Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Create a New Log Parser

 

Use the New Log Parser page to create your own log parser by using sample logs. You can build your own parser by mapping fields in your sample logs to Security Director Insights event fields, indicating which types of events will generate an incident.

To create a new log parser:

  1. Select Configure > Insights > Log Parsers.

    The Log Parsers page appears.

  2. Select the plus icon (+).

    The New Log Parser page appears.

  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click Finish, and you are presented with the results of your flexible log parser as they are applied to the sample logs provided.

    Review the results carefully to determine whether your mapping, filtering, and assignment conditions are as expected.

Table 1: Add New Log Parser

Setting

Guideline

Create/Edit Parser

Name

Enter a unique and descriptive name for the log parser.

Description

Enter a description for the log parser.

Parse Log File

Raw Log

Upload the raw log file by browsing to it, or paste the log data in a separate field provided below the Browse button.

Ensure the log file contains an RFC-compliant syslog header.

Log File Format

Specify the format of the sample log file. The available options are:

  • XML

  • JSON

  • CSV

  • Others

CSV Headers

(if the log file format is CSV)

If your log file is in CSV format, you may provide a comma-delimited list of field names in this field. If the CSV headers are not provided, the fields will be named as csvN, where N is the field position.

Grok Pattern

(if the log file format is others)

If you select the Others option for the log file format, you must supply a grok pattern for the log file. A grok pattern may consist of one or more lines. The grok pattern line beginning with LOGPATTERN is the pattern that will be applied to the logs. A grok pattern must include a pattern named LOGPATTERN, otherwise the parser will not have any pattern to use.

Field Mapping

Mapped Fields and Unmapped Fields

In the Unmapped Field section, select a field in the Parsed Fields column and then select a value in the Insights Fields column to map. After selecting both the fields, click Map. The mapped fields now appear in the Mapped Fields section, which lists all fields that have been mapped to each other.

You can perform the following actions from the Field Mapping page:

  • Click a circular arrow icon in the Mapped Fields section to undo a mapping.

  • Click the filter icon in the Unmapped Fields section to enter text for searching.

  • In the Unmapped Fields section, you can select multiple fields from the Parsed Fields column and map them to one field from the Insights Fields column. When you do this, a sort icon appears in the Mapped Fields section. Use the Sort capability to select the order in which multiple fields are applied based on whether those fields contain a valid value or not. Higher in the order takes priority.

  • Select the Counter check box to count the number of times a field appears.

Note: Fields marked with * are mandatory.

Date Format

Field Mapping: Format Date and Time

This is an optional configuration. You can leave this field blank, if your log file is using a standard time as dictated by RFC 3164 or RFC 5424. Those headers are automatically parsed. If the timestamp cannot be parsed, use the Ruby strftime to provide a format string so that Security Director Insights can interpret the date and time in your log file as the event start time.

For more information about the Ruby strftime format, see https://ruby-doc.org/core-2.3.0/Time.html#method-i-strftime.

Log Filtering

Log Filtering

You can create filters to notify Security Director Insights about malicious and unmalicious events as you decide what logs are to be kept and which ones can be ignored. Log filtering removes logs that are “noisy” and not of particular interest and retains logs that are related to malicious events.

With these filters, you can select exact match or contains filter for the string you enter.

Click Add and configure filtering conditions as follows:

  • Select a log file field from the list.

  • Select a suitable filter condition from the list such as Matches, Contains, Does not Contain, and so on. If you select Matches, your provided string must match the selected field exactly. If you select Contains, your provided string must appear as a substring within the selected field.

  • In the edit field, enter a string to filter log files, and then click Add.

Click OK and your condition is added to the filter. You can add multiple filters. An “or” condition is applied to the list of filters; therefore, the order of filters is not relevant.

Note: Select the check box for a filter and click Delete to remove that filter.

Conditions Assignment

Assign Conditions

You can assign different conditions to an event, based on the filtering parameters you configure.

  • Event Severity—Assign conditions to define the severity of an event.

    Click Add and set conditions as follows:

    • Select a severity level. The options are Benign, Low, Medium, High, and Critical.

    • Select a field from the list to set the severity level for that field.

    • Select a condition. For example, If you select Matches, your string must match the selected field exactly. If you select Contains, your string must appear as a substring within the selected field.

    • In the edit field, enter a string to filter log files and click Add.

  • Progression—Assign conditions to define the progression of an event.

    Click Add and set conditions as follows:

    • Select a progression level. The options are Phishing, Exploit, Download, Infection, and Execution.

    • Select a field from the list to set the progression level for that field.

    • Select a condition. For example, If you select Matches, your string must match the selected field exactly. If you select Contains, your string must appear as a substring within the selected field.

    • In the edit field, enter a string to filter log files and click Add.

  • Blocked—Assign conditions to define the event is blocked or not.

    Click Add and set conditions as follows:

    • Select a blocked level. The options are True and False.

    • Select a field from the list to set the block level for that field.

    • Select a condition. For example, If you select Matches, your string must match the selected field exactly. If you select Contains, your string must appear as a substring within the selected field.

    • In the edit field, enter a string to filter log files and click Add.