
ID based REST flexconnector

Hi folks!

I am trying to create an ID-based REST connector for the first time.

The URL looks like this http://arcsight.something.dk/api/useractivity/10/0 where the 10 is the number of events to get and the 0 is the offset.

The REST FlexConnector manual says that one must use a timestamp, but there is no timestamp to use in the URL.

Am I doing things the wrong way, or how should I be handling this?

The events I am getting out looks like this:

Example of events
{"count":14438,"offset":14430,"list":[{"id":1158420,"ip":"162.8.y.x","objectReference":"IP-address = 162.8.y.x","time":"2017-03-02 12:39:39","user":{"id":1017,"username":"AlertService","password":null,"firstname":"Alert","lastname":"Service","emailaddress":null,"dateFormat":null,"timeFormat":null,"name":null,"language":null,"languageCode":null,"lastLogin":null,"isAsiaSpeakingLanguage":false,"canChangePassword":false,"workgroup":null,"isSuperAdministrator":false,"isAutoMediaApprover":false,"receiveEmailAlerts":false,"isWebserviceUser":false,"enabled":false,"receiveApprovalAlerts":false,"authenticationMethod":null,"roles":null,"Code":null,"Description":null},"type":"WebLogin"},{"id":1158422,"ip":"162.8.y.x","objectReference":"IP-address = 162.8.y.x","time":"2017-03-02 12:39:39","user":{"id":1017,"username":"AlertService","password":null,"firstname":"Alert","lastname":"Service","emailaddress":null,"dateFormat":null,"timeFormat":null,"name":null,"language":null,"languageCode":null,"lastLogin":null,"isAsiaSpeakingLanguage":false,"canChangePassword":false,"workgroup":null,"isSuperAdministrator":false,"isAutoMediaApprover":false,"receiveEmailAlerts":false,"isWebserviceUser":false,"enabled":false,"receiveApprovalAlerts":false,"authenticationMethod":null,"roles":null,"Code":null,"Description":null},"type":"WebLogin"},{"id":1158423,"ip":"162.8.y.x","objectReference":"IP-address = 162.8.y.x","time":"2017-03-02 
12:39:40","user":{"id":1017,"username":"AlertService","password":null,"firstname":"Alert","lastname":"Service","emailaddress":null,"dateFormat":null,"timeFormat":null,"name":null,"language":null,"languageCode":null,"lastLogin":null,"isAsiaSpeakingLanguage":false,"canChangePassword":false,"workgroup":null,"isSuperAdministrator":false,"isAutoMediaApprover":false,"receiveEmailAlerts":false,"isWebserviceUser":false,"enabled":false,"receiveApprovalAlerts":false,"authenticationMethod":null,"roles":null,"Code":null,"Description":null},"type":"WebLogin"}],"Code":null,"Description":null}

I am also having problems figuring out the way to set the following

trigger.node.location=????

and

token[0].name=sessionid

token[0].type=Integer

token[0].location=../???

Does anyone have some examples that I can learn from?

/Per


Hello.

I don't know about the REST parameters for the URL, but I can help you with the JSON properties file. The JSON FlexConnector represents a JSON file as a tree with root node "/". Something like this:

/

| {

| "count":14438,

| "offset":14430,

| "list":[

     | {

     | "id":1158420,

     | "ip":"162.8.y.x",

     | "objectReference":"IP-address = 162.8.y.x",

     | "time":"2017-03-02 12:39:39",

     | "user":{

           | "id":1017,

           | "username":"AlertService",

           | "password":null,

           | "firstname":"Alert",

           | "lastname":"Service",

           | "emailaddress":null,

           | "dateFormat":null,

           | "timeFormat":null,

           | "name":null,

           | "language":null,

           | "languageCode":null,

           | "lastLogin":null,

           | "isAsiaSpeakingLanguage":false,

           | "canChangePassword":false,

           | "workgroup":null,

           | "isSuperAdministrator":false,

           | "isAutoMediaApprover":false,

           | "receiveEmailAlerts":false,

           | "isWebserviceUser":false,

           | "enabled":false,

           | "receiveApprovalAlerts":false,

           | "authenticationMethod":null,

           | "roles":null,

           | "Code":null,

           | "Description":null},

     | "type":"WebLogin"

