Parsing rules
Parsing rules process the messages arriving at Logmanager. Every message must pass through a parsing rule. A parsing rule can extend the message with new attributes derived from the processed message. Logmanager includes a set of internal parsing rules that can be used to process messages. It is also possible to create your own rules with arbitrary logic, including the processing of regular expressions.
A basic parsing rule is, for example, the conversion of a message in JSON format. The input data are decoded into individual variables holding the values and are then saved to the system.
Parsing rules are created in the visual editor Events processing in blockly.
The table shows basic information about the rules: Name (name of the parsing rule), Description (description of the parsing rule), Tags (more information in the chapter Tags) and Built in (whether the rule is integrated in the system).
Filter fields are located above the table. Data may be filtered by any single column. If filters are used above more than one column, they are combined with AND.
To add a new parsing rule, click on the green plus icon in the upper right corner of the main table.
Enter the following data into the prepared form:
- Name: name of the parsing rule,
- Description: description of the parsing rule,
- Blocks: the rules themselves, built in the visual editor Events processing in blockly.
The parsing rule is added by clicking the Create button; clicking the Cancel button discards the completed form and returns to the main table.
Editing of a parsing rule is started by clicking on the blue pencil icon shown by every row. Integrated parsing rules with the description “hardcoded parser” cannot be edited or deleted.
A form identical to the one for adding a new parsing rule is shown.
The change to the parsing rule is saved by clicking the Save button; clicking the Cancel button discards the completed form and returns to the main table.
A parsing rule is deleted by clicking on the red cross icon shown by every row.
After clicking the cross, a new dialog window Delete a parsing rule opens and shows the name of the parsing rule to be deleted so that it can be checked. To continue and delete the parsing rule, click the Yes button; to cancel, click the No button.
For a better idea of how to create parsing rules, we have prepared a few working examples of parsing rules for you:
- Amavis
- Apache web server
- Dell PowerConnect
- FortiMail
- FreeRADIUS
- Check Point Firewall
- Microsoft IIS
- Nginx
- Shorewall
- Sophos
- SpamAssassin
- SQL
If you find that a device is not showing its data correctly in the Logmanager system, you will need to create a parser that processes the data from the device, splits it into variables, normalizes the values and adds optional information. You can create this parser yourself with the help of the documentation: Parsing rules.
If your device can log in JSON, CEF, LEEF or similar formats, the data is already structured and it is only necessary to set a classificator to a suitable parser.
Information can be found here:
- example of JSON format parser: Decode JSON
- example of CEF format parser: Decode CEF
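The steps described above (decode a structured message, or split an unstructured one with a regular expression, then normalize values and add optional attributes while keeping the raw field) as an added, stand-alone Python illustration; it is not Logmanager's own code or a blockly rule, and the two sample messages and the Apache Common Log Format regular expression are constructed for this example:

```python
import json
import re

# Constructed sample messages: one JSON event and one Apache access-log line.
SAMPLE_JSON = '{"user": "alice", "action": "login", "success": "true", "src_ip": "10.0.0.5"}'
SAMPLE_APACHE = '10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'

# Regular-expression rule for the Apache Common Log Format; named groups become attributes.
APACHE_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def decode_json(raw):
    """Decode-JSON rule: every top-level key of a JSON object becomes an attribute."""
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def normalize(attrs):
    """Normalization step: turn numeric and boolean strings into typed values."""
    out = {}
    for key, value in attrs.items():
        if isinstance(value, str) and value.isdigit():
            out[key] = int(value)
        elif isinstance(value, str) and value.lower() in ("true", "false"):
            out[key] = value.lower() == "true"
        else:
            out[key] = value
    return out


def parse_message(raw):
    """Apply the rules in order; unknown messages pass through with only the raw field."""
    attrs = decode_json(raw)
    if attrs is not None:
        attrs["parser"] = "json"
    else:
        match = APACHE_RE.match(raw)
        if match is None:
            return {"raw": raw, "parser": "unparsed"}
        attrs = match.groupdict()
        attrs["parser"] = "apache"
    event = normalize(attrs)
    if isinstance(event.get("status"), int):          # optional enrichment
        event["status_class"] = f"{event['status'] // 100}xx"
    event["raw"] = raw                                 # raw field is always kept
    return event
```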
Another option is to contact a partner or the manufacturer of the Logmanager system to add support for the device. If it is a specific application, your Logmanager partner or the manufacturer will give you an offer for the creation of a specific parser. Contacts can be found here: https://www.logmanager.cz/en/#contacts
Information needed to create a parser:
- Information about the device or software, its manufacturer and the specific version must be available.
- A description of how to set up the specific device or software to send audit logs to the Logmanager server.
- A reference to the device or software documentation (documentation describing auditing, with examples of possible log messages).
- An export of audit logs from the Logmanager server (export only the raw field).