You would need to navigate to:
MANAGEMENT>Device Type Management
Select the checkbox next to the specific device/version combination to
which you wish to extend or add a new event. For example "NetScreen
ScreenOS 6.0"
If you wish to add a new device message for parsing, click "Add Device
Event Type". You need to now define the specifics of the new device
event; provide a unique device event ID and then select the CS-MARS
event to which this event ID will be mapped and then click "Apply"
If you wish to extend an existing parsed message, click "Edit Parser".
Next select the desired device event ID and click "Edit". You can then
add any necessary parsing changes to the selected device event ID.
In both instances, the last step is to define regular expression-based
patterns to parse out the various components of the raw message that the
device is generating and forwarding to the CS-MARS. You will work from
left to right in the raw message, each component is considered a
position and should be discernible by a consistent key pattern (i.e. tab
(\t), colon :, semi-colon ;, etc). Each pattern will need to then
define the parsed field information (source address, source port,
destination address, destination port, time, etc). CS-MARS will provide
some pre-defined patterns, but you can also create your own to match the
specifics of the message format. Add the patterns required to match and
parse the values of interest from the event in question. You can test
your pattern matching as you develop the parser.
Scott
