This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Help with LSX XML File - Fortiweb 400C UDSM

Help with LSX XML File - Fortiweb 400C UDSM

cos
New Contributor

ā€Ž02-24-2015 05:04 PM

Hi,

I'm in the process of defining a LSX for FortiWeb device, which are current shown as unknown (UDSM) by Qradar.

Fortiweb 400C

Serial Number FV400C3M13000193

Firmware Version FortiWeb-400C 5.06,build0091,140212

Here is the XML file:









(.*)



EventName" xmlns="">\smsg\=\s.*?\s

SourceIp" xmlns="">\ssrc\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s

SourcePort" xmlns="">\ssrc_port\=\d{1,5}\s

DestinationIp" xmlns="">\sdst\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s

DestinationPort" xmlns="">\sdst_port\=\d{1,5}\s

Protocol" case-insensitive="true" xmlns="">\sproto\=(tcp|udp|icmp|gre)\s























It does not work. What am I doing wrong?

Thanks,



0 Kudos
1 REPLY 1

Aman_Ankit
New Contributor

ā€Ž05-05-2017 05:11 AM

Hi cos, I am working on something similar.
All I did was looked for a unique pattern for the EVENT NAME field. If that matches correctly, all other fields are parsed as expected.
0 Kudos
GTM-P2G8KFN