=Software/Hardware|rep_level=Minimal Risk|method=CONNECT|url=https://login.windows.net|media_type=|application_name=|user_agent=|block_res=0|block_reason=|virus_name=|hash=|filename=|filesize=0|

Who can help me?

Remember: my device is an ArcSight Logger Appliance; I am not using the ArcSight SmartConnector.

Thanks for your help.
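As an added example (not code from the post, from ArcSight, or from McAfee), the script below replays the poster's parser against the raw event offline, so the regex itself can be confirmed to match before the receiver and source-type binding is investigated. Logger's parser syntax is Java regex; the only change made for Python's `re` is rewriting `(?<name>...)` as `(?P<name>...)`. The script also parses the same line key-aware, reading the MWG body as `key=value` pairs, and the reordered second event is a constructed assumption used to show why that matters: a positional `\S+=` pattern silently swaps `IPAddress_1` and `IPAddress_2` when `src_ip` and `server_ip` change places, while the key-aware parse still returns the right values.

```python
import re

# Constructed sample input: the RAW EVENT from the post, as one line.
RAW_EVENT = (
    "<30>Apr 23 14:22:41 LANGOLANGO01 mwg: McAfeeWG||auth_user=|src_ip=10.10.10.12"
    "|server_ip=8.8.8.8|host=login.windows.net|url_port=443|status_code=200"
    "|bytes_from_client=2248|bytes_to_client=13408|categories=Software/Hardware"
    "|rep_level=Minimal Risk|method=CONNECT|url=https://login.windows.net"
    "|media_type=|application_name=|user_agent=|block_res=0|block_reason="
    "|virus_name=|hash=|filename=|filesize=0|"
)

# Constructed variant (an assumption, not a real MWG line) with src_ip and
# server_ip swapped, to show how a purely positional parser behaves.
REORDERED_EVENT = RAW_EVENT.replace(
    "src_ip=10.10.10.12|server_ip=8.8.8.8", "server_ip=8.8.8.8|src_ip=10.10.10.12"
)

# The parser regex from the post, with its '+' quantifiers restored.
LOGGER_PARSER = (
    r"\<\d+\>(?<TimeStamp_1>\S+ \d+ \d+:\d+:\d+) (?<Word_1>\S+) \S+: (?<Word_3>\S+)"
    r"\|\|\S+=\|\S+=(?<IPAddress_1>\d+\.\d+\.\d+\.\d+)"
    r"\|\S+=(?<IPAddress_2>\d+\.\d+\.\d+\.\d+)\|\w+=(?<HostName_1>[^|]*)"
    r"\|\w+=(?<Number_2>\d+)\|\w+=(?<Number_3>\d+)\|\w+=(?<Number_4>\d+)"
    r"\|\w+=(?<Number_5>\d+)\|\w+=(?<Word_13>[^|]*)\|\w+=(?<Word_16>[^|]*)"
    r"\|\w+=(?<Word_19>\w+)\|\w+=(?<Url_1>[^|]*)\|\w+=[^|]*\|\w+=\|\w+=\|"
    r"\w+=(?<Number_6>\d+)\|\w+=[^|]*\|\w+=[^|]*\|\w+=[^|]*\|\w+=([^|]*)"
    r"\|\w+=([^|]*)\|.*"
)


def to_python_regex(java_pattern):
    """Logger's parser is Java regex; Python's re spells named groups (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", java_pattern)


def parse_with_logger_regex(event, pattern=LOGGER_PARSER):
    """Apply the Logger-style parser and return its named groups (None on no match)."""
    m = re.match(to_python_regex(pattern), event)
    return m.groupdict() if m else None


# Key-aware alternative: the syslog header is positional (its layout is fixed),
# but the MWG body is read as key=value pairs, so a field is found by its
# name instead of by its position in the line.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>\S+ +\d+ \d+:\d+:\d+) (?P<host>\S+) "
    r"(?P<tag>[^:]+): (?P<product>[^|]+)\|\|(?P<body>.*)$"
)


def parse_mwg_event(event):
    """Return (header, fields) or None. Assumes values contain no literal '|'."""
    m = HEADER_RE.match(event)
    if not m:
        return None
    header = {k: m.group(k) for k in ("pri", "timestamp", "host", "tag", "product")}
    fields = {}
    for item in m.group("body").split("|"):
        if not item:
            continue  # the trailing '|' yields an empty item
        key, sep, value = item.partition("=")  # split on the first '=' only
        if sep:
            fields[key] = value
    return header, fields


def syslog_pri(pri):
    """Decode the <PRI> value into (facility, severity); <30> is daemon/info."""
    return pri // 8, pri % 8


if __name__ == "__main__":
    print(parse_with_logger_regex(RAW_EVENT))
    print(parse_with_logger_regex(REORDERED_EVENT))  # IPAddress_1 is now the server
    header, fields = parse_mwg_event(REORDERED_EVENT)
    print(syslog_pri(int(header["pri"])), fields["src_ip"], fields["server_ip"])
```

If the poster's regex matches here but Logger still shows unparsed events, the regex is not the problem and the source type and receiver binding are the next thing to check. The `\S+=` segments also force the engine to scan to the next space and backtrack on every event, so anchoring on the key names (`src_ip=`, `server_ip=`) is both safer and cheaper at ingestion rates.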

  • Verified Answer

    Hello!

    One of the reasons this post has not been answered yet may be that your question and related issue are rather complex and will take some time to investigate.

    Since we do have a SmartConnector for that product, why don't you use it? Any technical or process reason for that?

    Are you expecting the logger to parse the logs as they come in? 

    This is possible; you can do it at ingestion. Once you have defined a source type, you need to edit the receiver and set the source type on the receiver the logs are coming in to. That may be causing your issue.

    If this feedback does not help at all, please get in touch with our support team!
