Help with LSX XML File - Fortiweb 400C UDSM

cos — Wed, 25 Feb 2015 01:04:00 GMT

Hi,

I'm in the process of defining a LSX for FortiWeb device, which are current shown as unknown (UDSM) by Qradar.

Fortiweb 400C

Serial Number FV400C3M13000193

Firmware Version FortiWeb-400C 5.06,build0091,140212

Here is the XML file:

(.*)

EventName" xmlns="">\smsg\=\s.*?\s

SourceIp" xmlns="">\ssrc\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s

SourcePort" xmlns="">\ssrc_port\=\d{1,5}\s

DestinationIp" xmlns="">\sdst\=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s

DestinationPort" xmlns="">\sdst_port\=\d{1,5}\s

Protocol" case-insensitive="true" xmlns="">\sproto\=(tcp|udp|icmp|gre)\s

It does not work. What am I doing wrong?

Thanks,

RE: Help with LSX XML File - Fortiweb 400C UDSM

Aman_Ankit — Fri, 05 May 2017 12:11:00 GMT

Hi cos, I am working on something similar.
All I did was looked for a unique pattern for the EVENT NAME field. If that matches correctly, all other fields are parsed as expected.

topic Help with LSX XML File - Fortiweb 400C UDSM in Scripting

Help with LSX XML File - Fortiweb 400C UDSM

RE: Help with LSX XML File - Fortiweb 400C UDSM