Creating a Custom Parser

You should have:

  • examples of the logs that you want to parse.
  • created any new device/application types, event attribute types, or event types that you want to use in your XML specification.
  • already written the XML specification for your parser.
  • prepared a test event that you can use to validate the parser.

Parsers are applied in the order they are listed in ADMIN > Device Support > Parsers, so a parser higher in the list gets the first chance to match a log. Place your custom parser deliberately in relation to any other parsers that may be applied to your device logs. If you click Fix Order, the parsers are rearranged with system-defined parsers at the top of the list in their original order and user-defined parsers at the bottom. Be sure to click Apply so that the back-end module picks up the change in order.

Note: Custom parsers can be created only from the Super/Global account in Service Provider FortiSIEM deployments.

  1. Go to ADMIN > Device Support > Parsers.
  2. Select a parser that is above the location in the list where you want to add your parser, and click New.
  3. Enter a Name for the parser.
  4. Select a Device Type from the drop-down list to which the parser should apply.
    If the device type doesn't appear in the menu, you should create a new device type.
  5. Enter a Test containing an example of an event that you want to use to validate the parser.
  6. Enter the Parser XML.
  7. Click Validate.
    This will validate the XML.
  8. Click Test.
    This sends the test event through your parser to make sure it is parsed correctly, and also re-tests the parsers above and below yours in the list to make sure they still parse their own logs correctly. A parser placed too high in the list, or one whose pattern is too broad, can capture events that belong to a neighbouring parser.
  9. If the XML for your parser validates and the test event is parsed correctly, select Enable.
    If you need to continue working on your parser, you can Save it without selecting Enable.
  10. Add a Description of the Parser.
  11. Click Save.
  12. Click Apply so that the back-end module picks up your parser and begins applying it to device logs.
    Then confirm that live events are being parsed: generate some activity on the device that produces a log, run a query against the new device IP address, and check that the parsed attributes are populated as expected.

Cloning New Parsers

You can clone an existing parser and use it as the basis for a new one. Select the parser you want to clone, and then click Clone. Modify the parser as necessary, and then use the Up and Down buttons to place it in the list of parsers at the point at which it should be applied.