This version is no longer current, the latest version is Security Analytics Parser 2.1.63, Link below.
Attached is a log parser that will allow Security Analytics to consume its own logs and properly parse them. This parser will also parse the syslog audit logs sent from the SA GUI. There are ESA alerts, Reports, Investigation Meta Group, table-map-custom.xml and the Concentrator/Broker Custom indexes. This parser works on 10.3.x and 10.4 (it will parse the messages common between 10.3x and 10.4x). It does not contain new log entries from 10.4, like for the puppet service.
This version is much more comprehensive and parses the log events into proper meta keys and event categories.
I wrote this to help fill the audit gap that exists in SA and to help with system monitoring.
It also includes a list the event categories and the event parser lines to help with building reports, alerts and queries.
If you have an SA Log entry that is not getting parsed, send it to me and I will see about adding it to the next version.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.