Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
1
Replies

Custom parser difficulties.

colmfahy
Level 1
Level 1

‎03-02-2010 03:00 AM

I am trying to parse a Windows 2008 '4624' event log entry as a proof-of-concept before parsing other high-priority Windows Server 2008 events.

I have created a 'parser' which will work flawlessly when using the 'test' feature within Mars 6.x.

However I am unable to get this 'parser' to interpret incoming events from the server.

* Events are being forwarded from the server using snare. 

* Copying the  event from 'Event raw messages' report output (where "Parsing error or event type unknown:" has been pre-pended to the message)

  and pasting directly into the parser test screen, the message will be successfully parsed by the test parser.

* I have configured the device as a 'windows-generic' device but have NOT configured the MARS to receive OR pull logs from the device - hence, the only software configured on the device is the custome framework I have created.

Anyone any thoughts or have I missed something very simple?

Kind regards

Colm

Labels:
0 Helpful
1 Reply 1

Mykola Srebnyuk
Level 1
Level 1

‎03-04-2010 02:34 AM

Hi,

try:

1. To create a new one device type (as example win2008 generic).

2. Create a new device event type (add to this NEW event type).

3. Then create parser's patterns.

4. Then create new device (selest OS Windows --->>> Receive events ), go to tab Reporting applications and add a new one created device type (as example Win 2008 generic)

5. Thats all.

P.S In snare please enable syslog header. Thats all.

Kind regards,

Nick

0 Helpful
Customers Also Viewed These Support Documents