Kaseya Community

Log Parser Issues

  • Kaseya 6.2 Server - I'm trying to create a log parser and am running into troubles. I opened a ticket with Kaseya but got shuffled off to "Development", whatever that means.

    So, I've been doing some testing on my own by reducing my log parser to some basics and using the Log Parser Tool mentioned elsewhere in the forums. The "Configuring Log Parsers Step by Step" instructions for Log Parsers says to use the "%" to skip unneeded text but, near as I can tell, that doesn't work. Here's a simple example:

    Simple Log file -

    Malwarebytes' Anti-Malware 1.51.1.2000
    www.malwarebytes.org

    Database version: 7718

    Simple Parser Definition that passes the Parse Test -

    Malwarebytes' Anti-Malware $strMalwareVersion$
    $strWeblink$

    Database version: $intDBVersion$

    However, changing the parser by adding a "%" sign to skip the URL in the log, for example, fails the test (even with the removal of the URL parameter definition) -

    Malwarebytes' Anti-Malware $strMalwareVersion$
    %

    Database version: $intDBVersion$

    Can someone point out what I might be doing wrong? Am I using the percent symbol improperly?

  • Here is my Malwarebytes log parser template. This passes the Log Parser Tool, but YMMV. I've only applied it to a handful of machines and so far none have had infections, so I'm not certain if it will pick up the objects yet.

    -----

    %Anti-Malware $MBAMVersion$

    www.malwarebytes.org

    Database version: $dbVersion$

    $Windows_Version$

    $IE_Version$

    $Time$

    $mbam_log$

    Scan type: $scan_type$

    Objects scanned: $objects_scanned$

    Time elapsed: $elapsed_time$

    Memory Processes Infected: $mem_procs_inf$

    Memory Modules Infected: $mem_mods_inf$

    Registry Keys Infected: $reg_keys_inf$

    Registry Values Infected: $reg_vals_inf$

    Registry Data Items Infected: $reg_data_inf$

    Folders Infected: $folders_inf$

    Files Infected: $files_inf$

    ------

  • Thanks for posting that one. I've been doing a lot of testing and basically that's what I've ended up with as well but while it passes the testing tool it doesn't actually work - on my system anyway. There seem to be some issues with log parsing in 6.2 and it's terribly finicky as you can see from the simple example I posted. Support called me on my ticket this morning but was too busy to work on it and was supposed to call me back this afternoon but didn't. I hope to hear from them tomorrow.

  • Also, I forgot to mention, there's more to the log file than your template will read. There's more detail in the log file about exactly which items were found. I have not been able to find any way to get that detail into the template and have it pass the testing tool. I can only get it to accept as much as you do in your template.

  • Yeah, I had to remove those extra lines from my template or the parser tool failed to process it. I figured at least knowing that something was found would be a good start. I suspect the issue is that Malwarebytes writes the log file with a space (Unicode maybe?) and the parser can't interpret the file name. Are you using the Log File Path or the Log Archive Path? Are you using a wildcard in the file name? I'm using mbam-log-*.txt but noticed the files really look like this: mbam-log-2011-09-21 (21-56-36).txt, so there are spaces in the file name. I think the parser chokes on the spaces.

  • I think I just figured out my issue. I've added all my parameter variables to a single parser set and based on this post (community.kaseya.com/.../what-support-do-i-need-to-diagnose-log-parser-problems.aspx) the variables are all "ANDed" together which means every criteria would need to be met. I'm going to try creating separate sets for each variable and see if that gives better results.

  • I have different parser sets for each parameter I wanted to alert on but that doesn't work either. Good idea on the file name. That might have something to do with the parser not working. I'll have to do some more testing with different file names.

  • Ok. Just so you know. Mine is working correctly now that I have each object result in a different parser set. I have the Log Path and Log Archive Path both set, but when I had only the Log Path set it still worked.

  • Well, dang it! I'm happy for you but am wondering what's going on here. I do have the log path set but not the log archive path. Here's my current template - let me know if you see some glaring error here. It passes the test tool, though:

    Malwarebytes% Anti-Malware $intMVersion$
    $strURL$

    Windows $strWinVersion$
    Internet Explorer $strIEVersion$

    $strDate$
    $strFileName$

    Scan type: $strScanType$
    Objects scanned: $strObjectsScanned$
    Time elapsed: $strScanDuration$

    Memory Processes Infected: $intMemProcessesInfected$
    Memory Modules Infected: $intMemModulesInfected$
    Registry Keys Infected: $intRegKeysInfected$
    Registry Values Infected: $intRegValuesInfected$
    Registry Data Items Infected: $intRegDataItemsInfected$
    Folders Infected: $intFoldersInfected$
    Files Infected: $intFilesInfected$

  • I tried modifying the log archive path but get this error when trying to save it - I'm logged onto the console as "Administrator".

    The page cannot be displayed

    There is a problem with the page you are trying to reach and it cannot be displayed.

    HTTP 500.100 - Internal Server Error - ASP error
    Internet Information Services


    • Error Type:
      Microsoft JScript runtime (0x-7ff5ffba)
      Permission denied
      /MonitorTab/logParserManager.inc, line 112

    • Browser Type:
      Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3; MS-RTC LM 8)

    • Time:
      Thursday, September 22, 2011 7:58:18 AM

  • And here's the error in a client procedure log -

    8:09:57 am 22-Sep-11  LOGPARSER$366581942352422 Success THEN  Administrator

    8:09:53 am 22-Sep-11  null MessageSys: This scheduled event is associated with a script (ID= 78855721 ) definition that has been deleted. Remaining schedules for the deleted script will be purged.  Administrator

    8:09:53 am 22-Sep-11  LOGPARSER$366581942352422 Failed in the if step  Administrator

    8:09:53 am 22-Sep-11  LOGPARSER$366581942352422 FAILED to load LOGPARSER$366581942352422 (ID = 78855721). Error: Script Not Found  Administrator

  • And, here's the log parser XML file. I note that it did save my change to the Log Archive Path...

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <LogParser version="1.0" AgentID="366581942352422">
     <LogParserDef ID="4">
      <Params>
       <Param Name="intMVersion" Type="int" ParamID="58" />
       <Param Name="strURL" Type="string" ParamID="59" />
       <Param Name="strWinVersion" Type="string" ParamID="60" />
       <Param Name="strIEVersion" Type="string" ParamID="61" />
       <Param Name="strDate" Type="string" ParamID="62" />
       <Param Name="strFileName" Type="string" ParamID="63" />
       <Param Name="strScanType" Type="string" ParamID="64" />
       <Param Name="strObjectsScanned" Type="string" ParamID="65" />
       <Param Name="intMemProcessesInfected" Type="int" ParamID="66" />
       <Param Name="intMemModulesInfected" Type="int" ParamID="67" />
       <Param Name="intRegValuesInfected" Type="int" ParamID="68" />
       <Param Name="intRegDataItemsInfected" Type="int" ParamID="69" />
       <Param Name="intFoldersInfected" Type="int" ParamID="70" />
       <Param Name="strScanDuration" Type="string" ParamID="71" />
       <Param Name="intRegKeysInfected" Type="int" ParamID="72" />
       <Param Name="intFilesInfected" Type="int" ParamID="73" />
      </Params>
      <Templates MultiLine="1">
       <Template>Malwarebytes% Anti-Malware $intMVersion${nl}$strURL${nl}{nl}Windows $strWinVersion${nl}Internet Explorer $strIEVersion${nl}{nl}$strDate${nl}$strFileName${nl}{nl}Scan type: $strScanType${nl}Objects scanned: $strObjectsScanned${nl}Time elapsed: $strScanDuration${nl}{nl}Memory Processes Infected: $intMemProcessesInfected${nl}Memory Modules Infected: $intMemModulesInfected${nl}Registry Keys Infected: $intRegKeysInfected${nl}Registry Values Infected: $intRegValuesInfected${nl}Registry Data Items Infected: $intRegDataItemsInfected${nl}Folders Infected: $intFoldersInfected${nl}Files Infected: $intFilesInfected$</Template>
      </Templates>
      <LogPaths>
       <CurrentPath>c:\kworking\scan_logs\*.txt</CurrentPath>
       <BackupPath>c:\kworking\scan_logs\*.txt</BackupPath>
      </LogPaths>
      <CollectionDef>
       <ConditionSet>
         <Condition Param="intFilesInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
       <ConditionSet>
         <Condition Param="intFoldersInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
       <ConditionSet>
         <Condition Param="intRegValuesInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
       <ConditionSet>
         <Condition Param="intMemModulesInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
       <ConditionSet>
         <Condition Param="intMemProcessesInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
       <ConditionSet>
         <Condition Param="intRegDataItemsInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
       <ConditionSet>
         <Condition Param="intRegKeysInfected" Operator="NotEqual" Value="0" />
       </ConditionSet>
      </CollectionDef>
      <Alarms>
       <AlarmDef ID="16" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intFilesInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
       <AlarmDef ID="17" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intFoldersInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
       <AlarmDef ID="22" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intRegValuesInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
       <AlarmDef ID="21" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intMemModulesInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
       <AlarmDef ID="20" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intMemProcessesInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
       <AlarmDef ID="19" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intRegDataItemsInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
       <AlarmDef ID="18" Duration="0" EventCount="1" ReArm="86400">
        <ConditionSet>
         <Condition Param="intRegKeysInfected" Operator="NotEqual" Value="0" />
        </ConditionSet>
       </AlarmDef>
      </Alarms>
     </LogParserDef>
    </LogParser>
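    To make the thread's template rules concrete, here is an added example (written for this page, not code from the thread or from Kaseya) that models the template language as the posts describe it: `$name$` parameters, `%` as a wildcard that skips unneeded text, `{nl}` as the line break the exported XML stores, and a CollectionDef in which conditions inside one ConditionSet are ANDed while separate ConditionSets are ORed. The sample log is constructed in the layout of a Malwarebytes' Anti-Malware 1.51 log; the "int means digits only" rule, the in-line scope of `%` and the operator name `Over` are this example's assumptions, not verified Kaseya behaviour.

```python
"""Added example (not Kaseya's engine): a small model of the log parser template language from
this thread ($name$ parameters, % wildcard, {nl} line break) and of CollectionDef evaluation."""
import fnmatch
import re

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.51 log (not a real scan).
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.51.1.2000
www.malwarebytes.org

Database version: 7718

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

9/21/2011 9:56:36 PM
mbam-log-2011-09-21 (21-56-36).txt

Scan type: Quick scan
Objects scanned: 172345
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
"""

# Template in the thread's notation; {nl} joins lines the way the exported XML stores them.
TEMPLATE = "{nl}".join([
    "Malwarebytes% Anti-Malware $strMVersion$",  # % skips the apostrophe
    "$strURL$",
    "",
    "Database version: $intDBVersion$",
    "",
    "Windows $strWinVersion$",
    "Internet Explorer $strIEVersion$",
    "",
    "$strDate$",
    "$strFileName$",
    "",
    "Scan type: $strScanType$",
    "Objects scanned: $intObjectsScanned$",
    "Time elapsed: $strScanDuration$",
    "",
    "Memory Processes Infected: $intMemProcessesInfected$",
    "Memory Modules Infected: $intMemModulesInfected$",
    "Registry Keys Infected: $intRegKeysInfected$",
    "Registry Values Infected: $intRegValuesInfected$",
    "Registry Data Items Infected: $intRegDataItemsInfected$",
    "Folders Infected: $intFoldersInfected$",
    "Files Infected: $intFilesInfected$",
])

TOKEN = re.compile(r"\$(\w+)\$|%|\{nl\}")

def template_to_regex(template):
    """$name$ -> named group, % -> wildcard within the line, {nl} -> line break, rest literal."""
    parts, pos = [], 0
    for tok in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:tok.start()]))  # literal text must match exactly
        name = tok.group(1)
        if name:
            # Assumption: an "int" parameter (Type="int" in the XML) is digits only; strings take the line.
            parts.append(r"(?P<%s>\d+)" % name if name.startswith("int") else r"(?P<%s>[^\n]*)" % name)
        elif tok.group(0) == "%":
            parts.append(r"[^\n]*?")  # skip unneeded text up to the next literal on this line
        else:
            parts.append(r"\r?\n")    # accept Windows or Unix line endings
        pos = tok.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))

def parse_log(template, text):
    """Return {param: value} (ints converted) or None when the template does not match."""
    m = template_to_regex(template).search(text)
    if m is None:
        return None
    return {k: int(v) if k.startswith("int") else v for k, v in m.groupdict().items()}

# NotEqual is the operator in the posted XML; "Over" is this example's name for the "over 0" check.
OPERATORS = {"NotEqual": lambda a, b: a != b, "Over": lambda a, b: a > b}
INFECTED_PARAMS = ["intMemProcessesInfected", "intMemModulesInfected", "intRegKeysInfected",
                   "intRegValuesInfected", "intRegDataItemsInfected", "intFoldersInfected",
                   "intFilesInfected"]
# One ConditionSet per counter, as in the posted CollectionDef: the sets are ORed.
SEPARATE_SETS = [[(p, "NotEqual", 0)] for p in INFECTED_PARAMS]
# All counters in one ConditionSet: conditions are ANDed, so every counter must be non-zero.
SINGLE_SET = [[(p, "NotEqual", 0) for p in INFECTED_PARAMS]]

def collection_matches(values, condition_sets):
    """OR across ConditionSets, AND within one ConditionSet."""
    return any(all(OPERATORS[op](values[p], v) for p, op, v in cs) for cs in condition_sets)

def log_file_matches(pattern, filename):
    """Wildcard check for the Log File Path; spaces in the name do not break a glob."""
    return fnmatch.fnmatch(filename, pattern)
```

    Run against the sample, `parse_log` extracts all counters, `collection_matches(values, SEPARATE_SETS)` fires because two counters are non-zero, and `collection_matches(values, SINGLE_SET)` does not, because the memory counters are zero and every condition in a single set must hold. `log_file_matches("mbam-log-*.txt", "mbam-log-2011-09-21 (21-56-36).txt")` shows that a plain glob has no trouble with the spaces in the file name; whether Kaseya's own path handling does is a separate question the thread leaves open.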

  • How did you export the XML? That would be very helpful. I noticed in your parser template you don't have the Database Version line after the URL. Check your logs and see if MBAM is writing that. That might throw off the template. Also, in my parser sets I have the objects infected values as integers and set it to check if it's OVER 0. I guess it doesn't matter, but that is how I did it.

  • I exported the XML file by first finding the Log Parser number from the agent procedure log - in my case that number is - LOGPARSER$366581942352422. The XML file is found on the server in the Kaseya directory "\UserProfiles" and, in my case, was in the subdirectory "366581942352422\Monitor".

    Nice catch. I did somehow miss the Database Version variable in this incarnation of the parser. Just tried a new one with that variable back in there and still get errors when trying to save it so I guess there's still an issue somewhere here.

  • It's a month later and I'm still having issues with Kaseya Log Parsers not functioning correctly. I do have an open ticket on this issue:

    The page cannot be displayed

    There is a problem with the page you are trying to reach and it cannot be displayed.

    HTTP 500.100 - Internal Server Error - ASP error

    Internet Information Services

    • Error Type:
      Microsoft JScript runtime (0x-7ff5ffba)
      Permission denied
      /MonitorTab/logParserManager.inc, line 112