Parsing rules
Parsing rules solve work with messages, which are coming to the Logmanager. Every message must go thru a parsing rule. Parsing rule can extend the message for a new attributes created based on the processed message. Logmanager includes a set of internal parsing rules, which can be used to process messages. It is also possible to create your own rules with arbitrary rules including processing of regular expressions.
Base parsing rule is, for example, conversion of a message in JSON format. Input data is decoded to individual variables containing data and then is saved to the system.
Example of parsing rule
Parsing rules are created with Events processing in blockly.
Table shows basic information about rules: Name (name of the parsing rule), Description (description of the parsing rule), Tags (more info in the chapter Tags) and Built in (whether the rule is integrated in the system).
Filter fields are above the table. Data may be filtered by any single column. In case of using filters above more columns, the AND term is applied.
Parsing rules
If you need to add a new parsing rule, click the green plus icon in the main table in the upper right corner.
Adding a parsing rule
Enter following data into the prepared form:
- Name of the parsing rule,
- Description of the parsing rule,
- Blocks - rules in the visual editor Events processing in blockly.
Editing the classification can be started by clicking the blue pencil icon, which is shown by every row. Integrated parsing rules with description “hardcoded parser” cannot be edited nor deleted.
Editing a parsing rule
Form identical to the form for adding of a new classification is now shown.
The deletion of a parsing rule is done by clicking the red cross icon, which is shown by every row.
Deleting a parsing rule
For a better idea of how to create parsing rules, we have prepared a few functional examples of parsing rules for you:
- Amavis
- Apache web server
- Dell PowerConnect
- FortiMail
- FreeRADIUS
- Check Point Firewall
- Microsoft IIS
- Nginx
- Shorewall
- Sophos
- Spamassasin
- SQL
If you find out that you have a device which is not showing data in the Logmanager system correctly, you will need to create a parser which will process the data from the device, divide it to variables, proceed with normalization of values and add optional information. You can create this parser yourself with help of the Parsing rules documentation.
If your device has an option for logging in JSON, CEF, LEEF etc. formats, data is already structured and it only need to set a classificator to a suitable parser.
Information can be found here:
- example of JSON format parser: Decode JSON
- example of CEF format parser: Decode CEF
Another possibility is to contact your partner or a manufacturer of the Logmanager system to add support for this device. If it is a specific application, your Logmanager partner or manufacturer will give you an offer for specific parser creation. Contacts can be found here: https://logmanager.com/partners/
Information needed to create a parser:
- Information about the device, software or manufacturer and specific version has to be available.
- A description of how to set up specific devices or software to send audit logs to the Logmanager server.
- Reference to the device or software documentation (documentation with description of auditing and examples of possible log messages).
- Export audit logs from the Logmanager server (export only raw field).