Message parsing in a network security system
Abstract
Device discovery can be made efficient using certain embodiments of the present invention. In one embodiment, the present invention includes accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log. Then a list of parsers associated with the host identifier associated with the message can be accessed and parsing the message using parsers from the list of parsers associated with the host identifier can be attempted. If the parsing is unsuccessful, a device type of an originator of the message can be discovered, and a parser associated with the discovered device type can be added to the list of parsers associated with the host identifier.
30 Claims
1. A method performed by a distributed agent of a network security system, the method comprising:
- accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log;
- accessing a host-specific list of multiple parsers associated with the host identifier associated with the message;
- the agent attempting to parse the message using a first parser in the host-specific list;
- responsive to unsuccessful parsing using the first parser, attempting to parse the message using a second parser in the host-specific list;
- responsive to unsuccessful parsing using all the parsers in the host-specific list, attempting to parse the message using a parser in a comprehensive list of multiple parsers; and
- responsive to successful parsing using the parser in the comprehensive list, adding the parser to the host-specific list.

12. A distributed agent for a network security system, the distributed agent comprising:
- a log interface coupled to a message log to read a message and a host identifier of the sender of the message from the message log into the distributed agent;
- a parser database stored on a non-transitory machine-readable medium containing a host-specific list of multiple parsers associated with the host identifier;
- an event builder module coupled to the log interface and the parser database to attempt to parse the message using a first parser from the host-specific list of multiple parsers, and responsive to unsuccessful parsing using the first parser, the event builder configured to parse the message using a second parser in the host-specific list; and
- a device detection module to attempt to parse the message using a parser in a comprehensive list of multiple parsers in case the attempted parsing using the parsers in the host-specific list is unsuccessful for all parsers, and responsive to successfully parsing the message with a parser in the comprehensive list, the device detection module configured to add the parser to the host-specific list.

20. A non-transitory machine-readable medium having stored thereon data representing instructions that, when executed by a processor, cause the processor to perform operations comprising:
- accessing a message in a message log, wherein the message log associates a host identifier with the message, the host identifier being an identifier of a host that sent the message to the message log;
- accessing a host-specific list of multiple parsers associated with the host identifier associated with the message;
- attempting to parse the message using a first parser in the host-specific list;
- responsive to unsuccessful parsing using the first parser, attempting to parse the message using a second parser in the host-specific list;
- responsive to unsuccessful parsing using all the parsers in the host-specific list, attempting to parse the message using a parser in a comprehensive list of multiple parsers; and
- responsive to successful parsing using the parser in the comprehensive list, adding the parser to the host-specific list.
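The abstract and the independent claims above describe one procedure: keep a per-host list of parsers, try those first, fall back to the comprehensive list only when every host-specific parser fails, and cache the parser that finally succeeds in the host's list. The following is an added illustration of that procedure in Python; it is not code from the patent or from any product. Parsers are modelled as named regular expressions, the message log is a constructed list of (host identifier, message) pairs, and skipping comprehensive-list parsers that were already tried from the host's list is an optimisation assumed here, not a step the claims require.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Parser:
    """A parser is a name plus an anchored regex; a match yields the event fields."""
    name: str
    pattern: re.Pattern

    def parse(self, message: str) -> Optional[dict]:
        m = self.pattern.match(message)
        return m.groupdict() if m else None


# Comprehensive list: every parser the agent knows (constructed toy set).
# sshd is deliberately last so that the benefit of the host-specific cache shows up.
COMPREHENSIVE: List[Parser] = [
    Parser("fw", re.compile(
        r"FW: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")),
    Parser("httpd", re.compile(
        r'httpd: (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})')),
    Parser("sshd", re.compile(
        r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")),
]


@dataclass
class Agent:
    comprehensive: List[Parser] = field(default_factory=lambda: list(COMPREHENSIVE))
    host_parsers: Dict[str, List[Parser]] = field(default_factory=dict)  # host id -> host-specific list
    attempts: int = 0  # parse attempts made, to measure the effect of the cache

    def _try(self, parsers: List[Parser], message: str):
        """Try parsers in order (first, second, ...); return the first that succeeds."""
        for p in parsers:
            self.attempts += 1
            fields = p.parse(message)
            if fields is not None:
                return p, fields
        return None, None

    def parse_event(self, host_id: str, message: str) -> Optional[dict]:
        host_list = self.host_parsers.setdefault(host_id, [])
        parser, fields = self._try(host_list, message)
        if parser is None:
            # All host-specific parsers failed: fall back to the comprehensive list.
            # Assumed optimisation: do not retry parsers already tried from the host list.
            tried = {p.name for p in host_list}
            candidates = [p for p in self.comprehensive if p.name not in tried]
            parser, fields = self._try(candidates, message)
            if parser is not None:
                host_list.append(parser)  # cache the discovered parser for this host
        if parser is None:
            return None  # unparsed: no known parser matches this host's message format
        return {"host": host_id, "parser": parser.name, **fields}

    def process_log(self, log: List[Tuple[str, str]]) -> List[Optional[dict]]:
        return [self.parse_event(host, msg) for host, msg in log]


def attempts_without_host_lists(log: List[Tuple[str, str]], parsers=COMPREHENSIVE) -> int:
    """Baseline for comparison: every message walks the comprehensive list from the top."""
    n = 0
    for _, message in log:
        for p in parsers:
            n += 1
            if p.parse(message) is not None:
                break
    return n


# Constructed message log: host identifier as recorded by the log, then the message text.
LOG = [
    ("10.0.0.5", "sshd[1212]: Accepted publickey for alice from 192.0.2.10"),
    ("10.0.0.5", "sshd[1213]: Failed password for root from 198.51.100.7"),
    ("10.0.0.9", "FW: action=deny src=198.51.100.7 dst=10.0.0.5 dport=22"),
    ("10.0.0.5", "sshd[1214]: Failed password for root from 198.51.100.7"),
    ("10.0.0.9", "unknown-vendor: heartbeat ok"),  # matches no parser
]

if __name__ == "__main__":
    agent = Agent()
    for event in agent.process_log(LOG):
        print(event)
    print("attempts with host-specific lists:", agent.attempts)
    print("attempts without them:", attempts_without_host_lists(LOG))
```

Running the block shows the two effects the claims are after: after the first sshd message, host 10.0.0.5 has `sshd` in its host-specific list, so later messages from it are parsed on the first attempt; and a message no parser understands still fails cleanly (returned as `None`) rather than being misattributed to the wrong parser.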
Specification