
Map Custom log flags to Symantec flags

Created: 20 Apr 2013 | 4 comments
andreas a wrote:

Is there a way to map a custom log's flags to Symantec values? I collect them through the generic syslog collector.

For example I have this log:

Description = date=2013-04-20 time=21:00:48 devname=papatza device_id=87979 log_id=0038000007 type=traffic subtype=other pri=warning vd=root src=x.x.x.x srcname=hostname.example.com src_port=4565 src_int="internal" dst=127.0.0.1 dstname=x.x.x.jp dst_port=445 dst_int="wan1" SN=774772249 status=deny policyid=0 dst_country="Japan" src_country="United States" service=SMB proto=6 duration=0 sent=0 rcvd=0 msg="Denied by forward policy check"
 
How can I tell SSIM to map, for example, "service=SMB" to SSIM's flag in order to parse these custom logs?
FYI, this is a FortiGate log.
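The FortiGate line quoted above is a flat key=value record in which some values are double-quoted and may contain spaces (msg="Denied by forward policy check"), which is exactly what a generic space-splitting syslog parser gets wrong. The following is an added example, not SSIM's collector code; it tokenizes that format and maps the parsed keys onto a normalized event schema whose target field names (source_ip, action, ...) are assumed placeholders, since the thread does not give SSIM's actual flag names.

```python
import re

# Constructed sample: the FortiGate traffic log quoted in the question above.
SAMPLE = ('date=2013-04-20 time=21:00:48 devname=papatza device_id=87979 log_id=0038000007 '
          'type=traffic subtype=other pri=warning vd=root src=x.x.x.x srcname=hostname.example.com '
          'src_port=4565 src_int="internal" dst=127.0.0.1 dstname=x.x.x.jp dst_port=445 dst_int="wan1" '
          'SN=774772249 status=deny policyid=0 dst_country="Japan" src_country="United States" '
          'service=SMB proto=6 duration=0 sent=0 rcvd=0 msg="Denied by forward policy check"')

# One key=value token: the value is either a double-quoted string (spaces and
# escaped quotes allowed) or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_fortigate(line: str) -> dict:
    """Parse a FortiGate key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

# Hypothetical normalized schema (placeholder names, not SSIM's real flags):
# FortiGate key -> normalized field.
FIELD_MAP = {
    'src': 'source_ip', 'src_port': 'source_port',
    'dst': 'destination_ip', 'dst_port': 'destination_port',
    'service': 'application_protocol', 'proto': 'ip_protocol',
    'policyid': 'rule_id', 'msg': 'description',
}
INT_FIELDS = {'source_port', 'destination_port', 'ip_protocol', 'rule_id'}
ACTIONS = {'deny': 'blocked', 'accept': 'allowed'}

def normalize(fields: dict) -> dict:
    """Map parsed FortiGate fields onto the normalized schema and coerce types."""
    event = {}
    for src_key, dst_key in FIELD_MAP.items():
        if src_key not in fields:
            continue  # absent keys are skipped rather than raising
        value = fields[src_key]
        event[dst_key] = int(value) if dst_key in INT_FIELDS else value
    # FortiGate's status=deny/accept becomes a stable action vocabulary.
    event['action'] = ACTIONS.get(fields.get('status', ''), 'unknown')
    return event

if __name__ == '__main__':
    print(normalize(parse_fortigate(SAMPLE)))
```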

Comments (4)

Laurent_c wrote:

Hi,

If this is a FortiGate log, could you use the FortiGate collector? It will map a lot of fields better than the generic one.

Laurent

andreas a wrote:

I uploaded to the server and I used it but with no luck.

I have set up Agent Configuration to listen to syslog on 514 and put the Fortinet Event Collector at the highest point. Then, in the collector configuration, I have set up the sensor to listen on port 10526.

If I do this, I get no events...

Laurent_c wrote:

Hi,

OK, can you give more details on your configuration?

SSIM Agent version? 4.7.1 or 4.8?

SSIM Appliance?

Have you set up the redirect config to the agent, and is it in sync?

Have you added the filter from the utils folder after LU?

Laurent

andreas a wrote:

I use 4.8 installed on a VM.

I don't have a collector installed on a different machine, but in the SSIM itself. Regarding the next two questions, I am not sure I understand what you are asking me. The only redirection I think is made is through the agent configuration. Am I wrong?

[Attachment: Screen Shot 2013-04-27 at 22.50.31.png]