This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Missing last value field in tagval message

Go to solution
david_waugh
Beginner
Beginner

‎2017-07-06 06:22 AM

I'm trying to parse the following custom log messages:

 

%AUDITD-4: type=EXECVE msg=audit(1499333941.360:486455): argc=3 a0="ls" a1="-lhatr" a2="/var/netwitness/concentrator/index"

 

Basically there can be any number of arguments and they are of the for argn=" "

 

I thought I would try and use the tagval parser map and defined the following message:

 

<TAGVALMAP
                delimiter="  &quot;" />

 

  <MESSAGE
                level="6"
                parse="1"
                parsedefvalue="1"
                tableid="89"
                id1="%AUDITD-4:13"
                id2="%AUDITD-4"
                eventcategory="1612000000"
                tagval="true"
                missField="true"
 content="type=&lt;event_description&gt; msg=audit(&lt;fld1&gt;): argc=&lt;fld2&gt; a0=&quot;&lt;filename&gt;&quot; a1=&quot;&lt;a1&gt;&quot; a2=&quot;&lt;a2&gt;&quot; a3=&quot;&lt;a3&gt;&quot; a4=&quot;&lt;a4&gt;&quot; a5=&quot;&lt;a5&gt;&quot; a6=&quot;&lt;a6&gt;&quot; a7=&quot;&lt;a7&gt;&quot; a8=&quot;&lt;a8&gt;&quot; "/>

 

 

 

 

However when I try and load the parser I get the following error:

 

Jul  6 10:18:04 SIEM-DO-HLD01 NwLogDecoder[31525]: [LogParse] [failure] Invalid message for auditd, id %AUDITD-4:13: Missing last value field in tagval message

 

Can anyone help perhaps wRAlmdLu8uOnkbiouAPmB5mqnlFr6baANOTo7eT0Oa4=‌?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-07-06 01:25 PM

Dave

 

You are already calling out the quot in the header part:

 

<TAGVALMAP
                delimiter="  &quot;" />

 

There is no reason to call it out in your parser:

 

content="type=&lt;event_description&gt; msg=audit(&lt;fld1&gt;): argc=&lt;fld2&gt; a0=&quot;&lt;filename&gt;&quot; a1=&quot;&lt;a1&gt;&quot; a2=&quot;&lt;a2&gt;&quot; a3=&quot;&lt;a3&gt;&quot; a4=&quot;&lt;a4&gt;&quot; a5=&quot;&lt;a5&gt;&quot; a6=&quot;&lt;a6&gt;&quot; a7=&quot;&lt;a7&gt;&quot; a8=&quot;&lt;a8&gt;&quot; "/>

Should be:

content="type=&lt;event_description&gt; msg=audit(&lt;fld1&gt;): argc=&lt;fld2&gt; a0=&lt;filename&gt; a1=&lt;a1&gt; 

and so on

Dave

 

View solution in original post

0 Likes
2 REPLIES 2

Go to solution
DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-07-06 01:25 PM

Dave

 

You are already calling out the quot in the header part:

 

<TAGVALMAP
                delimiter="  &quot;" />

 

There is no reason to call it out in your parser:

 

content="type=&lt;event_description&gt; msg=audit(&lt;fld1&gt;): argc=&lt;fld2&gt; a0=&quot;&lt;filename&gt;&quot; a1=&quot;&lt;a1&gt;&quot; a2=&quot;&lt;a2&gt;&quot; a3=&quot;&lt;a3&gt;&quot; a4=&quot;&lt;a4&gt;&quot; a5=&quot;&lt;a5&gt;&quot; a6=&quot;&lt;a6&gt;&quot; a7=&quot;&lt;a7&gt;&quot; a8=&quot;&lt;a8&gt;&quot; "/>

Should be:

content="type=&lt;event_description&gt; msg=audit(&lt;fld1&gt;): argc=&lt;fld2&gt; a0=&lt;filename&gt; a1=&lt;a1&gt; 

and so on

Dave

 

0 Likes

Go to solution
david_waugh
Beginner
Beginner
In response to DaveGlover

‎2017-07-10 04:21 AM

Thanks very much @Dave_Glover that did the trick.

© 2022 RSA Security LLC or its affiliates. All rights reserved.