I downloaded the logs from RSA NetWitness, used the ESI tool to attempt to create parsers for the logs, then uploaded them following the proper directions. They refuse to get parsed properly: the security intelligence logs and the AMP alert/retrospective logs. I used the message ID of malware, which is either malware or retrospective. Any help would be greatly appreciated.
We are about to go through the same thing. The logs from the Firepower are getting parsed as unknown, snort or ciscorouter and not getting parsed correctly. Going to try to utilize the ESI tool to create a custom parser and map it directly to the IP of our Firepower and hope we get the info we need out of it.
A quick tip for creating these. Make sure your user profile is set up to export the log files as logs and not CSV. This will help when it comes to creating the parsers with ESI. Also, if you are sending syslog messages for security intelligence events and they are coming from firewalls that are multi-context, you will need multiple headers created. I managed to create parsers for FireAMP malware, Security Intelligence events, and Snort triggers. Let me know if you need anything.
I have created one, but the issue seems to be that you can customize the log content, and I have yet to see a message with all the fields in it. If someone could please get that to me off-list that would be great, as well as a screenshot of the config page on the Firepower box so I can document what settings are chosen for the parser to work. I can modify what I already have.
The only message I added a tag for is security intelligence. This one required multiple headers in order to grab them all. So basically, as it sends the syslog message to NW it adds the word SecurityIntelligence so I know what to look for. Snort sigs worked right out of the box, Security Intelligence needed a parser, and Malware required a parser as well.
The logs for Dropped: Correlation Event and Not Dropped: Correlation (custom) get parsed with the snort parser (Header 0026 / message Snort_Alert.log). But the portion of the log that we need pulled (the Dropped / Not Dropped) is parsed as hfld1. And the same with the Malware / SecurityIntelligence / SFIMS: Correlation Event logs. Working on just creating a new parser that will utilize the field location where (Dropped / Not Dropped / Malware / SecurityIntelligence / SFIMS) is located.