Planning and Considerations

  1. Learn the exact structure of the logs the device generates, from these sources:
    1. The vendor logging guide, or other documentation that specifies which logs the device can generate and their structure. Documentation is important to make sure that you have found all possible logs; usually it is sufficient on its own to write the parsing file.
    2. Log samples, as many as possible. Use logs generated by the actual devices that will send logs to SmartEvent. Samples are important to examine the parsing file's behaviour and to tune it accordingly.
  2. Learn the Free Text Parsing Language, the parsing files that are necessary, and their location on the Log Server.
  3. Compare existing parsing files of an equivalent product.
  4. Select the fields to extract from the log. The fields to extract differ from one device to another, but devices of the same category usually have equivalent log fields. For example:

    Device Type                                                            | Typical Log Fields
    -----------------------------------------------------------------------+--------------------------------------------------------------
    Firewall, router and other devices that send connection-based logs     | source IP address, destination IP address, source port,
                                                                           | destination port, protocol, accept/reject indication
    IDS / IPS, application firewall and other devices that send attack logs| attack name/ID
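The steps above, as an added example in Python (this is not Check Point's code and not the Free Text Parsing Language, whose syntax this page does not show): a parser for a constructed, generic key=value firewall log format extracts the typical connection-based fields from the table, runs across a set of sample lines, and reports which lines did not parse and how often each selected field was present, so the parser can be tuned against the samples before it is trusted. The log format, the field names (src, dst, spt, dpt, proto, action) and the sample lines are all assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in an assumed syslog-like firewall format (not a real vendor format).
# Lines 4 and 5 are deliberately problematic: a non-IP source and a non-connection log.
SAMPLE_FIREWALL_LOGS = [
    "Mar 10 12:00:01 fw1 conn: action=accept proto=tcp src=10.0.0.5 spt=51234 dst=203.0.113.10 dpt=443",
    "Mar 10 12:00:02 fw1 conn: action=drop proto=udp src=10.0.0.9 spt=5353 dst=224.0.0.251 dpt=5353",
    "Mar 10 12:00:03 fw1 conn: action=accept proto=icmp src=10.0.0.7 dst=10.0.0.1",
    "Mar 10 12:00:04 fw1 conn: action=reject proto=tcp src=not-an-ip spt=80 dst=10.0.0.2 dpt=80",
    "Mar 10 12:00:05 fw1 system: config reload complete",
]

# Fields selected for connection-based logs (the typical fields in the table above),
# keyed by the name the assumed device format uses.
FIELD_KEYS = {
    "src": "source_ip",
    "dst": "destination_ip",
    "spt": "source_port",
    "dpt": "destination_port",
    "proto": "protocol",
    "action": "action",
}
# Ports are optional (ICMP has none); the rest must be present for a usable record.
REQUIRED = {"source_ip", "destination_ip", "protocol", "action"}

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<category>\w+): (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into the selected fields.

    Returns None for lines that are not connection logs or whose required fields are
    missing or invalid. Rejecting instead of guessing keeps problem samples visible
    so the parsing rules can be tuned against them.
    """
    m = HEADER_RE.match(line)
    if not m or m.group("category") != "conn":
        return None
    rec = {"host": m.group("host"), "timestamp": m.group("ts")}
    for key, value in KV_RE.findall(m.group("body")):
        if key in FIELD_KEYS:
            rec[FIELD_KEYS[key]] = value
    if not REQUIRED <= rec.keys():
        return None
    try:
        # Validate addresses rather than trusting the raw token.
        ipaddress.ip_address(rec["source_ip"])
        ipaddress.ip_address(rec["destination_ip"])
        for port in ("source_port", "destination_port"):
            if port in rec:
                rec[port] = int(rec[port])
    except ValueError:
        return None
    # Normalize the accept/reject indication: anything other than accept counts as rejected.
    rec["accepted"] = rec["action"].lower() == "accept"
    return rec


def check_samples(lines):
    """Run the parser over all samples; return (parsed records, lines that failed)."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    return parsed, unparsed


def field_coverage(parsed):
    """Count how many parsed records carry each selected field, to spot fields the
    samples never provide (a sign the field name or the format was misread)."""
    return {name: sum(1 for r in parsed if name in r) for name in FIELD_KEYS.values()}


if __name__ == "__main__":
    ok, failed = check_samples(SAMPLE_FIREWALL_LOGS)
    print(f"parsed {len(ok)} of {len(SAMPLE_FIREWALL_LOGS)} samples")
    for line in failed:
        print("NOT PARSED:", line)
    print("field coverage:", field_coverage(ok))
```

Lines that end up in the "NOT PARSED" list are the ones to compare against the vendor documentation: either the format has a variant the parser does not yet handle, or the device emits a log type that should be parsed by a separate rule or ignored.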