     | },

     | {

     | "id":1158422,

     | "ip":"162.8.y.x",

     | "objectReference":"IP-address = 162.8.y.x",

     | "time":"2017-03-02 12:39:39",

     | "user":{

           | "id":1017,

           | "username":"AlertService",

           | "password":null,

           | "firstname":"Alert",

           | "lastname":"Service",

           | "emailaddress":null,

           | "dateFormat":null,

           | "timeFormat":null,

           | "name":null,

           | "language":null,

           | "languageCode":null,

           | "lastLogin":null,

           | "isAsiaSpeakingLanguage":false,

           | "canChangePassword":false,

           | "workgroup":null,

           | "isSuperAdministrator":false,

           | "isAutoMediaApprover":false,

           | "receiveEmailAlerts":false,

           | "isWebserviceUser":false,

           | "enabled":false,

           | "receiveApprovalAlerts":false,

           | "authenticationMethod":null,

           | "roles":null,

           | "Code":null,

           | "Description":null},

     | "type":"WebLogin"

     | },

     | {

     | "id":1158423,

     | "ip":"162.8.y.x",

     | "objectReference":"IP-address = 162.8.y.x",

     | "time":"2017-03-02 12:39:40",

     | "user":{

           | "id":1017,

           | "username":"AlertService",

           | "password":null,

           | "firstname":"Alert",

           | "lastname":"Service",

           | "emailaddress":null,

           | "dateFormat":null,

           | "timeFormat":null,

           | "name":null,

           | "language":null,

           | "languageCode":null,

           | "lastLogin":null,

           | "isAsiaSpeakingLanguage":false,

           | "canChangePassword":false,

           | "workgroup":null,

           | "isSuperAdministrator":false,

           | "isAutoMediaApprover":false,

           | "receiveEmailAlerts":false,

           | "isWebserviceUser":false,

           | "enabled":false,

           | "receiveApprovalAlerts":false,

           | "authenticationMethod":null,

           | "roles":null,

           | "Code":null,

           | "Description":null},

      | "type":"WebLogin"

      | }

| ],

| "Code":null,

| "Description":null

| }

A trigger node is the node that triggers events. In your case it would be "/list", where "/" is the root node and "list" is the name of the array of events. The FlexConnector would generate three events, because the array "list" contains three JSON elements.

A token location is the location of the element of interest relative to the trigger node. For example, let's assume that we want to parse the ip from the event. Then token[x].location would be:

token[x].location=ip

because the "ip" element is directly under the trigger node element. For the "firstname" element:

token[x].location=user/firstname

because the "firstname" element is under the "user" element.

So the parser would look like this:

# JSON FlexConnector parser for the sample "useractivity" response shown above.
# Each element of the top-level "list" array becomes one event; token locations
# below are paths relative to that element.
trigger.node.location=/list

# Tokens 0..29 are defined below, so the count is 30. Keep it in sync when a
# token is added or removed.
token.count=30
# The sample carries "id" as a JSON number; it is read here as a String.
token[0].name=eventId
token[0].type=String
token[0].location=id

token[1].name=eventIp
token[1].type=IPAddress
token[1].location=ip

token[2].name=objectReference
token[2].type=String
token[2].location=objectReference

# Format matches the sample value "2017-03-02 12:39:39".
# NOTE(review): the sample has no zone offset; confirm which time zone the
# connector assumes, otherwise these events will not line up with other sources.
token[3].name=eventTime
token[3].type=TimeStamp
token[3].format=yyyy-MM-dd HH:mm:ss
token[3].location=time

token[4].name=userId
token[4].type=String
token[4].location=user/id

token[5].name=userUserName
token[5].type=String
token[5].location=user/username

# NOTE(review): this reads the account's "password" field. It is null in the
# sample and no event.* mapping below uses the token, but parsing it means a
# non-null value would be pulled into the connector. Consider dropping this
# token (renumber the following tokens and lower token.count) so credential
# material never enters the log pipeline.
token[6].name=userPassword
token[6].type=String
token[6].location=user/password

token[7].name=userFirstName
token[7].type=String
token[7].location=user/firstname

token[8].name=userLastName
token[8].type=String
token[8].location=user/lastname

token[9].name=userEmailAddress
token[9].type=String
token[9].location=user/emailaddress

