This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
malchus6
Lieutenant Commander Lieutenant Commander
Lieutenant Commander
‎2016-09-14 19:29
230 views

Can I tag events at the connector with name of specific log file?

So, I am setting up a regex folder file connector. Within the directory there will be multiple files that will be ingested. What I want to be able to do is tag each individual event with the name of the log file it came from and map it to one of the custom fields within ESM.

So, if for example event1 came from Monday.log and event2 came from Tuesday.log I want to be able to somehow mark each base event with the name of their original log file. This way for example, within ESM I can filter by events that only came from Tuesday.log.

I was not sure if there was any mapping/declaration that can be configured within the config file to enable this.

Thanks in advance for any assistance!

Mike

Labels (3)
0 Likes
Reply
Report Inappropriate Content
4 Replies
Gayan
Fleet Admiral
Fleet Admiral
‎2016-09-14 23:30

Hi Mike,

Yes you can do the mapping in connector level.

Map files are actual physical files, located in the connector itself. Map files operate on events after they are collected and parsed, but before they are sent to the destination, conditionally changing one or more event fields.

Place basic map files in the user/agent/map directory under the ArcSight home directory of the connector file system.

Before that make sure which log map with which name..

Cheers

Gayan

Mr
0 Likes
Reply
Report Inappropriate Content
malchus6
Lieutenant Commander Lieutenant Commander
Lieutenant Commander
‎2016-09-15 13:46

Thanks for the reply, Gayan!

I am familiar with map files, and had considered that solution, however it does not appear (from what I can find) that the actual log file name is parsed as part of the connector's operation. I am looking for a way to get the log's file name parsed with each corresponding event so I can then map it.

Thanks again!

0 Likes
Reply
Report Inappropriate Content
A-Aron
Micro Focus Expert
Micro Focus Expert
‎2016-09-15 21:39

Yes, grabbing the log file name is part of the Flex Connector capabilities.

Search for it in the Flex Connector Developer's Guide.

Post back here if you need more assistance.

0 Likes
Reply
Report Inappropriate Content
Gayan
Fleet Admiral
Fleet Admiral
‎2016-09-15 21:46

Is there any way to add extra flag for log like Monday.log come with Mon flag something. Because connector know  about log file name. its listed under syslog.properties.

Or you can create a rule for add extra  filed based on the day.

Cheers

Gayan

Mr
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.