I need to write a flexconnector with conditional mappings. I see in the flex connector dev guide clear documentation on how to use conditional mappings on one event field:
regex=Event id is (\\d+) type (\\S+) with parameter (\\S+)
This allows flexibility to map differently depending on the value of the event.deviceEventClassId field, which is great. However, I do not see any documentation and I'm wondering if it is possible to use the values from MULTIPLE event fields/tokens to conditionally specify a new mapping?
As an example, if userName=root and outcome=success and process=/usr/bin/sshd, map to event.name the string constant "Successful root ssh login".
Is this scenario possible with conditional mappings?
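One way to approximate a multi-field condition with the documented single-field syntax is to build a composite key from the tokens with __concatenate, map it into the field the conditional map keys on, and then match the joined string. The fragment below is an added example, not from the dev guide or from the original post; it assumes a constructed log format of the form `user=root outcome=success process=/usr/bin/sshd`, keys the conditional map on event.deviceEventClassId because that is the field the dev guide's own example uses (whether conditionalmap[n].field accepts other mapped fields is not confirmed here), and assumes conditional mappings are evaluated after the base mappings so the concatenated value is already present:

```properties
# Added example (not from the FlexConnector dev guide). Assumed sample line:
#   user=root outcome=success process=/usr/bin/sshd
regex=user=(\\S+) outcome=(\\S+) process=(\\S+)

token.count=3
token[0].name=userName
token[0].type=String
token[1].name=outcome
token[1].type=String
token[2].name=process
token[2].type=String

# Base mappings: keep the individual values on the event.
event.destinationUserName=userName
event.deviceProcessName=process

# Composite key: "root:success:/usr/bin/sshd" for the sample line above.
# Assumption: deviceEventClassId is used as the key only because the
# dev guide's conditional-mapping example conditions on that field.
event.deviceEventClassId=__concatenate(userName,":",outcome,":",process)

# Conditional mapping on the composite key. The values entry is a literal
# match, so token order and the separator must be identical to the
# __concatenate call above.
conditionalmap.count=1
conditionalmap[0].field=event.deviceEventClassId
conditionalmap[0].mappings.count=1
conditionalmap[0].mappings[0].values=root:success:/usr/bin/sshd
conditionalmap[0].mappings[0].event.name=__stringConstant("Successful root ssh login")
```

The trade-off is that every combination of interest needs its own values entry, and the key field carries the composite string rather than a real event class ID; a dedicated custom string field would be cleaner if the conditional map can key on it.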
Thanks for the response. I came across this when searching for a solution for regex for multiple lines or different files.
I have the following scenario: Check Point Firewall (R77.30) integrated with ArcSight. It did not work with the Check Point Syslog connector, so I had to parse the log in order to receive the firewall logs in the correct format.
SmartDefense is an intrusion prevention system integrated into the Check Point firewall, and we are getting logs from SmartDefense as well, but again unparsed.
I need to know the response on the following:
1. I prepared and deployed a different SDK properties file, with the IPS log regex, tokens and mappings, in the same location where the SDK properties file for firewall logs is located, i.e., current\user\agent\flexagent\syslog. But this did not work.
2. Do we need to write a different regex and a different SDK properties file and deploy it in the same location or a different location, because the firewall and IPS logs are coming from the same host? Or do we need to have only one SDK file where both regexes are mentioned, with multiple mappings to a single field? Is this possible?