SIEM & UEBA


Problem Using Mcafee Parser XML

  • 1.  Problem Using Mcafee Parser XML

    Posted 29 days ago
    Greetings, community.

    Someone had an error modifying the McafeeXMLParser parser.

    I have been doing several tests but it always gives me the error of:

    Error on line 20 at column 35: Opening and ending tag mismatch: root line 0 and collectAndSetAttrByKeyValuePair.


    ######################
    <patternDefinitions>
    <pattern name="patXml"><![CDATA[<EE_Event>.*</EE_Event>|<UpdateEvent>.*</UpdateEvent>|<EPOevent>.*</EPOevent>]]></pattern>
    </patternDefinitions>
    <eventFormatRecognizer><![CDATA[\s<:gPatHostName>\s+EPOEvents - .+?<:patXml>]]></eventFormatRecognizer>
    <parsingInstructions>
    <collectFieldsByRegex src="$_rawmsg">
    <regex><![CDATA[<:gPatSyslogPRI>\d+\s+<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>\.\d+<_tz:gPatTimeZone>\s+(?:<reptDevIpAddr:gPatIpAddr>|<reptDevName:gPatHostName>)\s+EPOEvents\s+.*?\<MachineInfo\><_body:gPatMesgBody>\</MachineInfo\>]]></regex>
    </collectFieldsByRegex>
    <setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute>
    <setEventAttribute attr="eventType">McAfee-EPO-Generic</setEventAttribute>
    <collectAndSetAttrByKeyValuePair sep=" " src="$_body">
    <attrKeyMap attr="machineGUID" key="1"/>
    <attrKeyMap attr="version" key="2"/>
    <attrKeyMap attr="_id" key="3"/>
    <attrKeyMap attr="hostIpAddr" key="4"/>
    <attrKeyMap attr="hostName" key="5"/>
    <attrKeyMap attr="hostMACAddr" key="6"/>
    <attrKeyMap attr="osName" key="7"/>
    <attrKeyMap attr="user" key="8"/>
    </collectAndSetAttrByKeyValuePair>
    <when test="exist _id">
    <setEventAttribute attr="eventType">combineMsgId("McAfee-EPO-", $_id)</setEventAttribute>
    </when>
    </parsingInstructions>

    ######################

    As I observe, the error is located in the yellow strip. But I see that the variables are closed and opened correctly.

    Did someone go through the same thing?


  • 2.  RE: Problem Using Mcafee Parser XML

    Posted 23 days ago
    Carlos,

    The original parser has this line:

    <collectAndSetAttrByKeyValuePair sep=" src="$_body">

    Yours has:

    <collectAndSetAttrByKeyValuePair sep=" " src="$_body">


  • 3.  RE: Problem Using Mcafee Parser XML

    Posted 12 days ago
    Greetings,

    That's how it is. I measured it for testing.

    I have been testing the parser but with the default configuration it throws an error.

    Below I attach the default configuration:


    When reformatting the code, it throws the error indicated above.


  • 4.  RE: Problem Using Mcafee Parser XML

    Posted 12 days ago
    Carlos,

    I don't understand what you mean by "That's how it is. I measured it for testing."  The original parser and your parser are different on that line.  The original is sep=" and yours is sep=" ".  I suspect there is an issue with the interpretation of the new " you have added.  Can you post a sample of the log you are working with?  Also in the screenshot above, can you post it not showing the error box?  I'd like to see the color coding there to see if the line is formatted correctly.

    Thanks,

    Karn


  • 5.  RE: Problem Using Mcafee Parser XML

    Posted 12 days ago
    Carlos,

    I think I see what you mean. Try this:

    Clone the original.  Add the change so it reads:
    <collectAndSetAttrByKeyValuePair sep=" " src="$_body">
    Highlight all the text and perform a Ctrl-C to copy it.  Then hit "Clear XML". Ctrl-V paste the copied text back into the screen.  Hit Reformat.  Hit Validate. 

    I was able to get the cloned parser to Validate that way:
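    A stand-alone way to check both versions of that line before pasting them into the parser editor, as an added example that is not from this thread or from the product; the dummy root wrapper and the helper names are my own assumptions:

```python
import xml.etree.ElementTree as ET


def check_fragment(fragment: str):
    """Return (ok, message); ok is False when the fragment is not well-formed XML.

    Hypothetical helper: the fragment is wrapped in a dummy <root> because a
    parsingInstructions block on its own has no single document element.
    """
    try:
        ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        return False, str(exc)
    return True, ""


def key_value_separator(fragment: str):
    """Return the sep attribute of the first collectAndSetAttrByKeyValuePair, or None."""
    root = ET.fromstring("<root>" + fragment + "</root>")
    elem = root.find(".//collectAndSetAttrByKeyValuePair")
    return None if elem is None else elem.get("sep")


# Constructed fragment with the line exactly as quoted from the "original" parser in
# reply 2. The attribute value opens at the first quote and swallows ` src=`, so
# `$_body"` is left dangling and the text is not well-formed XML.
ORIGINAL_LINE = """<parsingInstructions>
<collectAndSetAttrByKeyValuePair sep=" src="$_body">
<attrKeyMap attr="machineGUID" key="1"/>
</collectAndSetAttrByKeyValuePair>
</parsingInstructions>"""

# The same fragment with the corrected line from reply 5: sep is a single space.
CORRECTED_LINE = ORIGINAL_LINE.replace('sep=" src="$_body"', 'sep=" " src="$_body"')


if __name__ == "__main__":
    for label, fragment in (("original", ORIGINAL_LINE), ("corrected", CORRECTED_LINE)):
        ok, message = check_fragment(fragment)
        print(f"{label}: {'well-formed' if ok else 'NOT well-formed: ' + message}")
    print("corrected sep attribute:", repr(key_value_separator(CORRECTED_LINE)))
```

    Running it on the full block from the first post (wrapped the same way) is a quick way to tell a real quoting problem apart from a stale editor state like the one cleared by the copy, Clear XML, paste sequence above.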
  • 6.  RE: Problem Using Mcafee Parser XML

    Posted 12 days ago
    Hello, excellent.

    Thank you very much, that is just the solution. It already allows me to validate and save.

    Problem solved.