2016-04-05 05:58 PM
I tried to parse the following messages:
[software internal system syslog] CLI command [user admin, mode [local]VALGP]: directory /hd-raid/
[software internal system syslog] CLI command [user admin, mode [local]VALGP(config)]: config
I assign the variable "hostname" to VALGP and the variable "action" to (config). ESI doesn't find any error, but when I check the message ID, hostname is parsed as "VALGP(config)".
Why did this happen?
How can I delimit the variable "hostname" in the first message?
2016-04-06 11:04 AM
Are you using the 10.6 ESI?
2016-04-06 12:42 PM
I'm using ESI 1.2.1.
In the first message I assign the variable "hostname" to VALGP and ESI parses it OK, but when I check the second message, hostname is parsed as "VALGP(config)".
From: Sean Koniarz
Sent: Wednesday, 06 April 2016 10:05 a.m.
To: Adiel Navarro
Subject: Re: - Delimited variables in ESI
2016-04-06 03:25 PM
You will need to modify the parser manually. You can use "or" statements in parsers though, so that will help. Going to try and write out what you will likely need to do, without knowing what your XML looks like.
Log
[software internal system syslog] CLI command [user admin, mode [local]VALGP]: directory /hd-raid/
Parser
[<fld1>] <event_description> [user <event_user>, mode [local]<hostname>]: <results>
Log
[software internal system syslog] CLI command [user admin, mode [local]VALGP(config)]: config
Parser
[<fld1>] <event_description> [user <event_user>, mode [local]<hostname>(<action>)]: <results>
As you can see, with the top one it will add anything in the ]] section to hostname, but the second will take anything until the ( and then it will use action for the rest. It is very static how the parsers work for that version. But we can combine them like this:
[<fld1>] <event_description> [user <event_user>, mode {[local]<hostname>]: | [local]<hostname>(<action>)]:} <results>
A | will act as an "or" statement for the parser, so it is going to look at either the first style or the second style and parse correctly. If you want, post your XML or let me know how it works. I of course do not know the actual meta you want to populate; that was just for an example.
2016-04-06 03:55 PM
Let me try this, Sean:
<MESSAGE
level="7"
parse="1"
parsedefvalue="1"
tableid="55"
id1="cli_30000_debug"
id2="cli_30000_debug"
eventcategory="1401040000"
content="[<service> <<cli:<number1>> cliparse.c:<number2>] CLI command [user <username>, mode {[local]<hostname>]: | <hostname>(<action>)]:} <msg>"/>
When I try to check this in ESI, it sends the following message:
2016-04-06 04:06 PM
What happened here?
CLI session started for Security Administrator staradmin on device /dev/pts/1 from ::ffff:10.188.62.7
I try to define the value “Security Administrator” as “group” and “staradmin” as “username”.
When I check, only “Security” is parsed as group and “Administrator staradmin” is parsed as username.
But in this message
CLI session started for Operator temporal on device /dev/pts/1 from ::ffff:10.188.6.7
“Operator” is defined as group and “temporal” as “username”; ESI parsed this OK.
2016-04-07 10:57 AM
Yeah, so ESI in that state will actually consider the parsing a fail. You will need to deploy it into SA for it to work.
Also, the parsing you wrote has three issues. First, do not use the 'msg' meta to parse; msg is used to display the entire log message, so you will sometimes be doubling data, unless it works for you, but we do not do that.
Second, there are too many spaces between the last } and the <msg>.
Third, you forgot to add the last local.
Below should work. I would suggest adding the parser to the SA system and seeing if the logs come through. You can also inject the logs via CLI: NwLogPlayer -f /path/to/log/file
And lastly, if you have access to the SCOL I would suggest downloading the new 10.6 ESI, which will be able to do better parsing for SA.
content="[<service> <<cli:<number1>> cliparse.c:<number2>] CLI command [user <username>, mode {[local]<hostname>]: | [local]<hostname>(<action>)]:} <msg>"/>
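As an added illustration (not ESI's code and not written by anyone in this thread), the Python below models the field-capture behaviour Sean describes and the "Security Administrator staradmin" result from the earlier question: each <field> runs up to the next literal text in the pattern, and {a | b} is an either/or. It runs the thread's own sample lines through the two single-style patterns, the combined pattern, and the space-delimited <group> <username> pattern. One caveat that belongs to this regex translation specifically: alternatives are tried left to right, so the first branch of the combined pattern as written still swallows "VALGP(config)" into hostname; putting the more specific branch first (a constructed variant, P_COMBINED_SPECIFIC_FIRST) fixes that in the model. Whether ESI's own engine orders alternatives the same way is not stated in the thread.

```python
import re

# Sample lines copied from the thread (constructed test input for this example).
LOG_PLAIN = "[software internal system syslog] CLI command [user admin, mode [local]VALGP]: directory /hd-raid/"
LOG_CONFIG = "[software internal system syslog] CLI command [user admin, mode [local]VALGP(config)]: config"
LOG_SESSION_A = "CLI session started for Security Administrator staradmin on device /dev/pts/1 from ::ffff:10.188.62.7"
LOG_SESSION_B = "CLI session started for Operator temporal on device /dev/pts/1 from ::ffff:10.188.6.7"

# Patterns from the thread, plus one constructed variant with the specific branch first.
P_PLAIN = "[<fld1>] <event_description> [user <event_user>, mode [local]<hostname>]: <results>"
P_ACTION = "[<fld1>] <event_description> [user <event_user>, mode [local]<hostname>(<action>)]: <results>"
P_COMBINED = "[<fld1>] <event_description> [user <event_user>, mode {[local]<hostname>]: | [local]<hostname>(<action>)]:} <results>"
P_COMBINED_SPECIFIC_FIRST = "[<fld1>] <event_description> [user <event_user>, mode {[local]<hostname>(<action>)]: | [local]<hostname>]:} <results>"
P_SESSION = "CLI session started for <group> <username> on device <device> from <src>"

_FIELD = re.compile(r"<(\w+)>")


def _translate(pattern, seen):
    """Turn a simplified ESI-style pattern into a regex string (a model, not ESI's engine).

    <name>        -> lazy named capture that runs up to the next literal text
    {a | b}       -> (?:a|b), alternatives tried left to right
    anything else -> escaped literal
    A field name reused in a second alternative gets a numeric suffix, because
    Python's re module refuses duplicate group names; parse() merges them back.
    """
    out = []
    i = 0
    while i < len(pattern):
        m = _FIELD.match(pattern, i)
        if m:
            name = m.group(1)
            seen[name] = seen.get(name, 0) + 1
            gname = name if seen[name] == 1 else f"{name}__{seen[name]}"
            out.append(f"(?P<{gname}>.+?)")
            i = m.end()
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = [a.strip() for a in pattern[i + 1:j].split("|")]
            out.append("(?:" + "|".join(_translate(a, seen) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def parse(pattern, line):
    """Match one log line against an ESI-style pattern; returns a field dict or None."""
    m = re.fullmatch(_translate(pattern, {}), line)
    if not m:
        return None
    fields = {}
    for gname, value in m.groupdict().items():
        if value is not None:
            fields[gname.split("__")[0]] = value   # hostname__2 -> hostname
    return fields


if __name__ == "__main__":
    cases = [
        ("single style, plain line", P_PLAIN, LOG_PLAIN),
        ("single style, (config) line: hostname swallows (config)", P_PLAIN, LOG_CONFIG),
        ("action style, plain line: no match", P_ACTION, LOG_PLAIN),
        ("action style, (config) line", P_ACTION, LOG_CONFIG),
        ("combined as posted, (config) line: first branch wins", P_COMBINED, LOG_CONFIG),
        ("combined, specific branch first, (config) line", P_COMBINED_SPECIFIC_FIRST, LOG_CONFIG),
        ("combined, specific branch first, plain line", P_COMBINED_SPECIFIC_FIRST, LOG_PLAIN),
        ("space-delimited group/username, two-word group", P_SESSION, LOG_SESSION_A),
        ("space-delimited group/username, one-word group", P_SESSION, LOG_SESSION_B),
    ]
    for label, pat, line in cases:
        print(f"{label}: {parse(pat, line)}")
```

The space-delimited case shows the same rule at work as the hostname one: <group> stops at the first space because that is the next literal in the pattern, so a two-word group name like "Security Administrator" can only be captured if the pattern carries a literal that distinguishes it from the username.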
2016-04-12 10:09 AM
Sean,
I only find ESI 1.2.1 on SCOL.
What is 10.6 ESI?
2016-04-13 09:31 AM
With the release of 10.6 they added a new ESI tool designed for SA. If you look in the SA Downloads you should see the new release.