The information contained in this document is confidential and proprietary. Please do not
redistribute without permission.
1 Introduction
This guide details how to create and deploy a custom advanced syslog parser (ASP) rule in the
McAfee ESM. A custom ASP rule may be necessary when the McAfee ESM receives a log that it does not recognize and therefore does not parse.
This guide also includes some “Best Practices” to follow when writing ASP rules.
2 Prerequisites
The following will be required, or useful, in creating custom parsing rules:
• Vendor documentation can be helpful to determine the meaning of each field in the logs desired to
be parsed.
1. Select the Receiver, and then click on the “+” icon to add a data source.
2. The Add Data Source window will open. Set the Data Source Vendor to Generic and the Data Source
Model to Advanced Syslog Parser. Give the new data source a name, add the proper IP address,
and ensure that the Support Generic Syslogs field is left as Do nothing.
3. Select OK, and then apply the new data source settings by confirming in the next
window. This will create a new data source with an empty rule policy.
3.2 Create a Custom Parsing Rule for ASP
1. From the McAfee ESM console, select the data source and open the Policy Editor.
4. The Advanced Syslog Parser Rule window will appear. Within the General tab, assign information
as displayed below:
In the image below, the named capture group full_name has a value of “Sam Johnson”. This
named capture is being used as the Target Key for the first_name and last_name targeted
regular expressions. The regular expression for first_name and last_name will be evaluated
against the value of the full_name named capture. The result shows the key of first_name:1 with
a value of “Sam” and last_name:1 with a value of “Johnson”. This specific case could be handled
within a single regular expression; it is a simplified example chosen to illustrate the purpose of the
Target Key field used with regular expressions. In general, it is recommended to run as few
regular expressions as possible, but that may vary with specific use cases.
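The two-stage evaluation described above, as an added Python illustration that is not part of the original guide and not the ESM's own parser: a main expression captures full_name, and each targeted expression is run only against that captured value. The log line, the `parse`/`parse_single` helpers and the key names are constructed for this example.

```python
import re

# Constructed sample log line (not from the page); the rule first captures the
# whole name as the named group "full_name", then runs targeted expressions
# against that captured value only.
SAMPLE_LOG = 'Jan 10 12:00:01 hr-app LOGIN user="Sam Johnson" result=success'

# Main rule expression with the named capture group.
MAIN_RE = re.compile(r'user="(?P<full_name>[^"]+)"')

# Targeted expressions whose Target Key is "full_name". Group 1 of each is
# reported under the key "<name>:1", matching the display in the guide.
TARGETED = {
    "first_name": re.compile(r"^(\S+)"),
    "last_name": re.compile(r"(\S+)$"),
}


def parse(line, main_re=MAIN_RE, targeted=TARGETED, target_key="full_name"):
    """Evaluate the main expression, then each targeted expression against the
    value of target_key. Returns {} when the main expression does not match."""
    m = main_re.search(line)
    if not m:
        return {}
    target_value = m.group(target_key)
    result = {target_key: target_value}
    for name, rx in targeted.items():
        tm = rx.search(target_value)  # scoped to the capture, not the whole log
        if tm:
            result[f"{name}:1"] = tm.group(1)
    return result


def unscoped_last_token(line):
    """What last_name's expression would return if run against the whole log
    instead of the full_name capture: the log's final token, not the surname."""
    return re.search(r"(\S+)$", line).group(1)


# The single-expression alternative the guide mentions: both names captured at once.
SINGLE_RE = re.compile(r'user="(?P<first_name>\S+) (?P<last_name>\S+)"')


def parse_single(line, rx=SINGLE_RE):
    """Same result with one expression and no Target Key."""
    m = rx.search(line)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    print(parse(SAMPLE_LOG))
    print(parse_single(SAMPLE_LOG))
```

The `unscoped_last_token` helper shows why the Target Key matters: the same `(\S+)$` expression run against the whole log returns `result=success`, whereas scoped to the full_name capture it returns the surname.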
6. Add applicable Content Strings by selecting Edit. These are very important and can drastically
affect the performance of the created rule. Every content string added must be a string that is
guaranteed to be within the log, because content strings act as a type of “prefilter”. Multiple unique content
strings can be added to increase the speed and efficiency of the rule.
7. Select applicable regular expression options by checking the corresponding boxes, and add one or more
Regular Expressions by selecting the “+” symbol.
Only use regular expressions for parsing purposes – Checking this box will remove the
requirement for the first regular expression to match the log. The parser will rely upon the
Content String for matching purposes, and will only use regular expressions to parse data when it
finds a matching pattern.
Case Insensitive – If the log may contain either upper or lower case letters in some fields, it may
be simpler to write the expression in the same case and then use this option. This enables the
case insensitivity option for all regular expressions defined in the parsing rule.
Trigger when data doesn’t match – This option will make the rule trigger when the regular
expression does not match the log.
a. The Edit Regular Expression window will appear. Add the expression and select OK.
8. With the expression added, the parsed values should be highlighted in blue, with the Group and
Value shown to the right. Verify that each value is parsed out correctly and that all of the log line
samples match. Make sure to know the meaning (from the vendor device documentation or your own
knowledge) of all the fields within the logs, and capture the values that are useful.
9. After all the regular expressions are written to extract out the needed values from the log, select
the Field Assignment tab at the top of the window.
11. Drag and drop the Values from the right hand side to the Expression column next to the Field on
the left.
a. For more complicated log file formats, multiple regular expressions may be used to
capture the same data. In such cases, a field such as First Time might come from one of
several potential expressions. McAfee ESM allows you to specify the
regular expression values in order of preference, so that if one does not match, it will
use the second, or third, and so on. An example of this is shown below:
12. If the needed field is not displayed, click “+” above the Sample Value column to display all
custom type fields.
13. The Custom Types window will now be displayed. Select the desired field and then select OK.
15. Click on the final tab, Mapping. This section will allow parsing the date format, mapping the
action, and mapping the severity found within the log message.
16. To add a Time Format, select the “+” symbol in the upper-right of the time format section.
b. Enter a custom time format. As the values are entered, a small window will appear to
assist in creating the custom time. The values can either be typed or selected from the
given list.
c. Select the fields that this custom format will apply to. It is best practice to apply it to
both First Time and Last Time.
d. Select OK to save.
17. To add an Action Map, find an applicable Action Value by scrolling through the list and then click
inside the Action Key column. Enter the value that will be parsed from the device logs. If this
value is parsed and assigned to “Action”, then it will map to the assigned Action Value.
18. To add a Severity Mapping, select the “+” symbol in the upper-right of the Severity Mapping
section.
b. Within the Severity Mapping field, enter the value that will be parsed from the device
logs. If this value is parsed and assigned to “Severity”, then it will map to the assigned
Severity Value.
d. Select OK to save.
19. Below the Severity Mapping section, the option to add a default severity will be given. This is
generally a good option to set in order to ensure that all logs receive a severity value. The
appropriate default severity depends on the device. To add the default severity, place a check
next to Use the following severity for the default if one is not specified, and then enter a default
value.
20. With the previous steps complete, the new ASP rule should be finished. Select Finish, located in
the bottom-right hand corner to finish and save.
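The rule-building steps above (content strings as prefilter, the “Only use regular expressions for parsing purposes” option, regular expressions, field assignment in order of preference, time format, action map, severity map and default severity), brought together in one added Python model of a single ASP rule. This is illustrative code written for this guide, not the ESM's parser: the sample firewall lines, the `RULE` dictionary, the action values, the severity numbers and the strftime-style time formats (a stand-in for the ESM's own time format editor) are all constructed.

```python
import re
from datetime import datetime

# Constructed sample logs from a hypothetical firewall (not from the page).
# Two different timestamp layouts appear, so "First Time" is assigned from a
# list of captures in order of preference, as described in step 11a.
SAMPLES = [
    "Mar 04 09:15:22 fw01 ACCESS: action=allow sev=low src=10.0.0.5 dst=10.0.0.9 time=2024-03-04 09:15:22",
    "Mar 04 09:15:23 fw01 ACCESS: action=drop sev=high src=10.0.0.7 dst=10.0.0.9 ts=04/03/2024 09:15:23",
    "Mar 04 09:15:24 fw01 ACCESS: action=reset src=10.0.0.8 dst=10.0.0.9",
]

# A model of one ASP rule; the keys mirror the tabs in the guide. Action
# values, severity numbers and the time formats are illustrative stand-ins.
RULE = {
    "content_strings": ["fw01", "ACCESS:"],  # prefilter: every string must be present
    "only_regex_for_parsing": True,          # step 7: first regex need not match
    "regexes": [
        re.compile(r"action=(?P<action>\w+)"),
        re.compile(r"sev=(?P<sev>\w+)"),
        re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"),
        re.compile(r"time=(?P<time_iso>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"),
        re.compile(r"ts=(?P<time_dmy>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"),
    ],
    # Field Assignment tab: ESM field -> captures in order of preference
    "fields": {
        "First Time": ["time_iso", "time_dmy"],
        "Last Time": ["time_iso", "time_dmy"],
        "Source IP": ["src"],
        "Destination IP": ["dst"],
        "Action": ["action"],
        "Severity": ["sev"],
    },
    # Mapping tab: one time format per capture, applied to both time fields
    "time_formats": {"time_iso": "%Y-%m-%d %H:%M:%S", "time_dmy": "%d/%m/%Y %H:%M:%S"},
    "time_fields": ["First Time", "Last Time"],
    "action_map": {"allow": "permit", "drop": "deny", "reset": "reset"},
    "severity_map": {"low": 25, "medium": 50, "high": 75},
    "default_severity": 50,  # step 19
}


def apply_rule(line, rule=RULE):
    """Return the assigned and mapped fields for one log line, or None when the
    rule does not fire (prefilter fails, or the first regex is required and misses)."""
    if not all(s in line for s in rule["content_strings"]):
        return None  # rejected before any regular expression runs
    captures = {}
    for i, rx in enumerate(rule["regexes"]):
        m = rx.search(line)
        if m:
            captures.update({k: v for k, v in m.groupdict().items() if v is not None})
        elif i == 0 and not rule["only_regex_for_parsing"]:
            return None  # option unchecked: the first expression must match
    event = {}
    for field, prefs in rule["fields"].items():
        chosen = next((c for c in prefs if c in captures), None)  # first match wins
        if chosen is None:
            continue
        value = captures[chosen]
        if field in rule["time_fields"]:
            value = datetime.strptime(value, rule["time_formats"][chosen])
        elif field == "Action":
            value = rule["action_map"].get(value, value)  # unmapped keys stay raw
        elif field == "Severity":
            value = rule["severity_map"].get(value, rule["default_severity"])
        event[field] = value
    event.setdefault("Severity", rule["default_severity"])  # nothing parsed at all
    return event


if __name__ == "__main__":
    for sample in SAMPLES:
        print(apply_rule(sample))
```

Running the three samples shows the preference order at work: the first line's time comes from `time_iso`, the second's from `time_dmy`, and the third has no time capture, so First Time is left unassigned and its missing severity falls back to the default.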
1. Open the Policy Editor for the data source that the new ASP rule was created for, and beneath
Receiver, select Advanced Syslog Parser. The newly created ASP rule(s) will be listed with the
Action column displaying “disabled”. Click on disabled and then change the value to enabled.
2. With the new rule set as enabled, click on the Rollout icon displayed in the upper-right hand
corner of the Policy Editor window.
3. If the rule has not already been saved, a prompt to save will appear. Select Yes to save.
4. Once saved, the Rollout window will appear and will display a list of devices to roll policy out to.
Ensure that the applicable data source is set to “Roll this policy out now.” and select OK to do
so.
1. Select the Custom Types option from the menu on the left.
Note: Select the Edit option to edit a pre-existing user-defined custom type if needed.
3. The Add Custom Type window will appear. Set up the new custom type as desired and select OK.
1. Obtain sample logs from the device that the new rule was created for and save these to a text
file.
3. The Data Source Properties window will appear. Select the Upload button.
4. Navigate to the log sample file and select it to upload. Select the Upload button and then a
confirmation window will be displayed showing the file was successfully uploaded. Select Close
to close out the window.
6. The Get Events and Flows window will appear. Select Events and then click the Start button to
collect the events.
7. Once the events are collected, find the events in the dashboard and verify the newly created ASP
rule is parsing as expected. If any adjustments need to be made, make the changes and then
send the sample logs through again to verify that the rule is parsing as expected.
6 Best Practices
The following are given as best practices that can help with creating ASP rules that work well within the
McAfee ESM.
Following these recommendations will help ensure reporting is accurate, not overly complex, and will
help parsers and Receivers maintain intended performance and efficiency.
• Ensure that captured values mapped to ESM database fields align with the intended use of the
specific custom type fields.
• Avoid indexing fields that contain unique and random or high cardinality data such as URLs.
• Ensure rules mapping event messages directly from the log are not mapping unique and random
or high cardinality strings as messages. The ESM creates a data source rule for each unique event
message, and ESM performance can be negatively impacted if there is a high rate of unique
strings being mapped to message.
• Categorize events by adding a normalized category to the rule. Data source rules, generated by
parsing rules, inherit the normalization assigned to the main parsing rule. This means that if the
main parsing rule is left normalized to “Uncategorized”, then the parsed events will also be
normalized as “Uncategorized”, making a search for “Uncategorized” events to find unparsed
events inaccurate.
6.3 Content
Ensure there is at least one value in the content field section. Content strings should be at least 3
characters in length and should be as unique as possible for the specific event. It is advised to include
enough content matches to uniquely identify the log. Using one or more content fields within the ASP rule
will significantly speed up the matching and parsing process on the Receiver.
The table below shows an example of how to use the content field to uniquely identify a log sample.
Syslog Sample Content Fields
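As an added illustration of the content-string guidance in this section and in step 6 (strings of at least 3 characters, guaranteed to be in every sample of the event, and unique enough to exclude other events), the following Python helpers check candidate content strings against a set of sample logs. This is not the ESM's own logic; the VPN gateway samples, the whitespace tokenization and the greedy selection are constructed for this example.

```python
# Constructed sample logs from a hypothetical VPN gateway (not from the page).
# TARGET holds samples of the one event this rule should match; OTHERS holds
# other events from the same device that the prefilter should reject.
TARGET = [
    'Apr 02 10:01:05 vpn-gw sslvpn: user=alice msg="login failed" reason=bad_password',
    'Apr 02 10:01:09 vpn-gw sslvpn: user=bob msg="login failed" reason=locked',
]
OTHERS = [
    'Apr 02 10:01:12 vpn-gw sslvpn: user=alice msg="login ok" tunnel=up',
    'Apr 02 10:02:00 vpn-gw kernel: link down eth1',
]
MIN_LEN = 3  # minimum content string length recommended by the guide


def guaranteed_tokens(samples, min_len=MIN_LEN):
    """Whitespace tokens of at least min_len characters that appear in every
    sample; only these are safe to use as content strings for the event."""
    per_sample = [{t for t in s.split() if len(t) >= min_len} for s in samples]
    return set.intersection(*per_sample) if per_sample else set()


def prefilter(line, content_strings):
    """The Receiver-side check: every content string must be present."""
    return all(s in line for s in content_strings)


def missed_samples(content_strings, samples):
    """Target samples the rule would never see because a content string is
    not guaranteed to be in them (the failure mode step 6 warns about)."""
    return [s for s in samples if not prefilter(s, content_strings)]


def choose_content_strings(target, others, min_len=MIN_LEN):
    """Greedily add guaranteed tokens (longest first) until no non-target
    sample passes the prefilter. Returns (chosen, non-target samples still passing)."""
    candidates = sorted(guaranteed_tokens(target, min_len), key=lambda t: (-len(t), t))
    chosen, remaining = [], list(others)
    while remaining:
        best, best_left = None, remaining
        for tok in candidates:
            if tok in chosen:
                continue
            left = [o for o in remaining if tok in o]
            if len(left) < len(best_left):
                best, best_left = tok, left
        if best is None:  # no guaranteed token excludes anything further
            break
        chosen.append(best)
        remaining = best_left
    return chosen, remaining


if __name__ == "__main__":
    print(sorted(guaranteed_tokens(TARGET)))
    print(choose_content_strings(TARGET, OTHERS))
    print(missed_samples(["bad_password"], TARGET))
```

Tokenizing on whitespace is a simplification: the ESM matches content strings as literal substrings, so a multi-word string such as `login failed` is equally valid. The `missed_samples` check is the one worth running on every rule, since a content string that appears in only some samples silently drops the rest.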