This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Does anyone have Cisco firepower manager custom Parsers created?

JohnBabio
Beginner
Beginner

‎2017-08-31 03:45 PM

I downloaded the logs from RSA netwitness, used esi tool to attempt to create parsers for the logs, then uploaded them following the proper directions. They refuse to get parsed properly. The security intelligence logs and the amp alert/ retrospective logs. I used the message id of malware which is either malware or restrospective. Any help would be greatly appreciated.

investigation-test.csv.zip
0 Likes
5 REPLIES 5

CHADHEILIG
Occasional Contributor
Occasional Contributor

‎2017-10-10 09:22 AM

We are about to go through the same thing. The logs from the Firepower is getting parsed as unknown,snort or ciscorouter and not getting parsed correctly. Going to try to utilize the ESI tool to create a custom parser and map it directly to the IP of our Firepower and hope we get the info we need out of it.

0 Likes

JohnBabio
Beginner
Beginner

‎2017-10-10 09:31 AM

A quick tip for creating these. Make sure your user profile is setup to export the log files as logs and not CSV. This will help when it comes to creating the parsers with ESI. Also if you are sending syslog messages for security intelligence events and it is coming from firewalls that are multi context you will need  multiple headers created. I managed to created parsers for fireamp malware, Security intelligence events, and Snort triggers. Let me know if you need anything.

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-10-11 11:40 AM

I have created one but the issue seems that you can customize the log content, and I have yet to see a messages with all the fields in it.  If I could please have someone get that to me offlist that would be great, as well as a screen shot of the config page on the firepower box so i can document what settings are chosen for the parser to work.  I can modify what I already have. 

0 Likes

JohnBabio
Beginner
Beginner
In response to DaveGlover

‎2017-10-11 01:22 PM

The only message i added a tag for is security intelligence. This one required multiple headers in order to grab them all. So basically as it send the syslog message to NW it adds the word SecurityIntelligence so I know what to look for. Snort sigs worked right out of the box, Security Intelligence needed a parser, and Malware required a parser as well.

0 Likes

CHADHEILIG
Occasional Contributor
Occasional Contributor

‎2017-10-11 01:34 PM

The logs for Dropped: Correlation Event and Not Dropped: Correlation (custom) gets parsed with snort parser (Header 0026 / message Snort_Alert.log). But the portion of the log that we need pulled (the Dropped / Not Dropped) is parsed as hfld1. And the same with the Malware / SecurityIntelligence/SFIMS : Correlation Event logs. Working on just creating a new parser that will utilize the field location that (Dropped / Not Dropped / Malware / SecurityIntelligence / SFIMS) is located.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.