
ESM Syslog Template & Parsing

Question asked by Shishir Kumar on Dec 13, 2019
Latest reply on Jan 7, 2020 by Shishir Kumar

Hi All,


We have recently moved to v11.3.1.1 on Netwitness and I am trying to use the default Event Source monitoring to send syslog to one of our decoders when a device is inactive for a certain period of time. The default syslog template that is included for v11.3 is as below:


<@compress single_line=true>CEF:0|RSA|NetWitness Platform Event Source Monitoring|${version}|
<#if highAlarmsCount &gt; 0> HighThresholdAlert|ThresholdExceeded|1|cat=${group}|Devices|
<#list 0..highAlarmEventSources?size - 1 as es> <#assign highAlarms = highAlarmEventSources[es]?split("^")>src=${highAlarms[0]}
<#if highAlarms?size &gt; 1><#list 1..highAlarms?size - 1 as i> cs${i}=${highAlarms[i]}</#list></#if>|
</#list></#if> <#if lowAlarmsCount &gt; 0>LowThresholdAlert|ThresholdViolated|1|cat=${group}|Devices|
<#list 0..lowAlarmEventSources?size - 1 as es> <#assign lowAlarms = lowAlarmEventSources[es]?split("^")>src=${lowAlarms[0]}
<#if lowAlarms?size &gt; 1><#list 1..lowAlarms?size - 1 as i> cs${i}=${lowAlarms[i]}</#list></#if>|
</#list></#if></@compress>


This syslog does not parse with the latest CEF parser. It is very disheartening to see Netwitness not able to parse its own Syslog from the default template. Is there a particular parser already available for this?


I would also like to know if there is information on other keys that could be included in this template to have more information.


Thanks in advance for the help.
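To see why a CEF parser struggles with the template above, the following added example (not code from RSA or from the original post) feeds a constructed sample of the template's output through a parser that follows the CEF grammar (seven pipe-separated header fields, then a space-separated key=value extension). The extension the template emits contains bare pipes and a `Devices` token, so the first `src` ends up inside the `cat` value and repeated `src`/`cs1` keys overwrite each other; the `conformant_events` helper shows the same data as one CEF record per device, which is an illustration of the grammar, not a vendor-supplied template. Host names, group name and version in the sample are constructed.

```python
import re

# Constructed sample of what the posted FreeMarker template emits for one
# group with two inactive event sources (whitespace from <@compress> is
# approximated; the pipes after "cat=" and "Devices" come from the template).
SAMPLE = ("CEF:0|RSA|NetWitness Platform Event Source Monitoring|11.3.1.1| "
          "HighThresholdAlert|ThresholdExceeded|1|cat=Firewalls|Devices|"
          "src=10.1.2.3 cs1=FW-EDGE-01| src=10.1.2.4 cs1=FW-EDGE-02| ")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# CEF extension grammar: key=value pairs separated by whitespace; a value runs
# until the next " key=" token, so a pipe inside a value is just data.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.DOTALL)


def parse_cef(line):
    """Split on unescaped pipes into the 7 CEF header fields plus the extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(HEADER_FIELDS, [parts[0][4:]] + [p.strip() for p in parts[1:7]]))
    ext = {k: v for k, v in KV_RE.findall(parts[7])}  # a repeated key overwrites the earlier one
    return header, ext


def cef_escape(value, header=False):
    """Escape per the CEF spec: backslash and '|' in header fields, backslash and '=' in extensions."""
    value = str(value).replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=").replace("\n", "\\n")


def conformant_events(group, devices, version="11.3.1.1"):
    """Illustrative alternative (not an RSA template): one CEF record per device,
    with an extension made only of key=value pairs, so src and cs1 never collide."""
    prefix = "|".join(cef_escape(f, header=True) for f in (
        "RSA", "NetWitness Platform Event Source Monitoring", version,
        "HighThresholdAlert", "ThresholdExceeded", "1"))
    return [f"CEF:0|{prefix}|cat={cef_escape(group)} src={cef_escape(host)} "
            f"cs1={cef_escape(name)} cs1Label=eventSourceName"
            for host, name in devices]


if __name__ == "__main__":
    header, ext = parse_cef(SAMPLE)
    print(header["signature_id"], ext)  # the first device's src is buried inside cat
    for rec in conformant_events("Firewalls", [("10.1.2.3", "FW-EDGE-01"), ("10.1.2.4", "FW-EDGE-02")]):
        print(parse_cef(rec)[1])
```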
