
ESM CEF Syslog Template for report/dashlet creation

Question asked by Marinos Roussos on Feb 16, 2018
Latest reply on Feb 19, 2018 by Marinos Roussos

I am trying to use what used to be “ESM CEF Syslog Template” for Syslog notifications in admin->event sources-> monitoring policies.


Ultimately, I would like to create reports from the META values from that Syslog notification like it was possible previously. RSA haven’t provided a proper method of having event source notifications in a dashlet so I am trying to improvise to see what I can put on a dashlet.


This template is not there anymore and used to generate rsa_security_analytics_event_source_monitoring device.type.


The current “ESM Default Syslog Template” also generates that device.type but the syslog payload is not parsed, therefore useless.



I tried using the legacy CEF Syslog template that was ported from 10.4 and am getting these errors:


CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}|rt=${time?datetime} id=${id} source=${eventSourceId}


2018-02-16 14:49:29,556 [scheduler_Worker-1] ERROR freemarker.runtime - Template processing error: "Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd."

Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd.
The problematic instruction:
==> ${statement} [on line 1, column 39 in 5a86bce2f280b718fc2132dd]

Java backtrace for programmers:
freemarker.core.InvalidReferenceException: Expression statement is undefined on line 1, column 41 in 5a86bce2f280b718fc2132dd.
        at freemarker.core.TemplateObject.assertNonNull(
        at freemarker.core.Expression.getStringValue(
        at freemarker.core.Expression.getStringValue(
        at freemarker.core.DollarVariable.accept(
        at freemarker.core.Environment.visit(
        at freemarker.core.MixedContent.accept(
        at freemarker.core.Environment.visit(
        at freemarker.core.Environment.process(
        at freemarker.template.Template.process(
        at com.rsa.netwitness.carlos.notification.Notification.resolve(
        at com.rsa.netwitness.carlos.notification.NotificationEngine.resolve(
        at com.rsa.netwitness.carlos.notification.NotificationEngine.dispatch(
        at com.rsa.smc.esm.core.alert.notification.NotificationService.dispatch(
        at com.rsa.smc.esm.core.alert.notification.NotificationService.dispatchAlarm(
        at com.rsa.smc.esm.core.alert.notification.NotificationService.processNotifications(

        at org.quartz.simpl.SimpleThreadPool$


I then tried to use some of the variables from the 10.5 Default Audit CEF templates and got a similar error as before:


CEF:0|${deviceVendor}|${deviceProduct}|${deviceVersion}|${category}|${operation}|${severity}|rt=${timestamp} src=${sourceAddress} spt=${sourcePort} suser=${identity} sourceServiceName=${deviceService} deviceExternalId=${deviceExternalId} deviceProcessName=${deviceProcessName} outcome=${outcome} msg=${text}


This worked perfectly before; I don’t know what RSA have done in the meantime. All the variables were previously defined and worked OOTB, so I assumed that I wouldn’t have to start hacking XMLs and breaking parsers to make this work.


Attached, you can see a screenshot and a sample report of how it used to work in the past.
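The failure in the post is FreeMarker's standard behaviour: a `${var}` reference whose key is absent from the notification's data model throws `InvalidReferenceException` and the whole syslog line is dropped, so the collector never sees the event. The example below is an added illustration, not RSA/NetWitness code: it renders the legacy template from the post against a constructed model that lacks `statement`, reproduces the exception, and then renders the same CEF layout written with FreeMarker's default-value operator (`expr!"default"`), which emits a placeholder in the missing slot instead of aborting. The model keys, the `-` placeholder and the class/template names are assumptions; which keys the current ESM monitoring notification actually exposes is exactly the open question.

```java
import freemarker.core.InvalidReferenceException;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not RSA/NetWitness code). Reproduces the
 * "Expression statement is undefined" failure and shows the same CEF
 * template made tolerant of a missing variable. The data-model keys are
 * an ASSUMPTION; the real ESM notification model may differ.
 */
public class CefTemplateDemo {

    // The legacy 10.4 template as quoted in the post: every ${...} is a hard reference.
    static final String STRICT_TEMPLATE =
        "CEF:0|RSA|Security Analytics ESA|10.4|${statement}|${moduleName}|${severity}"
      + "|rt=${time?datetime} id=${id} source=${eventSourceId}";

    // Same layout using FreeMarker's default-value operator (expr!"default").
    // A missing key renders as "-" and the rest of the line is still produced,
    // so the syslog event still reaches the collector; the "-" then shows up
    // in the parsed meta and can be alerted on as a template/model mismatch.
    static final String LENIENT_TEMPLATE =
        "CEF:0|RSA|Security Analytics ESA|10.4|${statement!\"-\"}|${moduleName!\"-\"}|${severity!\"-\"}"
      + "|rt=${(time?datetime)!\"-\"} id=${id!\"-\"} source=${eventSourceId!\"-\"}";

    // Renders one template string against a data model and returns the CEF line.
    static String render(String templateText, Map<String, Object> model)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        cfg.setDateTimeFormat("yyyy-MM-dd HH:mm:ss");   // deterministic rt= value
        Template template = new Template("cef-notification", new StringReader(templateText), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        // Constructed model that deliberately lacks "statement", mirroring the post.
        Map<String, Object> model = new HashMap<>();
        model.put("moduleName", "EventSourceMonitoring");
        model.put("severity", 5);
        model.put("time", new Date());
        model.put("id", "example-notification-id");      // constructed placeholder
        model.put("eventSourceId", "log-decoder-01");    // constructed placeholder

        try {
            System.out.println(render(STRICT_TEMPLATE, model));
        } catch (InvalidReferenceException e) {
            // Same exception class as in the posted backtrace: rendering aborts
            // and no syslog line is emitted for this notification at all.
            System.out.println("strict template failed: " + e.getMessage());
        }

        // The lenient template renders with "-" in the missing slot, e.g.
        // CEF:0|RSA|Security Analytics ESA|10.4|-|EventSourceMonitoring|5|rt=... id=... source=log-decoder-01
        System.out.println(render(LENIENT_TEMPLATE, model));
    }
}
```

Compile and run with the FreeMarker jar on the classpath. The parenthesised form `${(time?datetime)!"-"}` is needed for the timestamp because the default operator must cover the whole `time?datetime` expression, not just the `?datetime` built-in. Whether the ESM notification engine honours the default operator in its stored templates is not stated on the page and should be confirmed in a test policy before relying on it; the value of the exercise is that a missing key becomes a visible, parseable placeholder rather than a silently dropped notification.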