Absent Member.

WUC Custom parser for Kaspersky event log

Hi all,

I'm trying to implement WUC for the Kaspersky Event Log with a custom parser because it can't parse the log automatically. I followed the WUC guide and some discussions on this portal, but did not succeed. Below is the raw log that comes to the ESM:


"EventlogType=Kaspersky Event Log&&EventIndex=10421&&WindowsVersion=Windows Server 2008 R2&&WindowsKeyMapFamily=Windows 2008 R2&&WindowsParserFamily=Windows 2008 R2|2008|7|Vista&&DetectTime=2014-5-26 14:51:38&&EventSource=kladminserver&&EventID=5&&EventType=Error&&EventCategory=0&&User=&&ComputerName=kas-antivirus.net&&Key[0]=PUREVSUREND-FD [Monday, May 26, 2014 2:51:37 PM (GMT+08:00)] (Web Anti-Virus): Result:    Detected: HEUR:AdWare.Script.Generic

Object:    http://secureclick-media-maynemyltf.netdna-ssl.com/Extensions/rjs/c2.js//JSPack

"

"EventlogType=Kaspersky Event Log&&EventIndex=10416&&WindowsVersion=Windows Server 2008 R2&&WindowsKeyMapFamily=Windows 2008 R2&&WindowsParserFamily=Windows 2008 R2|2008|7|Vista&&DetectTime=2014-5-26 13:42:9&&EventSource=kladminserver&&EventID=260&&EventType=Error&&EventCategory=0&&User=&&ComputerName=kas-antivirus.net&&Key[0]=BATBAYAR-G [Monday, May 26, 2014 1:42:07 PM (GMT+08:00)] (File Anti-Virus): Result:    Detected: Net-Worm.Win32.Kido.ih

Object:    C:\windows\system32\x

"

You can see that the whole Kaspersky event log is mapped into Key[0], so I tried to parse it manually using __regexToken. Below is the key mapping file I created.

key.delimiter=&&
key.value.delimiter==
key.regexp=([^&=]+)
additionaldata.enabled=true

conditionalmap.count=1
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=2

conditionalmap[0].mappings[0].values=5
conditionalmap[0].mappings[0].event.name=__stringConstant("Web malware detected")
conditionalmap[0].mappings[0].event.message=Key[0]
conditionalmap[0].mappings[0].event.destinationHostName=__regexToken(Key[0],"(\\S+)\\s+\\[.*")
conditionalmap[0].mappings[0].event.fileName=__regexToken(Key[0],".*Object\:\t(\\S+).*")
conditionalmap[0].mappings[0].event.fileType=__regexToken(Key[0],".*Detected\:\\s(\\S+).*")
conditionalmap[0].mappings[0].event.deviceAction=__stringConstant("Virus detected")
conditionalmap[0].mappings[0].event.sourceProcessName=__regexToken(Key[0],".*\\[.*\\]\\s\\((.*)\\).*")

conditionalmap[0].mappings[1].values=260
conditionalmap[0].mappings[1].event.name=__stringConstant("Malware detected")
conditionalmap[0].mappings[1].event.message=Key[0]
conditionalmap[0].mappings[1].event.destinationHostName=__regexToken(Key[0],"(\\S+)\\s+\\[.*")
conditionalmap[0].mappings[1].event.fileName=__regexToken(Key[0],".*Object\:\t(\\S+).*")
conditionalmap[0].mappings[1].event.fileType=__regexToken(Key[0],".*Detected\:\\s(\\S+).*")
conditionalmap[0].mappings[1].event.deviceAction=__stringConstant("Virus detected")
conditionalmap[0].mappings[1].event.sourceProcessName=__regexToken(Key[0],".*\\[.*\\]\\s\\((.*)\\).*")

Unfortunately, it's not working. I only see "Malware detected" or "Web malware detected" in the console, and the other mappings are not working, not even event.message. How can I solve this issue, and where is the problem?

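The following is an added example, not part of the original post and not ArcSight code: a small Python harness that splits a WUC record the way key.delimiter / key.value.delimiter would, then runs the post's four __regexToken expressions against Key[0]. It assumes (as a working hypothesis, not a documented fact) that __regexToken matches the regex against the whole token, and the sample record is constructed from the first event in the post with a real TAB after "Object:", since the post's regex expects \t. Its purpose is to show one likely reason the mappings stay empty: Key[0] spans several lines, and in Java and Python regex the `.` in a leading or trailing `.*` does not cross a newline unless DOTALL mode is on (in a Java regex that is the `(?s)` prefix, which can be placed inside the pattern string in the properties file).

```python
import re

# Constructed sample record, modelled on the first raw event quoted in the post.
# The post's rendering shows spaces after "Object:"; the TAB used here is an
# assumption matching the \t the post's regex expects.
SAMPLE_RECORD = (
    "EventlogType=Kaspersky Event Log&&EventIndex=10421&&"
    "WindowsVersion=Windows Server 2008 R2&&DetectTime=2014-5-26 14:51:38&&"
    "EventSource=kladminserver&&EventID=5&&EventType=Error&&EventCategory=0&&"
    "User=&&ComputerName=kas-antivirus.net&&"
    "Key[0]=PUREVSUREND-FD [Monday, May 26, 2014 2:51:37 PM (GMT+08:00)] "
    "(Web Anti-Virus): Result:    Detected: HEUR:AdWare.Script.Generic\n"
    "\n"
    "Object:\thttp://secureclick-media-maynemyltf.netdna-ssl.com/Extensions/rjs/c2.js//JSPack\n"
)

# The post's four __regexToken expressions as the regex engine sees them once
# the Java-properties escapes are undone (\: -> ':', \t -> TAB, \\S -> \S).
POST_PATTERNS = {
    "destinationHostName": r"(\S+)\s+\[.*",
    "fileName": r".*Object:\t(\S+).*",
    "fileType": r".*Detected:\s(\S+).*",
    "sourceProcessName": r".*\[.*\]\s\((.*)\).*",
}


def parse_wuc_record(raw, key_delim="&&", kv_delim="="):
    """Split a WUC record into a dict, mirroring key.delimiter / key.value.delimiter.

    Only the first kv_delim of each pair separates key from value, so '='
    characters that occur inside a value (URLs, free text) stay in the value.
    """
    fields = {}
    for pair in raw.split(key_delim):
        if kv_delim not in pair:
            continue
        key, value = pair.split(kv_delim, 1)
        fields[key.strip()] = value
    return fields


def extract_fields(token, patterns=POST_PATTERNS, dotall=False):
    """Apply each pattern to the token with whole-token match semantics.

    Without DOTALL, '.' does not match a newline (true for both Java and
    Python), so a pattern such as '.*Object:...' cannot span the line break
    that precedes 'Object:' inside Key[0], and the whole match fails.
    """
    flags = re.DOTALL if dotall else 0
    out = {}
    for name, pattern in patterns.items():
        m = re.fullmatch(pattern, token, flags)
        out[name] = m.group(1) if m else None
    return out


def diagnose(raw=SAMPLE_RECORD):
    """Return (parsed fields, results without DOTALL, results with DOTALL)."""
    fields = parse_wuc_record(raw)
    token = fields["Key[0]"]
    return fields, extract_fields(token), extract_fields(token, dotall=True)


if __name__ == "__main__":
    fields, strict, dotall = diagnose()
    print("EventID:", fields["EventID"], "ComputerName:", fields["ComputerName"])
    for name in POST_PATTERNS:
        print(f"{name:22s} default: {strict[name]!r:16s} DOTALL: {dotall[name]!r}")
```

Run as-is, every field comes back empty in default mode and populated in DOTALL mode, which is the same symptom the post describes (the __stringConstant mappings work, the __regexToken ones do not). If the connector's behaviour matches, the candidate fix to test is prefixing each regex in the properties file with `(?s)`; if event.message itself also stays empty, that points at the conditional map rather than the regexes, so check that event.externalId really carries the EventID value (5 or 260) the mappings are keyed on.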