SUMO is not able to parse Syslog and Syslog CEF format data

Comments

5 comments

  • Mohit Mehta

    Hey Mohan,

    Can you please provide the example logs and the data which you are trying to parse? Are you using Parse anchor or Parse regex?

    Please, also provide the query which you are using.

    Thanks,

    Mohit

  • Mohan Akurathi

    Hi Mohit,

    No, I am not using any parser in between. Logs are being sent from Symantec ICDX to SUMO in syslog format.

    I was hoping SUMO will understand the syslog format and parse fields accordingly. But it is not. It is json format wrapped in syslog.

    Below is the format I am seeing in Sumo.

    <14>1 2020-07-01T19:01:49.170Z xxxxxx.x.xxxx.com icdx - 8040 [origin ip="" software="Symantec Integrated Cyber Defense Manager" swVersion="14.3.589.0000"] {"customer_uid":"xxxx-xxx","timezone":300,"user_name":"xxxx","type":"NETWORK_DETECTION","device_domain":"x.xxxx.com","product_ver":"14.3.589.0000","device_name":"xxxxxx","collector_device_ip":"xx.xx.xx.xx","category_id":1,"connection":{"src_ip":"","src_port":0,"src_service":"","direction_id":2,"ether_type":2048,"dst_port":0,"protocol_id":1,"src_name":"xxxxx","dst_ip":"xx.xx.xx.xx"},"device_end_time":xx,"id":1,"product_uid":"","device_time":,"policy":{"uid":"","rule_name":"","name":" ","state_ids":[4],"rule_uid":"xxxxx","version":"25"},"device_networks":[{"mac":""}, {"mac":""}, {"mac":""}, {"mac":""}, {"mac":""}],"feature_name":"FIREWALL","device_os_name":"Windows 10 Enterprise Edition","type_id":8040,"device_group":" ","count":1,"end_time":"2020-07-01T18:58:27.700Z","device_location":{"on_premises":false,"desc":"Default"},"logging_device_post_time":"2020-07-01T19:00:43.684Z","message":"ICMP [type=3, code=3]","version":"1.0","product_name":"Symantec Integrated Cyber Defense Manager","log_time":1593630074686,"actor":{"file":{"path":"","folder":"","name":""}},"device_ip":"","device_uid":"xxx","event_id":8040001,"collector_name":"API","severity_id":1,"time":1593629907700}

  • Mohit Mehta

    It looks like the starting of the messages:

    <14>1 2020-07-01T19:01:49.170Z xxxxxx.x.xxxx.com icdx - 8040 [origin ip="" software="Symantec Integrated Cyber Defense Manager" swVersion="14.3.589.0000"] 

    which is not parsing the JSON correctly. Looks like your JSON is starting from {"customer_uid":"xxxx-

    In that case, you need to parse the JSON section using the Parse regex.

    https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/02-Parse-Variable-Patterns-Using-Regex

  • Graham Watts

    The challenge here is that the json is wrapped in plain text due to syslog forwarding. We need to extract the json portion and then Sumo will print out the JSON for you in an easy to read and parse format. An example to parse out the JSON portion would be:

        _sourceCategory=<my_category>
        | parse regex ".*(?<json_object>\{\"customer_uid\".*)"

    Then you can use parse json on the 'json_object' field like this:

        _sourceCategory=<my_category>
        | parse regex ".*(?<json_object>\{\"customer_uid\".*)"
        | json field=json_object "customer_uid"

    Or

        _sourceCategory=<my_category>
        | parse regex ".*(?<json_object>\{\"customer_uid\".*)"
        | json auto field=json_object

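The same extraction done outside Sumo, as an added example that is not part of the thread: it splits the RFC 5424 header shown above from the free-form MSG, then decodes the first complete JSON object in MSG. Unlike the regex in the answer, it does not anchor on "customer_uid", so it still works if the vendor changes key order; the sample line and its hostname are constructed, and the JSON body is shortened with valid placeholder values so it parses.

```python
import json
import re

# Constructed sample in the RFC 5424 framing seen in the thread; the JSON
# body is shortened and redacted with valid placeholder values.
SAMPLE_LINE = (
    '<14>1 2020-07-01T19:01:49.170Z host.example.com icdx - 8040 '
    '[origin ip="" software="Symantec Integrated Cyber Defense Manager" '
    'swVersion="14.3.589.0000"] '
    '{"customer_uid":"xxxx-xxx","type":"NETWORK_DETECTION",'
    '"connection":{"src_ip":"","dst_ip":"10.0.0.1","protocol_id":1},'
    '"feature_name":"FIREWALL","message":"ICMP [type=3, code=3]","severity_id":1}'
)

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID,
# then STRUCTURED-DATA ("-" or one or more [sd-element]) and the free-form MSG.
# Simplified: it does not handle an escaped "\]" inside an SD param value.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$',
    re.DOTALL,
)

def split_syslog(line):
    """Return the header fields as a dict; PRI is split into facility/severity."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields

def extract_json(msg):
    """Decode the first complete JSON object found in MSG, ignoring any
    prefix or trailing text a forwarder may have added."""
    start = msg.find("{")
    if start < 0:
        raise ValueError("no JSON object in MSG")
    obj, _ = json.JSONDecoder().raw_decode(msg[start:])
    return obj

def parse_icdx(line):
    """Split one forwarded ICDX line into (syslog header, event dict)."""
    header = split_syslog(line)
    event = extract_json(header.pop("msg"))
    return header, event

if __name__ == "__main__":
    hdr, ev = parse_icdx(SAMPLE_LINE)
    print(hdr["app"], hdr["severity"], ev["type"], ev["connection"]["dst_ip"])
```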
  • Mohan Akurathi

    Mohit - Thanks for the details.

    @Graham Watts: I appreciate your help. I used your input to parse fields properly in JSON format without any issues.

    Thank you very much.
