Help with LSX XML File - Fortiweb 400C UDSM

  • Question
  • Updated 2 years ago
  • Answered


I'm in the process of defining an LSX for a FortiWeb device, which is currently shown as unknown (UDSM) by QRadar.

Fortiweb 400C

Serial Number FV400C3M13000193

Firmware Version FortiWeb-400C 5.06,build0091,140212

Here is the XML file:


<?xml version="1.0" encoding="UTF-8"?>
<!--
Author:                 Acuntia COS <>
Device Type:            Fortiweb 400C (FortiNet)
Device Version:         5.06,build0091,140212
Protocol:               Syslog
-->
<device-extension xmlns="event_parsing/device_extension">
      <!-- Do not remove the "allEventNames" value -->
      <pattern id="allEventNames" xmlns=""><![CDATA[(.*)]]></pattern>
      <!-- Everything below this line can be modified -->
      <pattern id="EventName" xmlns=""><![CDATA[\smsg\=\s.*?\s]]></pattern>
      <pattern id="SourceIp" xmlns=""><![CDATA[\ssrc\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s]]></pattern>
      <pattern id="SourcePort" xmlns=""><![CDATA[\ssrc_port\=\d{1,5}\s]]></pattern>
      <pattern id="DestinationIp" xmlns=""><![CDATA[\sdst\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s]]></pattern>
      <pattern id="DestinationPort" xmlns=""><![CDATA[\sdst_port\=\d{1,5}\s]]></pattern>
      <pattern id="Protocol" case-insensitive="true" xmlns=""><![CDATA[\sproto\=(tcp|udp|icmp|gre)\s]]></pattern>
      <match-group order="1" description="Log Source Extension" xmlns="">
            <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1" enable-substitutions="false"/>
            <matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1" />
            <matcher field="SourcePort" order="1" pattern-id="SourcePort" capture-group="1" />
            <matcher field="DestinationIp" order="1" pattern-id="DestinationIp" capture-group="1" />
            <matcher field="DestinationPort" order="1" pattern-id="DestinationPort" capture-group="1" />
            <matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
            <event-match-multiple pattern-id="allEventNames" capture-group-index="1" device-event-category="unknown" send-identity="OverrideAndNeverSend" />
      </match-group>
</device-extension>




It does not work. What am I doing wrong?



cos

  • 212 Points, 100 badge

Posted 4 years ago
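An added example, not part of the original post and not QRadar's or Fortinet's own code: a Python check that runs the posted regexes, and a suggested corrected set, over a constructed FortiWeb-style key=value syslog line, mimicking what a QRadar matcher does (first match, value taken from capture group 1). It shows why capture-group="1" yields nothing for a pattern that has no parentheses (only the posted Protocol pattern has one), why an EventName pattern that expects whitespace after msg= never matches a quoted msg="..." value, and how to catch a missing closing tag by parsing the LSX as XML before uploading it. The sample line, the field values, the corrected regexes and the function names extract, lsx_pattern_elements, lsx_is_well_formed and build_lsx are assumptions made for this example, not a verified FortiWeb DSM.

```python
import re
import xml.etree.ElementTree as ET

# Constructed FortiWeb-style syslog line (key=value pairs); not a real capture.
SAMPLE = (
    'date=2014-02-12 time=10:15:01 device_id=FV400C0000000000 log_id=20000010 '
    'type=attack pri=alert proto=tcp service=http action=Alert '
    'src=192.0.2.10 src_port=51234 dst=198.51.100.5 dst_port=80 '
    'msg="Parameter(id) triggered signature ID 050000001 of Signatures policy"'
)

# Patterns exactly as posted in the question. Only Protocol has a parenthesised
# group, so a matcher asking for capture-group="1" gets nothing from the others.
POSTED = {
    "EventName":       r"\smsg\=\s.*?\s",
    "SourceIp":        r"\ssrc\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s",
    "SourcePort":      r"\ssrc_port\=\d{1,5}\s",
    "DestinationIp":   r"\sdst\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s",
    "DestinationPort": r"\sdst_port\=\d{1,5}\s",
    "Protocol":        r"\sproto\=(tcp|udp|icmp|gre)\s",
}

# Suggested corrections (an assumption, not a verified DSM): every value sits in a
# capture group, and EventName reads the quoted msg="..." value instead of
# expecting whitespace after the '='.
CORRECTED = {
    "EventName":       r'\smsg="([^"]*)"',
    "SourceIp":        r"\ssrc=(\d{1,3}(?:\.\d{1,3}){3})\s",
    "SourcePort":      r"\ssrc_port=(\d{1,5})\s",
    "DestinationIp":   r"\sdst=(\d{1,3}(?:\.\d{1,3}){3})\s",
    "DestinationPort": r"\sdst_port=(\d{1,5})\s",
    "Protocol":        r"\sproto=(tcp|udp|icmp|gre)\s",
}


def extract(patterns, line, capture_group=1):
    """Mimic one QRadar <matcher> per field: first match of the pattern, value taken
    from capture_group. Returns None when the pattern does not match or has fewer
    groups than requested (the posted LSX's failure mode)."""
    out = {}
    for field, pattern in patterns.items():
        flags = re.IGNORECASE if field == "Protocol" else 0  # case-insensitive="true"
        m = re.search(pattern, line, flags)
        if m is None or m.re.groups < capture_group:
            out[field] = None
        else:
            out[field] = m.group(capture_group)
    return out


def lsx_pattern_elements(patterns):
    """Render a pattern dict as <pattern> elements in the LSX's own style."""
    lines = []
    for field, pattern in patterns.items():
        attrs = ' case-insensitive="true"' if field == "Protocol" else ""
        lines.append(f'<pattern id="{field}"{attrs} xmlns=""><![CDATA[{pattern}]]></pattern>')
    return lines


def lsx_is_well_formed(xml_text):
    """Parse the LSX as XML so a missing closing tag (e.g. </match-group>) is
    caught before the file is uploaded to QRadar."""
    try:
        ET.fromstring(xml_text.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


def build_lsx(patterns):
    """Assemble a minimal, well-formed device-extension from the patterns given."""
    body = "\n".join("      " + el for el in lsx_pattern_elements(patterns))
    matchers = "\n".join(
        f'            <matcher field="{f}" order="1" pattern-id="{f}" capture-group="1"/>'
        for f in patterns
    )
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
      <pattern id="allEventNames" xmlns=""><![CDATA[(.*)]]></pattern>
{body}
      <match-group order="1" description="Log Source Extension" xmlns="">
{matchers}
            <event-match-multiple pattern-id="allEventNames" capture-group-index="1" device-event-category="unknown" send-identity="OverrideAndNeverSend"/>
      </match-group>
</device-extension>"""


if __name__ == "__main__":
    for name, pats in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, extract(pats, SAMPLE))
    lsx = build_lsx(CORRECTED)
    print("well-formed:", lsx_is_well_formed(lsx))
    # Drop the closing </match-group>, as the file in the question did:
    print("without </match-group>:", lsx_is_well_formed(lsx.replace("</match-group>", "")))
```

Running it against the constructed line, the posted set returns only Protocol; the corrected set returns every field, and the well-formedness check fails as soon as a closing tag is removed. Before trusting any LSX, run the regexes over a handful of real events from the device in the same way, because a pattern that looks right in a regex tester still has to have the group that the matcher's capture-group attribute points at.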

  • 0
  • 1

Aman Ankit

  • 60 Points
Hi cos, I am working on something similar.
All I did was look for a unique pattern for the EVENT NAME field. If that matches correctly, all other fields are parsed as expected.