
ArcSight Syslog flex connector for parsing Multiline is not working

I have created a flex connector for the following multiline syslog. It is successfully assigning values in the Flex agent regex tester, but it is not parsing the values when installed. I can view the complete message in the event.name field. Please help to resolve the issue and confirm whether multiline works for syslogs or not.

<188>2019-12-18 06:50:34 DC-FW-01 %%01SEC/4/SESSION(l): -DevIP=10.1.1.19; Protocol:tcp; 45.116.232.45:9059; -->202.83.164.173:80; 10.2.9.102:80; [2019/12/18 11:50:19 - 2019/12/18 11:50:34] Src VPN ID:0 Dst VPN ID:0; status:1

User name:45.116.232.45;

Below is the code

# Multiline boundaries: a record starts on a line containing a dash-separated number
# (the date) and ends on the "User name:" line.
multiline.starts.regex=.*\\d+\\-\\d+.*
multiline.ends.regex=.*User\\s+name\\\:.*\\;
# Forward messages the main regex fails to match instead of dropping them.
do.unparsed.events=true
# Main parser regex: 16 capture groups, one per token defined below.
regex=(\\d+\\-\\d+\\-\\d+\\s+\\d+\\\:\\d+\\\:\\d+)\\s+(\\w+\\-\\w+\\-\\d+).*DevIP\=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\;\\s+Protocol\\\:(\\w+)\\;\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)\\\:(\\d+)\\;.*\\>(\\d+\\.\\d+\\.\\d+\\.\\d+)\\\:(\\d+)\\;\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)*\\\:*(\\d+)*\\;*\\s*+\\[(\\d+\\/\\d+\\/\\d+\\s+\\d+\\\:\\d+\\\:\\d+)\\s+\\-\\s+(\\d+\\/\\d+\\/\\d+\\s+\\d+\\\:\\d+\\\:\\d+)\\]\\s+Src\\s+VPN\\s+ID\\\:(\\d+)\\s+Dst\\s+VPN\\s+ID\\\:(\\d+)\\;\\s+status\\\:(\\d+)(.*User.*)

# Token definitions: token[n] receives capture group n+1 of the regex above.
token.count=16

token[0].name=timestamp
token[0].type=String

token[1].name=DevName
token[1].type=String

token[2].name=DevIP
token[2].type=IPAddress

token[3].name=Protocol
token[3].type=String

token[4].name=SourceIP
token[4].type=IPAddress

token[5].name=SourcePort
token[5].type=String

token[6].name=DesIP1
token[6].type=IPAddress

token[7].name=DesPort1
token[7].type=String

token[8].name=DesIP2
token[8].type=String

token[9].name=DesPort2
token[9].type=String

token[10].name=TimeReq
token[10].type=String

token[11].name=TimeEstb
token[11].type=String

token[12].name=SourceVpnId
token[12].type=String

token[13].name=DstVpnId
token[13].type=String

token[14].name=Status
token[14].type=String

token[15].name=SubMsg
token[15].type=String


# Submessage selection: the Status token picks which submessage applies,
# and the SubMsg token (the trailing "User name:" text) is what it parses.
submessage.messageid.token=Status
submessage.token=SubMsg


# Event field mappings from tokens to ArcSight event fields.
event.deviceAddress=DevIP
event.deviceVendor=__stringConstant("Huawei")
event.deviceProduct=__stringConstant("NTC12AM")
event.destinationAddress=DesIP1
event.transportProtocol=Protocol
event.name=DevName
event.sourceAddress=SourceIP


#l10n.filename.prefix=

# One submessage per status value (0 and 1); both extract the address after "User name:".
submessage.count=2

submessage[0].messageid=0
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=.*User name\:(\\d+\\.\\d+\\.\\d+\\.\\d+);
submessage[0].pattern[0].fields=event.sourceUserId


submessage[1].messageid=1
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=.*User name\:(\\d+\\.\\d+\\.\\d+\\.\\d+);
submessage[1].pattern[0].fields=event.sourceUserId



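Added example, not part of the original post and not ArcSight code: a small Python harness that loads the posted properties with Java-properties-style backslash unescaping, compiles the posted main regex, and runs it over the two sample lines the way the regex tester does. It assumes the connector joins the two lines with a single space before the main regex runs (the `LINE1`/`LINE2` strings are the sample from the post; all function names are mine). It also checks the ways the same regex stops matching: when the second line is never joined to the first, when the lines are joined with a newline that `.*` cannot cross, and when the whole message must match while the `<188>` syslog priority prefix is still present. Any of those produces exactly the posted symptom, the raw message in event.name via do.unparsed.events.

```python
import re

# Constructed harness for checking the posted FlexConnector regexes outside the
# connector. It only imitates java.util.Properties unescaping and the regex match;
# the connector's real behaviour still has to be confirmed with the connector itself.
POSTED_PROPERTIES = r"""
multiline.starts.regex=.*\\d+\\-\\d+.*
multiline.ends.regex=.*User\\s+name\\\:.*\\;
regex=(\\d+\\-\\d+\\-\\d+\\s+\\d+\\\:\\d+\\\:\\d+)\\s+(\\w+\\-\\w+\\-\\d+).*DevIP\=(\\d+\\.\\d+\\.\\d+\\.\\d+)\\;\\s+Protocol\\\:(\\w+)\\;\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)\\\:(\\d+)\\;.*\\>(\\d+\\.\\d+\\.\\d+\\.\\d+)\\\:(\\d+)\\;\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)*\\\:*(\\d+)*\\;*\\s*+\\[(\\d+\\/\\d+\\/\\d+\\s+\\d+\\\:\\d+\\\:\\d+)\\s+\\-\\s+(\\d+\\/\\d+\\/\\d+\\s+\\d+\\\:\\d+\\\:\\d+)\\]\\s+Src\\s+VPN\\s+ID\\\:(\\d+)\\s+Dst\\s+VPN\\s+ID\\\:(\\d+)\\;\\s+status\\\:(\\d+)(.*User.*)
submessage[0].pattern[0].regex=.*User name\:(\\d+\\.\\d+\\.\\d+\\.\\d+);
"""

# token[0..15].name from the post, in capture-group order.
TOKEN_NAMES = [
    "timestamp", "DevName", "DevIP", "Protocol", "SourceIP", "SourcePort",
    "DesIP1", "DesPort1", "DesIP2", "DesPort2", "TimeReq", "TimeEstb",
    "SourceVpnId", "DstVpnId", "Status", "SubMsg",
]

# The two lines from the post (constructed sample input).
LINE1 = ("<188>2019-12-18 06:50:34 DC-FW-01 %%01SEC/4/SESSION(l): -DevIP=10.1.1.19; "
         "Protocol:tcp; 45.116.232.45:9059; -->202.83.164.173:80; 10.2.9.102:80; "
         "[2019/12/18 11:50:19 - 2019/12/18 11:50:34] Src VPN ID:0 Dst VPN ID:0; status:1")
LINE2 = "User name:45.116.232.45;"


def load_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' comments, and
    backslash unescaping (a doubled backslash becomes one; an escaped ':' or '='
    becomes the bare character), which is what turns the posted text into a regex."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = re.sub(r"\\(.)", lambda m: m.group(1), value)
    return props


def java_to_python(pattern):
    """Python's re accepts possessive quantifiers such as \\s*+ only from 3.11;
    the greedy form matches the same text in this pattern, so rewrite it."""
    return pattern.replace("*+", "*")


def matches_whole(props, key, line):
    """True when the whole line matches the regex stored under the given key."""
    return re.fullmatch(java_to_python(props[key]), line) is not None


def parse_event(props, message, whole_message=False):
    """Apply the posted main regex and map capture groups to token names.
    Returns None when it does not match (the connector would then emit the
    message unparsed, raw text in the name field)."""
    pattern = re.compile(java_to_python(props["regex"]))
    m = pattern.fullmatch(message) if whole_message else pattern.search(message)
    return dict(zip(TOKEN_NAMES, m.groups())) if m else None


def token_count_matches(props):
    """token.count=16 must equal the number of capture groups in the regex."""
    return re.compile(java_to_python(props["regex"])).groups == len(TOKEN_NAMES)


def extract_user(props, submsg):
    """Run the submessage pattern over the SubMsg token, as the connector does."""
    m = re.search(java_to_python(props["submessage[0].pattern[0].regex"]), submsg)
    return m.group(1) if m else None


def run_checks():
    props = load_properties(POSTED_PROPERTIES)
    # Assumption: the connector joins the two lines with a single space.
    joined = LINE1 + " " + LINE2
    parsed = parse_event(props, joined)
    return {
        # Do the multiline boundary regexes classify the two lines as intended?
        "boundaries": (matches_whole(props, "multiline.starts.regex", LINE1),
                       matches_whole(props, "multiline.ends.regex", LINE2)),
        "joined": parsed,
        "user_id": extract_user(props, parsed["SubMsg"]) if parsed else None,
        # Symptom 1: if the lines are never joined, the trailing (.*User.*) group
        # cannot match and the whole message goes out unparsed.
        "first_line_only": parse_event(props, LINE1),
        # Symptom 2: '.' does not cross a newline (in Java or Python), so a
        # newline-joined record also fails unless the regex allows it.
        "joined_with_newline": parse_event(props, LINE1 + "\n" + LINE2),
        # Symptom 3: a whole-message match fails while the <188> priority prefix
        # is still present, because the regex begins at the timestamp.
        "whole_with_pri": parse_event(props, joined, whole_message=True),
        "whole_without_pri": parse_event(props, joined[len("<188>"):], whole_message=True),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Running it prints the 16 token values for the space-joined record and `None` for the three failure cases, which is a quick way to tell whether the multiline join or the syslog header is what differs between the regex tester and the installed connector.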
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.