Error while trying to add a log source for third-party alerts in 2.5.0.2 or prior versions

Problem:

Adding a log source for third-party alert processing requires running the add_new_log_sources.py script from the Analyzer CLI, which creates the vendor, category and format for the new log source.

The following error appears when trying to add a log source for third-party alerts. For example, adding a third-party alert with Microsoft as the vendor produced the error shown below:



Diagnostics:

Prior to version 2.5.0.2:

The script to add a log source for third-party alerts takes its arguments in this form:

    python add_new_log_sources.py vendor category format identifier source_type log_type

The positional arguments are:

    vendor       Vendor of the log source (e.g. Microsoft)
    category     Category of the log source (e.g. dhcp)
    format       Format of the log source (e.g. standard)
    identifier   Identifier of the log source (e.g. Win_DHCP)
    source_type  Source type of the log source (e.g. syslog)
    log_type     Log type of the log source (e.g. log_dhcp) (optional)


From version 2.5.0.2:

The script to add a log source for third-party alerts must be called in this form, with the additional output_type argument:

    python add_new_log_sources.py vendor category format identifier source_type output_type log_type

The positional arguments are:

    vendor       Vendor of the log source (e.g. Microsoft)
    category     Category of the log source (e.g. dhcp)
    format       Format of the log source (e.g. standard)
    identifier   Identifier of the log source (e.g. Win_DHCP)
    source_type  Source type of the log source (e.g. syslog)
    output_type  Output type of the log (e.g. vpnlog)
    log_type     Log type of the log source (e.g. log_dhcp) (optional)



Solution

Using the script form that includes the output type of the log, the log source for third-party alerts can be added:

 

After executing the script, the vendor, category and format appear as options under Menu → Configuration → Log sources → Add new log source.
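The practical risk in the change above is that the script takes positional arguments only: a six-argument invocation written for the older form does not fail loudly on 2.5.0.2, its last value simply slides into the new output_type slot. The following added example (not the Analyzer script's own code, which is not on this page) models the two documented signatures with argparse and shows how the same argument list is interpreted under each; the parser models, the version threshold constant and the command_for helper are assumptions made for illustration, and the sample values are the ones the page uses.

```python
import argparse

# Models of the two documented positional signatures of add_new_log_sources.py.
# Assumption for illustration: the real script's parser is not on the page,
# only its usage lines; the names below follow those usage lines.
OLD_REQUIRED = ["vendor", "category", "format", "identifier", "source_type"]
NEW_REQUIRED = OLD_REQUIRED + ["output_type"]
OPTIONAL = "log_type"
NEW_FORMAT_FROM = (2, 5, 0, 2)   # version at which output_type was introduced


def build_parser(required):
    """Build a parser with the given required positionals plus optional log_type."""
    parser = argparse.ArgumentParser(prog="add_new_log_sources.py", add_help=False)
    for name in required:
        parser.add_argument(name)
    parser.add_argument(OPTIONAL, nargs="?", default=None)
    return parser


def parse_with(required, argv):
    """Parse argv against a signature; return a dict, or None if argv does not fit.

    argparse exits on a bad arity (too few or too many positionals), so the
    SystemExit is caught and reported as None.
    """
    try:
        return vars(build_parser(required).parse_args(argv))
    except SystemExit:
        return None


def version_tuple(version):
    """Turn '2.5.0.2' into (2, 5, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def command_for(version, vendor, category, fmt, identifier, source_type,
                output_type=None, log_type=None):
    """Return the argv for the given Analyzer version, refusing a form that
    would shift a positional value into the wrong slot (hypothetical helper)."""
    argv = ["python", "add_new_log_sources.py",
            vendor, category, fmt, identifier, source_type]
    if version_tuple(version) >= NEW_FORMAT_FROM:
        if output_type is None:
            raise ValueError("output_type is required from 2.5.0.2 onwards")
        argv.append(output_type)
    elif output_type is not None:
        raise ValueError("output_type is not accepted before 2.5.0.2")
    if log_type is not None:
        argv.append(log_type)
    return argv


if __name__ == "__main__":
    # Constructed sample: the pre-2.5.0.2 six-argument form using the page's values.
    old_form = ["Microsoft", "dhcp", "standard", "Win_DHCP", "syslog", "log_dhcp"]
    print("old parser:", parse_with(OLD_REQUIRED, old_form))
    # Under the 2.5.0.2 signature, log_dhcp silently becomes the output_type.
    print("new parser:", parse_with(NEW_REQUIRED, old_form))
    print(" ".join(command_for("2.5.0.2", "Microsoft", "dhcp", "standard",
                               "Win_DHCP", "syslog", "vpnlog", "log_dhcp")))
```

Running the block prints the two parses side by side: the old parser puts log_dhcp in log_type, while the new parser puts it in output_type and leaves log_type empty, which is the kind of mis-mapping to check for if a source was added with the old command form after an upgrade. command_for is a small guard for runbooks: it builds the invocation for the version in use and refuses a mismatched argument set instead of letting the values shift.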

Version history
Revision #:
1 of 1
Last update:
08-04-2020 08:37 PM
Updated by: