STRM - How do you build a LSX for snmp data?

02-01-2011 11:45 PM



I'm trying to build a log source extension for Symantec AV ScanEngine. What troubles me is the fact that the log data is delivered via snmp. In the event viewer the payload looks like this:


The scanning feature seems to be hung or the scan engine is overloaded.    1344    1541514    Warning
There was an error running content update, scanning will continue using the original definitions    1344    Virus definitions    Scanner not initialised    LiveUpdate    1513397    Error


I don't have a clue how to define the values in the LSX for that sort of data, as there are no "headers" like 'src-ip:' or anything similar.


I've tried to define the values in the LSX using parts of the OID values from the raw event data I've captured with tcpdump (see the example below), but that doesn't work.

. enterpriseSpecific s=30 1542197 
."There was an error running content update, scanning will continue using the original definitions" ."" . ."Virus definitions" ."Scanner not initialised" ."LiveUpdate" . ."Error" 


Can you guys give me any hints as to how to get a grip on that?

Or - if I'm very lucky - maybe one of you has already built an LSX for the Symantec AV ScanEngine? Or at least for a product sending similar data? Would you be so kind as to share your LSX?

Re: STRM - How do you build a LSX for snmp data?

08-21-2012 12:27 AM

Hi guys!


One and a half years later and my issue still exists...

Has anybody encountered the same issue in the meantime and found a solution for it?

I'd really appreciate any help!

Re: STRM - How do you build a LSX for snmp data?

10-04-2012 06:27 AM

I've been trying to get extensions to work too on 2012.1 but am struggling.  I would have thought it would look something like this -


replace the word REGEX with your expression i.e. ^(.*)$ and try to separate them down into capture groups to select each field.

<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
<!-- One pattern per event shape; the regex sits inside CDATA so it needs no XML escaping. -->
<pattern case-insensitive="true" id="SymantecAVOverload" xmlns=""><![CDATA[REGEX]]></pattern>
<pattern case-insensitive="true" id="SymantecAVUpdateError" xmlns=""><![CDATA[REGEX]]></pattern>
<!-- Each matcher maps one capture group of the named pattern onto a field; order decides which matcher wins when several apply. -->
<matcher field="SymantecAVEngineMessage" order="1" pattern-id="SymantecAVOverload" capture-group="1" enable-substitutions="true" />
<matcher field="SymantecAVEngineIP" order="1" pattern-id="SymantecAVOverload" capture-group="2" enable-substitutions="true" />
<matcher field="SymantecAVEngineEvent" order="1" pattern-id="SymantecAVOverload" capture-group="3" enable-substitutions="true" />
<matcher field="SymantecAVEngineDefs" order="1" pattern-id="SymantecAVOverload" capture-group="4" enable-substitutions="true" />
<matcher field="SymantecAVEngineStatus" order="1" pattern-id="SymantecAVOverload" capture-group="5" enable-substitutions="true" />
<matcher field="SymantecAVUpdateMessage" order="1" pattern-id="SymantecAVUpdateError" capture-group="1" enable-substitutions="true" />
<matcher field="SymantecAVUpdateIP" order="1" pattern-id="SymantecAVUpdateError" capture-group="2" enable-substitutions="true" />
<matcher field="SymantecAVUpdateEvent" order="1" pattern-id="SymantecAVUpdateError" capture-group="3" enable-substitutions="true" />
<matcher field="SymantecAVUpdateCat" order="1" pattern-id="SymantecAVUpdateError" capture-group="4" enable-substitutions="true" />
<matcher field="SymantecAVUpdateScanner" order="1" pattern-id="SymantecAVUpdateError" capture-group="5" enable-substitutions="true" />
<matcher field="SymantecAVUpdateProgram" order="1" pattern-id="SymantecAVUpdateError" capture-group="6" enable-substitutions="true" />
<matcher field="SymantecAVUpdateDefs" order="1" pattern-id="SymantecAVUpdateError" capture-group="7" enable-substitutions="true" />
<matcher field="SymantecAVUpdateStatus" order="1" pattern-id="SymantecAVUpdateError" capture-group="8" enable-substitutions="true" />
</device-extension>
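As an added example (not code from the thread or from Symantec/STRM), here is how the two payload shapes quoted in the first post can be split into fields with anchored regexes, tried in the same order the LSX matchers would use, and how those same regexes would be rendered into the <pattern> elements of the skeleton above. The group names, and the assumption that the wide gaps between columns are tabs or runs of spaces, are mine; the thread does not say what the numeric columns mean.

```python
import re

# Column separator as it appears in the thread's payloads: a run of spaces
# (assumed to be a tab in the raw trap, so a tab is accepted too).
SEP = r"(?:\t+| {2,})"

# One anchored regex per event shape, tried in this order (most specific
# first, as the LSX matcher order would). Group names are assumptions: the
# thread does not say what the numeric columns are, so they go by position.
PATTERNS = {
    "SymantecAVUpdateError": re.compile(
        r"^(?P<message>.+?)" + SEP + r"(?P<number>\d+)" + SEP
        + r"(?P<category>.+?)" + SEP + r"(?P<scanner>.+?)" + SEP
        + r"(?P<program>.+?)" + SEP + r"(?P<event_id>\d+)" + SEP
        + r"(?P<severity>\w+)$"
    ),
    "SymantecAVOverload": re.compile(
        r"^(?P<message>.+?)" + SEP + r"(?P<number>\d+)" + SEP
        + r"(?P<event_id>\d+)" + SEP + r"(?P<severity>\w+)$"
    ),
}

def parse_event(payload):
    """Return (pattern_id, fields) for the first pattern that matches, else None."""
    for pattern_id, regex in PATTERNS.items():
        m = regex.match(payload.strip())
        if m:
            return pattern_id, m.groupdict()
    return None

def lsx_pattern_elements():
    """Render the regexes as LSX <pattern> elements; CDATA keeps them unescaped."""
    return "\n".join(
        '<pattern id="%s" xmlns=""><![CDATA[%s]]></pattern>' % (pid, rx.pattern)
        for pid, rx in PATTERNS.items()
    )

# Constructed samples: the two payloads quoted in the first post.
SAMPLES = [
    "The scanning feature seems to be hung or the scan engine is overloaded."
    "    1344    1541514    Warning",
    "There was an error running content update, scanning will continue using the"
    " original definitions    1344    Virus definitions    Scanner not initialised"
    "    LiveUpdate    1513397    Error",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_event(line))
    print(lsx_pattern_elements())
```

A payload that matches neither shape returns None, which is the case to watch for when a new ScanEngine message type appears and silently falls through the LSX.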