Custom parser difficulties.

colmfahy · ‎03-02-2010

I am trying to parse a Windows 2008 '4624' event log entry as a proof-of-concept before parsing other high-priority Windows Server 2008 events.

I have created a 'parser' which will work flawlessly when using the 'test' feature within Mars 6.x.

However I am unable to get this 'parser' to interpret incoming events from the server.

* Events are being forwarded from the server using snare.

* Copying the event from 'Event raw messages' report output (where "Parsing error or event type unknown:" has been pre-pended to the message)

and pasting directly into the parser test screen, the message will be successfully parsed by the test parser.

* I have configured the device as a 'windows-generic' device but have NOT configured the MARS to receive OR pull logs from the device - hence, the only software configured on the device is the custome framework I have created.

Anyone any thoughts or have I missed something very simple?

Kind regards

Colm

Mykola Srebnyuk · ‎03-04-2010

Hi,

try:

1. To create a new one device type (as example win2008 generic).

2. Create a new device event type (add to this NEW event type).

3. Then create parser's patterns.

4. Then create new device (selest OS Windows --->>> Receive events ), go to tab Reporting applications and add a new one created device type (as example Win 2008 generic)

5. Thats all.

P.S In snare please enable syslog header. Thats all.

Kind regards,

Nick