# Tokens 10..28 cover the remaining "user" properties. Of these, only userRoles
# is mapped to an event field below; the rest are parsed but unused.
token[10].name=userDateFormat
token[10].type=String
token[10].location=user/dateFormat

token[11].name=userTimeFormat
token[11].type=String
token[11].location=user/timeFormat

token[12].name=userName
token[12].type=String
token[12].location=user/name

token[13].name=userLanguage
token[13].type=String
token[13].location=user/language

token[14].name=userLanguageCode
token[14].type=String
token[14].location=user/languageCode

token[15].name=userLastLogin
token[15].type=String
token[15].location=user/lastLogin

# The boolean flags in the sample (true/false) are read as Strings.
token[16].name=userIsAsiaSpeakingLanguage
token[16].type=String
token[16].location=user/isAsiaSpeakingLanguage

token[17].name=userCanChangePassword
token[17].type=String
token[17].location=user/canChangePassword

token[18].name=userWorkgroup
token[18].type=String
token[18].location=user/workgroup

# NOTE(review): not mapped to any event field below; a privileged-login rule
# would need this value, so consider mapping it (e.g. to a custom string field).
token[19].name=userIsSuperAdministrator
token[19].type=String
token[19].location=user/isSuperAdministrator

token[20].name=userIsAutoMediaApprover
token[20].type=String
token[20].location=user/isAutoMediaApprover

token[21].name=userReceiveEmailAlerts
token[21].type=String
token[21].location=user/receiveEmailAlerts

token[22].name=userIsWebserviceUser
token[22].type=String
token[22].location=user/isWebserviceUser

token[23].name=userEnabled
token[23].type=String
token[23].location=user/enabled

token[24].name=userReceiveApprovalAlerts
token[24].type=String
token[24].location=user/receiveApprovalAlerts

# NOTE(review): also unmapped below; useful for telling apart login methods.
token[25].name=userAuthenticationMethod
token[25].type=String
token[25].location=user/authenticationMethod

token[26].name=userRoles
token[26].type=String
token[26].location=user/roles

token[27].name=userCode
token[27].type=String
token[27].location=user/Code

token[28].name=userDescription
token[28].type=String
token[28].location=user/Description

token[29].name=eventType
token[29].type=String
token[29].location=type

# Event field mappings. __oneOf(token,__stringConstant(-)) falls back to "-"
# when the token has no value.
# NOTE(review): the name is fixed to "WebLogin" although the "type" value is
# parsed into eventType; if the API returns other activity types they would
# all be named WebLogin. Confirm, or derive the name from eventType.
event.name=__stringConstant(WebLogin)
event.externalId=__oneOf(eventId,__stringConstant(-))
# NOTE(review): for a login record the "ip" value is presumably the client's
# address; confirm whether sourceAddress is the better target.
event.destinationAddress=__oneOfAddress(eventIp)
event.endTime=eventTime
# NOTE(review): in the ArcSight schema "type" normally distinguishes base /
# aggregated / correlation events; confirm a free-text value is accepted here
# (deviceEventClassId or deviceEventCategory are the usual targets).
event.type=__oneOf(eventType,__stringConstant(-))
event.destinationUserId=__oneOf(userId,__stringConstant(-))
event.destinationUserName=__oneOf(userUserName,__stringConstant(-))
# First and last name are placed in process/service name fields.
event.destinationProcessName=__oneOf(userFirstName,__stringConstant(-))
event.destinationServiceName=__oneOf(userLastName,__stringConstant(-))
# NOTE(review): destinationProcessId is, as far as I know, an integer field;
# an e-mail address (or the "-" fallback) may be rejected or dropped. Verify
# and pick a string field instead if so.
event.destinationProcessId=__oneOf(userEmailAddress,__stringConstant(-))
event.destinationUserPrivileges=__oneOf(userRoles,__stringConstant(-))

# Placeholder vendor/product values; replace with the real device identity.
event.deviceVendor=__stringConstant(SomeVendor)
event.deviceProduct=__stringConstant(SomeProduct)
# NOTE(review): this constant is quoted while the others are not; confirm the
# quotes are stripped, otherwise the value will not match "Low" in the map below.
event.deviceSeverity=__stringConstant("Low")

# Maps the deviceSeverity string onto the connector's severity levels.
severity.map.high.if.deviceSeverity=High
severity.map.medium.if.deviceSeverity=Medium
severity.map.low.if.deviceSeverity=Low
