Regular Contributor.

Flex Connector Conditional Map on Multiple Fields


I need to write a FlexConnector with conditional mappings. I see in the FlexConnector dev guide clear documentation on how to use conditional mappings on one event field:

regex=Event id is (\\d+) type (\\S+) with parameter (\\S+)
token.count=3
token[0].name=EVENTID
token[1].name=TYPE
token[2].name=PARAMETER

#Standard mappings
event.deviceEventClassId=EVENTID
event.deviceEventCategory=TYPE

#Conditional mappings
conditionalmap.count=1
conditionalmap[0].field=event.deviceEventClassId
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=532,534
conditionalmap[0].mappings[0].event.sourceAddress=PARAMETER
conditionalmap[0].mappings[1].values=533
conditionalmap[0].mappings[1].event.sourceUserName=PARAMETER

This allows flexibility to map differently depending on the value of the event.deviceEventClassId field, which is great.  However, I do not see any documentation and I'm wondering if it is possible to use the values from MULTIPLE event fields/tokens to conditionally specify a new mapping?

As an example, if userName=root and outcome=success and process=/usr/bin/sshd, map to event.name the string constant "Successful root ssh login".

Is this scenario possible with conditional mappings?


Accepted Solutions
Outstanding Contributor.

Hello Jlseallg

I would suggest using a map file.

Create a file named map.2.properties

under the folder

current\user\agent\map

The content of the file will be

"First Line"

event.deviceVendor,event.deviceProduct,event.sourceUserName,event.categoryOutcome,event.sourceProcessName,set.event.name

"Second Line"

Unix,Unix,root,success,=/usr/bin/sshd,Successful root ssh login

 

Best Regards

David

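A worked model of the multi-field lookup David describes, added here as an example (it is not part of the original post and not ArcSight's own map-file engine): a small Python implementation that parses a map file shaped like the two lines above, treats the plain columns as conditions that must all match, treats the set. column as the field to write, and applies the rule to constructed parsed events. The map-file text, the two sample events and the matching rule (a leading "=" read as an explicit exact-match marker, otherwise plain string equality, first matching row wins) are assumptions made for illustration; the connector's real matching rules are those in the FlexConnector developer's guide, and the outcome field is spelled event.categoryOutcome here.

```python
import csv
import io

# Constructed sample map file, modelled on David's two-line example above:
# a header row of getter/setter columns, then one rule row.
SAMPLE_MAP_FILE = """\
event.deviceVendor,event.deviceProduct,event.sourceUserName,event.categoryOutcome,event.sourceProcessName,set.event.name
Unix,Unix,root,success,=/usr/bin/sshd,Successful root ssh login
"""

SETTER_PREFIX = "set."


def parse_map_file(text):
    """Parse a map-file body into a list of (conditions, assignments) rules.

    conditions: event field -> required value (the getter columns)
    assignments: event field -> value to write (the 'set.' columns)
    Simplified model for illustration, not the connector's own parser.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    rules = []
    for row in reader:
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != len(header):
            raise ValueError(
                f"row has {len(row)} cells, header has {len(header)}: {row}")
        conditions, assignments = {}, {}
        for column, cell in zip(header, row):
            if column.startswith(SETTER_PREFIX):
                assignments[column[len(SETTER_PREFIX):]] = cell
            else:
                conditions[column] = cell
        rules.append((conditions, assignments))
    return rules


def _matches(required, actual):
    # Assumption: a leading '=' marks an explicit exact match; otherwise
    # plain string equality. The real connector's matching rules may differ.
    if required.startswith("="):
        required = required[1:]
    return actual == required


def apply_map(event, rules):
    """Return a copy of event with the first matching rule's setters applied.

    Every getter column must match, which is the multi-field AND condition
    the question asks for (user AND outcome AND process).
    """
    result = dict(event)
    for conditions, assignments in rules:
        if all(_matches(val, result.get(field))
               for field, val in conditions.items()):
            result.update(assignments)
            break  # first matching rule wins in this model
    return result


# Constructed parsed events, as they would look after the FlexConnector's
# standard token-to-field mappings have run.
ROOT_SSH_LOGIN = {
    "event.deviceVendor": "Unix",
    "event.deviceProduct": "Unix",
    "event.sourceUserName": "root",
    "event.categoryOutcome": "success",
    "event.sourceProcessName": "/usr/bin/sshd",
}
FAILED_ROOT_SSH = dict(ROOT_SSH_LOGIN, **{"event.categoryOutcome": "failure"})


def demo():
    """Apply the sample map file to both events; returns their event.name values."""
    rules = parse_map_file(SAMPLE_MAP_FILE)
    return (apply_map(ROOT_SSH_LOGIN, rules).get("event.name"),
            apply_map(FAILED_ROOT_SSH, rules).get("event.name"))


if __name__ == "__main__":
    print(demo())
```

Only the successful login gets event.name set; the failed one differs in a single column and therefore matches no row, which is the behaviour a single-field conditionalmap cannot express. Because the getter columns are compared against event fields, the standard mappings in the properties file have to populate those fields first, or the row will never match.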

Regular Contributor.
Thank you David, very helpful!

Frequent Contributor.

Hi David,

Thanks for the response. I came across this when searching for the solution for regex for multiple lines or different files.

I have the following scenario: Checkpoint Firewall (R77.30) integrated with ArcSight. It did not work with the Checkpoint Syslog connector, so we had to parse the log in order to receive the firewall logs in the correct format.

SmartDefense is an intrusion prevention system integrated into the Checkpoint firewall, and we are getting logs from SmartDefense as well, but again unparsed.

I need to know the response on the following:

1. I prepared and deployed a different SDK properties file, with the IPS log regex, tokens and mappings, in the same location where the SDK properties file for the firewall logs is located, i.e., current\user\agent\flexagent\syslog. But this did not work.

2. Do we need to write a different regex and a different SDK properties file and deploy it in the same location or a different location, because the firewall and IPS logs are coming from the same host? Or do we need to have only one SDK file where both regexes are mentioned, with multiple mappings to a single field? Is this possible?

Please suggest.

 

Best Regards,

Praveen Kamble
