Help Needed with XML FlexConnector Parser Configuration for Custom Logs

Hi ArcSight Community,

I am working on developing a custom XML FlexConnector parser to handle event logs from a specific application. I have created the parser configuration file, but I need assistance with validating the mappings, token types, and overall configuration to ensure it captures and categorizes events correctly.

Below is a sample of the XML content I am working with, and I have changed the data to dummy values without altering the format:

```xml
<?xml version="1.0"?>
<Sag:EventLogList xmlns:Sag="urn:swift:sag:ns_Sag">
<Sag:EventLog>
<Sag:LogSysTime>01/01/2023 12:00:00.0000</Sag:LogSysTime>
<Sag:LogSequence>1234567</Sag:LogSequence>
<Sag:ApplicationId><![CDATA[dummy_app]]></Sag:ApplicationId>
<Sag:LogCorrelationId>ABC-1234-5678-90abcdef-123456-7890-10.0.0.1:12345-67890</Sag:LogCorrelationId>
<Sag:PlugInName>Sag:SN-I</Sag:PlugInName>
<Sag:EventNumber>2000</Sag:EventNumber>
<Sag:EventName>Response primitive sent</Sag:EventName>
<Sag:EventSeverity>Information</Sag:EventSeverity>
<Sag:EventClass>Message</Sag:EventClass>
<Sag:LogUnitName>None</Sag:LogUnitName>
<Sag:LogMessage><![CDATA[Response primitive sent.
Sent to Application: dummy_app (Interface: Sag:APL-I)
Primitive: ExchangeResponse
Payload size: 12345
Status: SUCCESS
RequestRef: SNL12345-2023-01-01T10:00:00.0000Z
Ref: swi12345-2023-01-01T10:00:00.0000Z
ResponseRef: snp12345-2023-01-01T10:00:00.0000Z
Responder: cn=dummy,cn=dummy_node,ou=dummy_ou,o=dummy_o
]]></Sag:LogMessage>
<Sag:LogProcess>dummy_process</Sag:LogProcess>
<Sag:RecordVersion>1</Sag:RecordVersion>
</Sag:EventLog>
</Sag:EventLogList>
```

Here is the parser configuration I have developed so far:

```properties
# Namespace Declarations
namespace.count=1
namespace[0].prefix=Sag
namespace[0].uri=urn:swift:sag:ns_Sag

# Token Declarations
token.count=14

token[0].name=LogSysTime
token[0].type=TimeStamp
token[0].format=dd/MM/yyyy HH:mm:ss.SSSS
token[0].expression=//Sag:EventLog/Sag:LogSysTime

token[1].name=LogSequence
token[1].type=Long
token[1].expression=//Sag:EventLog/Sag:LogSequence

token[2].name=ApplicationId
token[2].type=String
token[2].expression=//Sag:EventLog/Sag:ApplicationId

token[3].name=LogCorrelationId
token[3].type=String
token[3].expression=//Sag:EventLog/Sag:LogCorrelationId

token[4].name=PlugInName
token[4].type=String
token[4].expression=//Sag:EventLog/Sag:PlugInName

token[5].name=EventNumber
token[5].type=Integer
token[5].expression=//Sag:EventLog/Sag:EventNumber

token[6].name=EventName
token[6].type=String
token[6].expression=//Sag:EventLog/Sag:EventName

token[7].name=EventSeverity
token[7].type=String
token[7].expression=//Sag:EventLog/Sag:EventSeverity

token[8].name=EventClass
token[8].type=String
token[8].expression=//Sag:EventLog/Sag:EventClass

token[9].name=LogUnitName
token[9].type=String
token[9].expression=//Sag:EventLog/Sag:LogUnitName

token[10].name=LogMessage
token[10].type=String
token[10].expression=//Sag:EventLog/Sag:LogMessage

token[11].name=LogProcess
token[11].type=String
token[11].expression=//Sag:EventLog/Sag:LogProcess

token[12].name=RecordVersion
token[12].type=Integer
token[12].expression=//Sag:EventLog/Sag:RecordVersion

token[13].name=SwiftRequestRef
token[13].type=String
token[13].expression=//Sag:EventLog/Sag:LogMessage

# Trigger Node
trigger.node.expression=//Sag:EventLog

# Mapping Tokens to ArcSight Fields
event.deviceVendor=SAG
event.deviceProduct=Swift
event.deviceEventClassId=$EventNumber
event.name=$EventName
event.severity=$EventSeverity
event.deviceReceiptTime=$LogSysTime
event.deviceCustomString1Label=ApplicationId
event.deviceCustomString1=$ApplicationId
event.deviceCustomString2Label=LogCorrelationId
event.deviceCustomString2=$LogCorrelationId
event.deviceCustomString3Label=PlugInName
event.deviceCustomString3=$PlugInName
event.deviceCustomString4Label=LogUnitName
event.deviceCustomString4=$LogUnitName
event.deviceCustomString5Label=LogProcess
event.deviceCustomString5=$LogProcess
event.deviceCustomString6Label=SwiftRequestRef
event.deviceCustomString6=$SwiftRequestRef
event.deviceCustomNumber1Label=LogSequence
event.deviceCustomNumber1=$LogSequence
event.deviceCustomNumber2Label=RecordVersion
event.deviceCustomNumber2=$RecordVersion

# Severity Mapping
severity.map.veryhigh.if.deviceSeverity=Severe
severity.map.high.if.deviceSeverity=Warning
severity.map.medium.if.deviceSeverity=Information
severity.map.low.if.deviceSeverity=Low

# Event Categorization
categorization.deviceVendor=SAG
categorization.deviceProduct=Swift

categorization.file=custom_mappings.csv

# Example content of custom_mappings.csv
# Place this file at ARCSIGHT_HOME/user/agent/acp/categorizer/current/sag/swift/custom_mappings.csv
# event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
2000,/Host/Application/Service,/Communicate/Response,,/Application,/Informational,/Success
1000,/Host/Application/Service,/Communicate/Request,,/Application,/Informational,/Success
320,/Host/Application/Service,/Error,/Communication,/Warning,/Failure
5705,/Host/Application/Service,/Error,/Transport,/Warning,/Failure
```

I would appreciate any feedback on the configuration, particularly:

1. Correctness of token definitions and mappings to ArcSight fields.
2. Proper usage of severity mapping.
3. Accuracy of the event categorization and the example custom_mappings.csv content.
4. Any other best practices or improvements you might suggest.

Thank you for your assistance!


  • I used this parser, but for the log message I still can't make it work:

    ```properties
    # ArcSight FlexConnector XML File Reader Configuration
    # Configuration for parsing XML files

    # Namespace
    namespace.count=1
    namespace[0].prefix=Sag
    namespace[0].uri=urn:swift:sag:ns_Sag

    # Hop Nodes
    hop.node.count=1
    hop.node[0].name=EventLogList
    hop.node[0].expression=/Sag:EventLogList

    # Trigger Node
    trigger.node.expression=$EventLogList/Sag:EventLog

    # Token Count
    token.count=13

    # Tokens
    token[0].name=LogSysTime
    token[0].type=TimeStamp
    token[0].expression=Sag:LogSysTime

    token[1].name=LogSequence
    token[1].type=Integer
    token[1].expression=Sag:LogSequence

    token[2].name=ApplicationId
    token[2].type=String
    token[2].expression=Sag:ApplicationId

    token[3].name=LogCorrelationId
    token[3].type=String
    token[3].expression=Sag:LogCorrelationId

    token[4].name=PlugInName
    token[4].type=String
    token[4].expression=Sag:PlugInName

    token[5].name=EventNumber
    token[5].type=String
    token[5].expression=Sag:EventNumber

    token[6].name=EventName
    token[6].type=String
    token[6].expression=Sag:EventName

    token[7].name=EventSeverity
    token[7].type=String
    token[7].expression=Sag:EventSeverity

    token[8].name=EventClass
    token[8].type=String
    token[8].expression=Sag:EventClass

    token[9].name=LogUnitName
    token[9].type=String
    token[9].expression=Sag:LogUnitName

    token[10].name=LogMessage
    token[10].type=String
    token[10].expression=Sag:LogMessage

    token[11].name=LogProcess
    token[11].type=String
    token[11].expression=Sag:LogProcess

    token[12].name=RecordVersion
    token[12].type=Integer
    token[12].expression=Sag:RecordVersion

    # Event Mappings
    event.deviceCustomDate1=LogSysTime
    event.deviceCustomDate1Label=__stringConstant(LogSysTime)
    event.deviceCustomNumber1=LogSequence
    event.deviceCustomNumber1Label=__stringConstant(LogSequence)
    event.deviceEventClassId=LogCorrelationId
    event.deviceCustomString1=PlugInName
    event.deviceCustomString1Label=__stringConstant(PlugInName)
    event.externalId=EventNumber
    #event.deviceCustomString2=EventName
    #event.deviceCustomString2Label=__stringConstant(EventName)
    event.deviceCustomString3=EventSeverity
    event.deviceCustomString3Label=__stringConstant(EventSeverity)
    event.deviceCustomString4=EventClass
    event.deviceCustomString4Label=__stringConstant(EventClass)
    event.deviceCustomString5=LogUnitName
    event.deviceCustomString5Label=__stringConstant(LogUnitName)
    event.message=LogMessage
    event.deviceCustomString6=LogProcess
    event.deviceCustomString6Label=__stringConstant(LogProcess)
    event.deviceCustomNumber3=RecordVersion
    event.deviceCustomNumber3Label=__stringConstant(RecordVersion)
    event.name=EventName
    event.deviceVendor=__stringConstant(SAG)
    event.deviceProduct=__stringConstant(Swift)
    #event.name=__concatenate(EventNumber, __stringConstant(" - "), EventName)
    ```

  • Hi  

    Give this a try instead:

    ```properties
    # ArcSight FlexConnector XML File Reader Configuration
    # Configuration for parsing XML files

    # Namespace
    namespace.count=1
    namespace[0].prefix=Sag
    namespace[0].uri=urn:swift:sag:ns_Sag

    # Hop Nodes
    hop.node.count=1
    hop.node[0].name=EventLogList
    hop.node[0].expression=/Sag:EventLogList

    # Trigger Node
    #trigger.node.expression=$EventLogList/Sag:EventLog
    trigger.node.expression=//Sag:EventLog

    # Token Count
    token.count=13

    # Tokens
    token[0].name=LogSysTime
    token[0].type=TimeStamp
    token[0].expression=Sag:LogSysTime

    token[1].name=LogSequence
    token[1].type=Integer
    token[1].expression=Sag:LogSequence

    token[2].name=ApplicationId
    token[2].type=String
    token[2].expression=Sag:ApplicationId

    token[3].name=LogCorrelationId
    token[3].type=String
    token[3].expression=Sag:LogCorrelationId

    token[4].name=PlugInName
    token[4].type=String
    token[4].expression=Sag:PlugInName

    token[5].name=EventNumber
    token[5].type=String
    token[5].expression=Sag:EventNumber

    token[6].name=EventName
    token[6].type=String
    token[6].expression=Sag:EventName

    token[7].name=EventSeverity
    token[7].type=String
    token[7].expression=Sag:EventSeverity

    token[8].name=EventClass
    token[8].type=String
    token[8].expression=Sag:EventClass

    token[9].name=LogUnitName
    token[9].type=String
    token[9].expression=Sag:LogUnitName

    token[10].name=LogMessage
    token[10].type=String
    token[10].expression=Sag:LogMessage

    token[11].name=LogProcess
    token[11].type=String
    token[11].expression=Sag:LogProcess

    token[12].name=RecordVersion
    token[12].type=Integer
    token[12].expression=Sag:RecordVersion

    # Event Mappings
    event.deviceCustomDate1=LogSysTime
    event.deviceCustomDate1Label=__stringConstant(LogSysTime)
    event.deviceCustomNumber1=LogSequence
    event.deviceCustomNumber1Label=__stringConstant(LogSequence)
    event.deviceEventClassId=LogCorrelationId
    event.deviceCustomString1=PlugInName
    event.deviceCustomString1Label=__stringConstant(PlugInName)
    event.externalId=EventNumber
    #event.deviceCustomString2=EventName
    #event.deviceCustomString2Label=__stringConstant(EventName)
    event.deviceCustomString3=EventSeverity
    event.deviceCustomString3Label=__stringConstant(EventSeverity)
    event.deviceCustomString4=EventClass
    event.deviceCustomString4Label=__stringConstant(EventClass)
    event.deviceCustomString5=LogUnitName
    event.deviceCustomString5Label=__stringConstant(LogUnitName)
    event.message=LogMessage
    event.deviceCustomString6=LogProcess
    event.deviceCustomString6Label=__stringConstant(LogProcess)
    event.deviceCustomNumber3=RecordVersion
    event.deviceCustomNumber3Label=__stringConstant(RecordVersion)
    event.name=EventName
    event.deviceVendor=__stringConstant(SAG)
    event.deviceProduct=__stringConstant(Swift)
    #event.name=__concatenate(EventNumber, __stringConstant(" - "), EventName)
    ```

  • Kindly check this screenshot, as I have an issue with the severity mapping and with extracting additional info from Sag:LogMessage. My parser configuration is as follows:

    ```properties
    # ArcSight FlexConnector XML File Reader Configuration
    # Configuration for parsing XML files

    # Namespace
    namespace.count=1
    namespace[0].prefix=Sag
    namespace[0].uri=urn:swift:sag:ns_Sag

    # Hop Nodes
    hop.node.count=1
    hop.node[0].name=EventLogList
    hop.node[0].expression=/Sag:EventLogList

    # Trigger Node
    trigger.node.expression=//Sag:EventLog

    # Token Count
    token.count=22

    # Tokens
    token[0].name=LogSysTime
    token[0].type=TimeStamp
    token[0].format=dd/MM/yyyy HH:mm:ss.SSS
    token[0].expression=Sag:LogSysTime

    token[1].name=LogSequence
    token[1].type=Integer
    token[1].expression=Sag:LogSequence

    token[2].name=ApplicationId
    token[2].type=String
    token[2].expression=Sag:ApplicationId

    token[3].name=LogCorrelationId
    token[3].type=String
    token[3].expression=Sag:LogCorrelationId

    token[4].name=PlugInName
    token[4].type=String
    token[4].expression=Sag:PlugInName

    token[5].name=EventNumber
    token[5].type=String
    token[5].expression=Sag:EventNumber

    token[6].name=EventName
    token[6].type=String
    token[6].expression=Sag:EventName

    token[7].name=EventSeverity
    token[7].type=String
    token[7].expression=Sag:EventSeverity

    token[8].name=EventClass
    token[8].type=String
    token[8].expression=Sag:EventClass

    token[9].name=LogUnitName
    token[9].type=String
    token[9].expression=Sag:LogUnitName

    token[10].name=LogMessage
    token[10].type=String
    token[10].expression=Sag:LogMessage

    token[11].name=LogProcess
    token[11].type=String
    token[11].expression=Sag:LogProcess

    token[12].name=RecordVersion
    token[12].type=Integer
    token[12].expression=Sag:RecordVersion

    # Additional Tokens to split LogMessage
    token[13].name=Primitive
    token[13].type=String
    token[13].expression=substring-after(substring-before(Sag:LogMessage, '\n'), 'Primitive : ')

    token[14].name=PayloadSize
    token[14].type=String
    token[14].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'Payload size : '), '\n'), ' ')

    token[15].name=Status
    token[15].type=String
    token[15].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'Status : '), '\n'), ' ')

    token[16].name=SwiftRequestRef
    token[16].type=String
    token[16].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'SwiftRequestRef: '), '\n'), ' ')

    token[17].name=SwiftRef
    token[17].type=String
    token[17].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'SwiftRef: '), '\n'), ' ')

    token[18].name=SwiftResponseRef
    token[18].type=String
    token[18].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'SwiftResponseRef: '), '\n'), ' ')

    token[19].name=Requestor
    token[19].type=String
    token[19].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'Requestor: '), '\n'), ' ')

    token[20].name=Responder
    token[20].type=String
    token[20].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'Responder: '), '\n'), ' ')

    token[21].name=Service
    token[21].type=String
    token[21].expression=substring-after(substring-before(substring-after(Sag:LogMessage, 'Service: '), '\n'), ' ')

    # Event Mappings
    event.deviceCustomDate1=LogSysTime
    event.deviceCustomDate1Label=__stringConstant(LogSysTime)
    event.deviceCustomNumber1=LogSequence
    event.deviceCustomNumber1Label=__stringConstant(LogSequence)
    event.deviceEventClassId=LogCorrelationId
    event.deviceCustomString1=PlugInName
    event.deviceCustomString1Label=__stringConstant(PlugInName)
    event.externalId=EventNumber
    event.deviceCustomString3=EventSeverity
    event.deviceCustomString3Label=__stringConstant(EventSeverity)
    event.deviceCustomString4=EventClass
    event.deviceCustomString4Label=__stringConstant(EventClass)
    event.deviceCustomString5=LogUnitName
    event.deviceCustomString5Label=__stringConstant(LogUnitName)
    event.message=LogMessage
    event.deviceCustomString6=LogProcess
    event.deviceCustomString6Label=__stringConstant(LogProcess)
    event.deviceCustomNumber3=RecordVersion
    event.deviceCustomNumber3Label=__stringConstant(RecordVersion)
    event.name=EventName
    event.deviceVendor=__stringConstant(SAG)
    event.deviceProduct=__stringConstant(Swift)

    # Mapping additional tokens
    event.applicationProtocol=Primitive
    event.devicePayloadId=PayloadSize
    event.deviceCustomString2=Status
    event.deviceCustomString2Label=__stringConstant(Status)
    event.fileId=SwiftRequestRef
    event.sourceUserName=Requestor
    event.destinationUserName=Responder
    #event.deviceCustomString7=Service
    #event.deviceCustomString7Label=__stringConstant(Service)

    # Severity Mappings
    severity.map.veryhigh.if.deviceSeverity=Severe,Critical
    severity.map.high.if.deviceSeverity=High,Major
    severity.map.medium.if.deviceSeverity=Medium,Warning
    severity.map.low.if.deviceSeverity=Low,Information,Info
    ```

  • I have an issue with the severity mapping, as I got this error:

    ```text
    [2024-06-23 10:39:56,290][INFO ][default.com.arcsight.agent.fu][logStatus] {AddrBasedSysZonePopEvents=9851359, AddrBasedSysZonePopRows=208, AddrBasedUsrZonePopCusts=1, AddrBasedUsrZonePopEvents=0, AddrBasedUsrZonePopRows=15, AddrBasedZonePopEvents=0, AddrBasedZonePopRows=136, AddrBasedZonePopRowsIPv6=72, AgentId=33EN7-I8BABDnEIh7Uiyd+Q==, AgentLocation=/All Connectors/SAG, AgentName=SAG_MAIN_XML_20, CategorizerCount=1, CategorizerCountConsole=0, CategorizerCountCustom=1, CategorizerCustomFiles=sag\swift.csv, CommandResponses Processed=29, Commands Processed=2, Comment=, Content Version (33EN7-I8BABDnEIh7Uiyd+Q==)=2020-06-15-19-40-47_8321, Current Drop Count=0, Device [sag-snl01.swf.cbl.gov.ly|192.168.201.20|ArcSight|ArcSight] eventcount=446, Device [||SAG|Swift] eventcount=9840928, DeviceLocation=MDC, Estimated Cache Size=9834093, First Command Processed=Sun Jun 23 10:15:55 EET 2024, First CommandResponse Processed=Sun Jun 23 10:15:55 EET 2024, First Global event Processed=Sun Jun 23 10:16:05 EET 2024, First GlobalCommandResponse Processed=Sun Jun 23 10:15:55 EET 2024, First Post-Aggregation Event Processed=Sun Jun 23 10:16:00 EET 2024, First Post-Filtering Event Processed=Sun Jun 23 10:15:58 EET 2024, Global events Processed=9842498, GlobalCommandResponses Processed=29, HostNameResolutionEnabled=true, Last Command Processed=Sun Jun 23 10:19:45 EET 2024, Last CommandResponse Processed=Sun Jun 23 10:38:56 EET 2024, Last Global event Processed=Sun Jun 23 10:39:56 EET 2024, Last GlobalCommandResponse Processed=Sun Jun 23 10:38:56 EET 2024, Last Post-Aggregation Event Processed=Sun Jun 23 10:39:56 EET 2024, Last Post-Filtering Event Processed=Sun Jun 23 10:39:56 EET 2024, LastModified=Sun Jun 09 12:11:27 EET 2024, M1CacheDropped=0, M1CacheSize=0, ModifiedBy=Mohamed_Elbeshti, NGCustomAdditionalDataMapper0=Generic mappings:(no mappings), NGCustomAdditionalDataMapper1=Mappings for ArcSight\ArcSight:(no mappings), NGCustomAdditionalDataMapper2=Mappings for SAG\Swift:(no mappings), NameResolverIPv6Control=IPv4 Only for Legacy Events, Post-Aggregation Event rate LTC=Sun Jun 23 10:38:56 EET 2024, Post-Aggregation Events Processed=9841174, Post-Aggregation Events Processed(SLC)=218703, Post-Aggregation Events/Sec=6853.1852367688025, Post-Aggregation Events/Sec(SLC)=3645.05, Post-Filtering Event rate LTC=Sun Jun 23 10:38:56 EET 2024, Post-Filtering Events Processed=9851359, Post-Filtering Events Processed(SLC)=228888, Post-Filtering Events/Sec=6850.736439499305, Post-Filtering Events/Sec(SLC)=3814.8, RawEventCount=9840928, RawEventLen=8125827796, RawEventPreAggregatedCount=9840928, Resolver.hAdded=0, Resolver.hEvicted=0, Resolver.hQBlocked=0, Resolver.hQRejected=0, Resolver.hQSize=0, Resolver.hSize=0, Resolver.iAdded=0, Resolver.iEvicted=0, Resolver.iQBlocked=0, Resolver.iQRejected=0, Resolver.iQSize=0, Resolver.iSize=0, StatusCode=1, TC.dropcount=0, TC.size=0, URL=arcsight.cbl.gov.ly:8443, ZFiltered=0, aup[acp].version=2020-06-15-19-40-47_8321, aup[system-zone-mappings].version=00000000000005024824, aup[user-categorizations].version=00000000000000238692, aup[user-zone-mappings].version=00000000000005035408, aupmaster=Enabled for arcsight.cbl.gov.ly:8443, bsent=64, detectedversion=7.5.0.2720.0, failedattempts=0, failedattempts(SLC)=0, hbstatus=Up, queuesize=500, sent=6305, sent(SLC)=0, status=Up, throughput=4.374607985168657, throughput LTC=Sun Jun 23 10:38:56 EET 2024, throughput(SLC)=0.0}
    ```

  • For the event severity (or agent severity) to get set, you'll need to add this to the parser:

    ```properties
    event.deviceSeverity=EventSeverity
    ```

    Keep in mind that while that will set the agent severity for the event, it's different from the priority of the event, which gets calculated by ESM. Take a look at page 41 of the ESM 101 guide. It explains how the priority of the event is calculated - www.microfocus.com/.../ESM_101.pdf

    It's a combination of the event severity (or agent severity) and the other factors mentioned in the guide (model confidence, relevance, severity and asset criticality). The latter is information that would have to be in ESM. In short, it would have to do with the asset being present in the network model and further information about it to contribute to the priority.

  • Verified Answer

    Regarding your question about categorization, take a look at this document on categorization for some detailed info - https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors-8.3/pdfdoc/4834.EventCategorizationWhitePaper/4834.EventCategorizationWhitePaper.pdf

    It looks like you're missing categoryTechnique from the mapping. So a mapping should look more like this for the header:

    ```csv
    event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
    ```

    And then the placement of the file should be like this:

    ```text
    $AGENT_HOME/user/agent/acp/categorizer/current/<deviceVendor>/<deviceProduct>.csv
    ```

    So in your case:

    ```text
    $ARCSIGHT_HOME/user/agent/acp/categorizer/current/sag/swift.csv
    ```
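The mismatch the answer above points out (a seven-field row under a six-column header) is the kind of defect a short offline check catches before the file reaches the categorizer directory. The following Python script is an added example, not ArcSight tooling and not code from the thread: it parses a categorization CSV, reports every data row whose field count differs from the header's, and flags any category value that is not a '/'-rooted path. The header is the one from the answer; the rows are the ones from the original post, embedded here as constructed sample input.

```python
"""Offline sanity check for a FlexConnector categorization CSV (added example).

Checks two things a connector will not report clearly for you:
  * every data row has exactly as many fields as the header, and
  * every category value is either empty or a '/'-rooted path.
"""
import csv
import io

# Header as given in the answer above (categoryTechnique included).
HEADER = (
    "event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,"
    "set.event.categoryTechnique,set.event.categoryDeviceGroup,"
    "set.event.categorySignificance,set.event.categoryOutcome"
)

# Constructed sample: the rows from the original post under the corrected header.
CSV_TEXT = HEADER + "\n" + """\
2000,/Host/Application/Service,/Communicate/Response,,/Application,/Informational,/Success
1000,/Host/Application/Service,/Communicate/Request,,/Application,/Informational,/Success
320,/Host/Application/Service,/Error,/Communication,/Warning,/Failure
5705,/Host/Application/Service,/Error,/Transport,/Warning,/Failure
"""


def validate_categorization_csv(text: str) -> list[str]:
    """Return human-readable problems; an empty list means the file is consistent."""
    problems: list[str] = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["empty file"]
    header = rows[0]
    if header[0] != "event.deviceEventClassId":
        problems.append("first column must be event.deviceEventClassId")
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:  # blank line, nothing to check
            continue
        if len(row) != len(header):
            # A short row silently shifts every later column one place to the left.
            problems.append(f"line {lineno}: {len(row)} fields, header has {len(header)}")
            continue
        for col, value in zip(header[1:], row[1:]):
            if value and not value.startswith("/"):
                problems.append(f"line {lineno}: {col}={value!r} is not a '/'-rooted category path")
    return problems


def fixed_sample() -> str:
    """The same rows with the empty categoryTechnique column inserted on the short rows."""
    return (CSV_TEXT
            .replace("/Error,/Communication", "/Error,,/Communication")
            .replace("/Error,/Transport", "/Error,,/Transport"))


if __name__ == "__main__":
    for problem in validate_categorization_csv(CSV_TEXT) or ["no problems found"]:
        print(problem)
    print("after fix:", validate_categorization_csv(fixed_sample()) or "no problems found")
```

Against the rows as posted it reports lines 4 and 5 (the 320 and 5705 rows) as six fields under a seven-column header, which is exactly where the empty categoryTechnique column is missing; after inserting that empty column the file validates cleanly. Run it with the real file's contents in place of CSV_TEXT before copying the file into the categorizer directory.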

  • Thank you so much for your help. I did what you mentioned and it works. I have one more question regarding conditional mapping; my current parser is as follows:

    ```properties
    # ArcSight FlexConnector XML File Reader Configuration
    # Configuration for parsing XML files

    # Namespace
    namespace.count=1
    namespace[0].prefix=Sag
    namespace[0].uri=urn:swift:sag:ns_Sag

    # Hop Nodes
    hop.node.count=1
    hop.node[0].name=EventLogList
    hop.node[0].expression=/Sag:EventLogList

    # Trigger Node
    trigger.node.expression=//Sag:EventLog

    # Token Count
    token.count=25

    # Tokens
    token[0].name=LogSysTime
    token[0].type=TimeStamp
    token[0].format=dd/MM/yyyy HH:mm:ss.SSS
    token[0].expression=Sag:LogSysTime

    token[1].name=LogSequence
    token[1].type=Integer
    token[1].expression=Sag:LogSequence

    token[2].name=ApplicationId
    token[2].type=String
    token[2].expression=Sag:ApplicationId

    token[3].name=LogCorrelationId
    token[3].type=String
    token[3].expression=Sag:LogCorrelationId

    token[4].name=PlugInName
    token[4].type=String
    token[4].expression=Sag:PlugInName

    token[5].name=EventNumber
    token[5].type=String
    token[5].expression=Sag:EventNumber

    token[6].name=EventName
    token[6].type=String
    token[6].expression=Sag:EventName

    token[7].name=EventSeverity
    token[7].type=String
    token[7].expression=Sag:EventSeverity

    token[8].name=EventClass
    token[8].type=String
    token[8].expression=Sag:EventClass

    token[9].name=LogUnitName
    token[9].type=String
    token[9].expression=Sag:LogUnitName

    token[10].name=LogMessage
    token[10].type=String
    token[10].expression=Sag:LogMessage

    token[11].name=LogProcess
    token[11].type=String
    token[11].expression=Sag:LogProcess

    token[12].name=RecordVersion
    token[12].type=Integer
    token[12].expression=Sag:RecordVersion

    # Additional Tokens to split LogMessage
    token[13].name=SenttoApplication
    token[13].type=String
    token[13].expression=substring-before(substring-after(Sag:LogMessage, 'Sent to Application : '), '\n')

    token[14].name=ReceivedfromApplication
    token[14].type=String
    token[14].expression=substring-before(substring-after(Sag:LogMessage, 'Received from Application : '), '\n')

    token[15].name=Primitive
    token[15].type=String
    token[15].expression=substring-before(substring-after(Sag:LogMessage, 'Primitive : '), '\n')

    token[16].name=PayloadSize
    token[16].type=String
    token[16].expression=substring-before(substring-after(Sag:LogMessage, 'Payload size : '), '\n')

    token[17].name=Status
    token[17].type=String
    token[17].expression=substring-before(substring-after(Sag:LogMessage, 'Status : '), '\n')

    token[18].name=SwiftRequestRef
    token[18].type=String
    token[18].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftRequestRef: '), '\n')

    token[19].name=SwiftRef
    token[19].type=String
    token[19].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftRef: '), '\n')

    token[20].name=SwiftResponseRef
    token[20].type=String
    token[20].expression=substring-before(substring-after(Sag:LogMessage, 'SwiftResponseRef: '), '\n')

    token[21].name=Requestor
    token[21].type=String
    token[21].expression=substring-before(substring-after(Sag:LogMessage, 'Requestor: '), '\n')

    token[22].name=Responder
    token[22].type=String
    token[22].expression=substring-before(substring-after(Sag:LogMessage, 'Responder: '), '\n')

    token[23].name=Service
    token[23].type=String
    token[23].expression=substring-before(substring-after(Sag:LogMessage, 'Service: '), '\n')

    token[24].name=RequestType
    token[24].type=String
    token[24].expression=substring-before(substring-after(Sag:LogMessage, 'RequestType: '), '\n')

    # Conditional Mapping using token
    conditionalmap.count=1
    # Assuming EventNumber is the token to evaluate
    conditionalmap[0].token=EventNumber
    conditionalmap[0].mappings.count=2

    # Mapping for EventNumber=2000
    conditionalmap[0].mappings[0].values=2000
    conditionalmap[0].mappings[0].event.deviceCustomString3=substring-before(substring-after(Sag:LogMessage, 'RequestRef: '), '\n')

    # Mapping for EventNumber=1000
    conditionalmap[0].mappings[1].values=1000
    conditionalmap[0].mappings[1].event.deviceCustomString3=substring-before(substring-after(Sag:LogMessage, 'RequestRef: '), '\n')

    additionaldata.enabled=true
    trim.values=true
    trim.tokens=true

    # Event Mappings
    event.deviceCustomDate1=LogSysTime
    event.deviceCustomDate1Label=__stringConstant(LogSysTime)
    event.deviceCustomNumber1=LogSequence
    event.deviceCustomNumber1Label=__stringConstant(LogSequence)

    event.deviceEventClassId=EventNumber

    event.deviceCustomString1=PlugInName
    event.deviceCustomString1Label=__stringConstant(PlugInName)

    event.externalId=LogCorrelationId

    # event.deviceCustomString3 is set by conditional mapping
    # event.deviceCustomString3=RequestRef
    # event.deviceCustomString3Label=__stringConstant(RequestRef)

    event.deviceSeverity=EventSeverity

    event.deviceCustomString4=EventClass
    event.deviceCustomString4Label=__stringConstant(EventClass)
    event.deviceCustomString5=LogUnitName
    event.deviceCustomString5Label=__stringConstant(LogUnitName)
    event.message=LogMessage
    event.deviceCustomString6=LogProcess
    event.deviceCustomString6Label=__stringConstant(LogProcess)
    event.deviceCustomNumber3=RecordVersion
    event.deviceCustomNumber3Label=__stringConstant(RecordVersion)
    event.name=EventName
    event.deviceVendor=__stringConstant(SAG)
    event.deviceProduct=__stringConstant(Swift)

    # Mapping additional tokens
    event.applicationProtocol=Primitive
    event.devicePayloadId=PayloadSize
    event.deviceCustomString2=Status
    event.deviceCustomString2Label=__stringConstant(Status)
    event.fileId=SwiftRequestRef
    event.sourceUserName=Requestor
    event.destinationUserName=Responder
    event.requestContext=RequestType
    # event.deviceCustomString7=Service
    # event.deviceCustomString7Label=__stringConstant(Service)
    event.sourceProcessName=SenttoApplication
    event.destinationProcessName=ReceivedfromApplication

    severity.map.veryhigh.if.deviceSeverity=Severe,Critical,Fatal
    severity.map.high.if.deviceSeverity=High,Major
    severity.map.medium.if.deviceSeverity=Medium,Warning
    severity.map.low.if.deviceSeverity=Low,Information,Info
    ```

    The value of deviceCustomString3 is empty.
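The empty deviceCustomString3 here, and the empty Primitive, PayloadSize and Status tokens in the earlier reply that splits Sag:LogMessage, can be reproduced offline without a connector. The following Python script is an added example, not code from the thread and not ArcSight code: it selects Sag:LogMessage from the sample event in the original post and evaluates the substring-after/substring-before pairs used in the configs above with the semantics the XPath 1.0 specification gives those functions (an absent needle yields the empty string, and string literals have no escape sequences, so '\n' is a backslash followed by the letter n, never a line break). It assumes the connector's XPath engine follows that specification. The two things it makes visible: the label literals in the configs ('Primitive : ', 'Payload size : ', 'SwiftRequestRef: ') do not occur in the sample message, whose labels read 'Primitive: ', 'Payload size: ' and 'RequestRef: ', and the '\n' terminator never matches, so every such token arrives empty. The helper names and the MATCHING_SAMPLE table are the example's own.

```python
"""Offline check of the LogMessage sub-field extraction used in the parser
configs above, evaluated against the sample event from the original post.

Added example, not ArcSight code. substring_before()/substring_after() emulate
the XPath 1.0 functions of the same name: an absent needle gives '', and the
needle is taken literally, because XPath 1.0 string literals have no escapes.
"""
import xml.etree.ElementTree as ET

NS = {"Sag": "urn:swift:sag:ns_Sag"}

# Constructed sample: the event from the original post, trimmed to the nodes needed here.
SAMPLE_XML = """<?xml version="1.0"?>
<Sag:EventLogList xmlns:Sag="urn:swift:sag:ns_Sag">
<Sag:EventLog>
<Sag:EventNumber>2000</Sag:EventNumber>
<Sag:LogMessage><![CDATA[Response primitive sent.
Sent to Application: dummy_app (Interface: Sag:APL-I)
Primitive: ExchangeResponse
Payload size: 12345
Status: SUCCESS
RequestRef: SNL12345-2023-01-01T10:00:00.0000Z
Ref: swi12345-2023-01-01T10:00:00.0000Z
ResponseRef: snp12345-2023-01-01T10:00:00.0000Z
Responder: cn=dummy,cn=dummy_node,ou=dummy_ou,o=dummy_o
]]></Sag:LogMessage>
</Sag:EventLog>
</Sag:EventLogList>
"""


def substring_before(s: str, needle: str) -> str:
    """XPath 1.0 substring-before(): '' when the needle is absent."""
    i = s.find(needle)
    return "" if i < 0 else s[:i]


def substring_after(s: str, needle: str) -> str:
    """XPath 1.0 substring-after(): '' when the needle is absent."""
    i = s.find(needle)
    return "" if i < 0 else s[i + len(needle):]


def log_message(xml_text: str) -> str:
    """Text of Sag:LogMessage under the trigger node Sag:EventLog (CDATA is plain text here)."""
    root = ET.fromstring(xml_text)
    node = root.find("Sag:EventLog/Sag:LogMessage", NS)
    return node.text or ""


def extract(msg: str, label: str, terminator: str) -> str:
    """substring-before(substring-after(msg, label), terminator): the nesting used
    for tokens 13-24 in the last config above."""
    return substring_before(substring_after(msg, label), terminator)


def check_labels(msg: str, labels: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Evaluate each token's (label, terminator) pair against the message."""
    return {name: extract(msg, label, term) for name, (label, term) in labels.items()}


def empty_tokens(xml_text: str, labels: dict[str, tuple[str, str]]) -> list[str]:
    """Names of the tokens that would reach ArcSight as empty strings."""
    values = check_labels(log_message(xml_text), labels)
    return [name for name, value in values.items() if value == ""]


# Literals exactly as written in the configs above: a space before the colon,
# and the two-character sequence backslash-n as the line terminator.
AS_POSTED = {
    "Primitive": ("Primitive : ", "\\n"),
    "PayloadSize": ("Payload size : ", "\\n"),
    "Status": ("Status : ", "\\n"),
    "SwiftRequestRef": ("SwiftRequestRef: ", "\\n"),
}

# Example's own table: labels spelled as they occur in the sample message,
# terminated by a real newline character.
MATCHING_SAMPLE = {
    "Primitive": ("Primitive: ", "\n"),
    "PayloadSize": ("Payload size: ", "\n"),
    "Status": ("Status: ", "\n"),
    "SwiftRequestRef": ("RequestRef: ", "\n"),
}


if __name__ == "__main__":
    msg = log_message(SAMPLE_XML)
    print("as posted       :", check_labels(msg, AS_POSTED))
    print("matching sample :", check_labels(msg, MATCHING_SAMPLE))
```

Paste the LogMessage of a real event into SAMPLE_XML and the label strings from your own parser into AS_POSTED to see, per token, what the connector would store; a token that comes back as '' here will be empty in ArcSight as well.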