Missing last value field in tagval message

Question asked by David Waugh on Jul 6, 2017
Latest reply on Jul 10, 2017 by David Waugh

I'm trying to parse the following custom log messages:

%AUDITD-4: type=EXECVE msg=audit(1499333941.360:486455): argc=3 a0="ls" a1="-lhatr" a2="/var/netwitness/concentrator/index"

Basically there can be any number of arguments and they are of the form argn=" ".

I thought I would try and use the tagval parser map and defined the following message:

<TAGVALMAP
                delimiter="  &quot;" />

  <MESSAGE
                level="6"
                parse="1"
                parsedefvalue="1"
                tableid="89"
                id1="%AUDITD-4:13"
                id2="%AUDITD-4"
                eventcategory="1612000000"
                tagval="true"
                missField="true"
 content="type=&lt;event_description&gt; msg=audit(&lt;fld1&gt;): argc=&lt;fld2&gt; a0=&quot;&lt;filename&gt;&quot; a1=&quot;&lt;a1&gt;&quot; a2=&quot;&lt;a2&gt;&quot; a3=&quot;&lt;a3&gt;&quot; a4=&quot;&lt;a4&gt;&quot; a5=&quot;&lt;a5&gt;&quot; a6=&quot;&lt;a6&gt;&quot; a7=&quot;&lt;a7&gt;&quot; a8=&quot;&lt;a8&gt;&quot; "/>
However when I try and load the parser I get the following error:

Jul  6 10:18:04 SIEM-DO-HLD01 NwLogDecoder[31525]: [LogParse] [failure] Invalid message for auditd, id %AUDITD-4:13: Missing last value field in tagval message

Can anyone help, perhaps Dave Glover?
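For comparison with the fixed a0..a8 approach in the tagval definition above, here is an added example (not from the original post, and not NetWitness parser code) that parses the auditd EXECVE record with any argc by iterating over aN fields and checking them against argc; it also handles auditd's convention of emitting an argument that contains whitespace or quotes as unquoted hex, which goes beyond the quoted form shown in the question. The second and third sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Fixed prefix of the record as shown in the question: %AUDITD-4: type=EXECVE msg=audit(TS:SERIAL): argc=N ...
HEADER_RE = re.compile(
    r'^%AUDITD-4: type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'argc=(?P<argc>\d+)(?P<rest>.*)$'
)
# One argument field: either aN="value" (quoted, no escaping inside the quotes)
# or aN=HEX (auditd hex-encodes values containing whitespace or quotes, unquoted).
ARG_RE = re.compile(r'a(?P<n>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')

@dataclass
class ExecveRecord:
    timestamp: float
    serial: int
    argc: int
    args: list

def parse_execve(line: str) -> ExecveRecord:
    m = HEADER_RE.match(line.strip())
    if not m or m.group("type") != "EXECVE":
        raise ValueError("not an %AUDITD-4 EXECVE record")
    argc = int(m.group("argc"))
    found = {}
    for a in ARG_RE.finditer(m.group("rest")):
        if a.group("quoted") is not None:
            found[int(a.group("n"))] = a.group("quoted")
        else:
            found[int(a.group("n"))] = bytes.fromhex(a.group("hex")).decode("utf-8", "replace")
    # argc is authoritative: every index 0..argc-1 must be present, in order.
    missing = [i for i in range(argc) if i not in found]
    if missing:
        raise ValueError(f"argc={argc} but a{missing[0]} is absent from the record")
    return ExecveRecord(float(m.group("ts")), int(m.group("serial")), argc,
                        [found[i] for i in range(argc)])

def command_line(rec: ExecveRecord) -> str:
    # Rejoin argv for display or for matching in detection rules.
    return " ".join(rec.args)

SAMPLE_LINES = [
    # From the question
    '%AUDITD-4: type=EXECVE msg=audit(1499333941.360:486455): argc=3 a0="ls" a1="-lhatr" a2="/var/netwitness/concentrator/index"',
    # Constructed: a1 carries a space, so auditd hex-encodes it ("my file")
    '%AUDITD-4: type=EXECVE msg=audit(1499334000.000:486460): argc=2 a0="cat" a1=6D792066696C65',
    # Constructed: argc claims 3 arguments but only two are present
    '%AUDITD-4: type=EXECVE msg=audit(1499334001.000:486461): argc=3 a0="rm" a1="-rf"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        try:
            print(command_line(parse_execve(line)))
        except ValueError as e:
            print("rejected:", e)
```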