
ESM Syslog Template & Parsing

Question asked by Shishir Kumar on Dec 13, 2019
Latest reply on Jan 7, 2020 by Shishir Kumar

Hi All,


We have recently moved to v11.3.1.1 on Netwitness and I am trying to use the default Event Source monitoring to send syslog to one of our decoders when a device is inactive for a certain period of time. The default syslog template that is included for v11.3 is as below:


<@compress single_line=true>CEF:0|RSA|NetWitness Platform Event Source Monitoring|${version}|
<#if highAlarmsCount > 0> HighThresholdAlert|ThresholdExceeded|1|cat=${group}|Devices|
<#list 0..highAlarmEventSources?size - 1 as es> <#assign highAlarms = highAlarmEventSources[es]?split("^")>src=${highAlarms[0]}
<#if highAlarms?size > 1><#list 1..highAlarms?size - 1 as i> cs${i}=${highAlarms[i]}</#list></#if>|
</#list></#if> <#if lowAlarmsCount > 0>LowThresholdAlert|ThresholdViolated|1|cat=${group}|Devices|
<#list 0..lowAlarmEventSources?size - 1 as es> <#assign lowAlarms = lowAlarmEventSources[es]?split("^")>src=${lowAlarms[0]}
<#if lowAlarms?size > 1><#list 1..lowAlarms?size - 1 as i> cs${i}=${lowAlarms[i]}</#list></#if>|
<#-- closing tags for the low-threshold list, its <#if>, and the @compress directive; restored by symmetry with the high-threshold branch above, as they were cut off in the posted copy -->
</#list></#if></@compress>


This syslog does not parse with the latest CEF parser. It is very disheartening to see Netwitness not able to parse its own syslog from the default template. Is there a particular parser already available for this?


I would also like to know if there is information on other keys that could be included in this template to include more information.


Thanks in advance for the help.
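As an added illustration (not part of the original post, and not RSA's parser), the following Python applies the public CEF header and extension rules to a sample line rendered by hand from the template above. The sample line, the group name "DMZ", the device addresses and the ${version} value 11.3.1.1 are constructed assumptions, not captured NetWitness output. Run against it, a spec-following parser surfaces three things that follow directly from the template text: the signature-ID field inherits the leading space before HighThresholdAlert, the literal |Devices| segment and the trailing | after each device land inside extension values, and when both alarm branches fire the low-threshold record is appended with no CEF header of its own, so its src= and cs1= keys collide with the first record's. A per-device rendering that keeps the seven header fields clean and the extension free of pipes is shown alongside for comparison.

```python
import re

# Standard CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_NAMES = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity"]

# Constructed sample: the posted template applied by hand to a group "DMZ" with
# one device over the high threshold (10.0.0.5 / fw-01) and one under the low
# threshold (10.0.0.6 / sw-02). ${version} is assumed to be 11.3.1.1.
# @compress single_line=true collapses each newline in the template to one space.
TEMPLATE_OUTPUT = (
    "CEF:0|RSA|NetWitness Platform Event Source Monitoring|11.3.1.1| "
    "HighThresholdAlert|ThresholdExceeded|1|cat=DMZ|Devices| src=10.0.0.5 cs1=fw-01| "
    "LowThresholdAlert|ThresholdViolated|1|cat=DMZ|Devices| src=10.0.0.6 cs1=sw-02|"
)

# Constructed counterpart: the same data as one spec-conformant record per device.
CONFORMANT = [
    "CEF:0|RSA|NetWitness Platform Event Source Monitoring|11.3.1.1|"
    "HighThresholdAlert|ThresholdExceeded|1|cat=DMZ src=10.0.0.5 cs1=fw-01",
    "CEF:0|RSA|NetWitness Platform Event Source Monitoring|11.3.1.1|"
    "LowThresholdAlert|ThresholdViolated|1|cat=DMZ src=10.0.0.6 cs1=sw-02",
]


def split_header(msg):
    """Split off the 7 CEF header fields, honouring the \\| and \\\\ escapes the
    spec requires inside header values. Returns (fields, extension_string)."""
    if not msg.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, cur, i = [], [], 4          # skip the 'CEF:' prefix
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            cur.append(msg[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, msg[i:]


# An extension key is a word immediately followed by '=' at the start or after whitespace.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def parse_extension(ext):
    """Extension is 'key=value' pairs separated by spaces; a value runs up to the
    next ' key=' token. Pairs are returned as a list so duplicate keys stay visible.
    (The \\= escape inside values is not handled here.)"""
    matches = list(KEY_RE.finditer(ext))
    pairs = []
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        pairs.append((m.group(1), ext[m.end():end].strip()))
    return pairs


def parse(msg):
    """Parse one CEF line into a dict of header fields plus an 'extension' dict
    (last value wins on duplicate keys, as most key/value consumers behave)."""
    fields, ext = split_header(msg)
    rec = dict(zip(HEADER_NAMES, fields))
    rec["extension"] = dict(parse_extension(ext))
    return rec


def lint(msg):
    """Return the reasons a strict CEF consumer would reject or misread msg."""
    problems = []
    fields, ext = split_header(msg)
    for name, value in zip(HEADER_NAMES, fields):
        if value != value.strip():
            problems.append(f"header field {name!r} has surrounding whitespace: {value!r}")
    seen = set()
    for key, value in parse_extension(ext):
        if "|" in value:
            problems.append(f"extension {key}= value contains a literal pipe: {value!r}")
        if key in seen:
            problems.append(f"extension key {key}= appears more than once")
        seen.add(key)
    return problems


if __name__ == "__main__":
    for p in lint(TEMPLATE_OUTPUT):
        print("template output:", p)
    for m in CONFORMANT:
        print("conformant:", lint(m) or "no problems", parse(m)["extension"])
```

The lint findings map back to the template one for one: the space before `HighThresholdAlert` on the second template line becomes part of the signature ID, `cat=${group}|Devices|` puts pipes into the `cat` value, the `|` emitted after each device's `cs` fields ends up inside the last `cs` value, and because the low-threshold branch starts with plain text rather than a new `CEF:0|...` header, everything after the first record is just more extension text to a parser.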