zargaran Honored Contributor.

Parsing Juniper log file problem with flex log file connector

Dear All,

I have a Juniper.log file that I want to parse with a SmartConnector.

I installed the ArcSight Flex regex file connector, and in <ARCSIGHT_HOME>/current/usr/agent/flexagent I located Juniper.sdkrfilereader.properties. The content of this file is:

# FlexAgent Regex Configuration File
do.unparsed.events=true
regex=(\\S+\\s+\\d+ \\d\\d\:\\d\\d\:\\d\\d) (\\d+\\.\\d+\\.\\d+\\.\\d+) \\S+ NetScreen device_id\=(\\S+)  \\[Root\\]system\\-notification\\-\\d+\\(traffic\\)\: start_time\=\\"(\\S+ \\d\\d\:\\d\\d\:\\d\\d)" duration\=(\\d+) policy_id\=(\\S+) (service\=([tcp|udp]+)\\/port\\\:(\\d+) proto\=(\\d+) src zone\=(\\w+) dst zone\=(\\w+) action\=(\\w+) sent\=(\\S+) rcvd\=(\\S+) src\=(\\d+\\.\\d+\\.\\d+\\.\\d+) dst\=(\\d+\\.\\d+\\.\\d+\\.\\d+) src_port\=(\\S+) dst_port\=\\S+ src\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ dst\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ session_id\=(\\S+) reason\=(.*))
token.count=20
token[0].name=dateAndTime
token[0].type=String
token[1].name=deviceAddress
token[1].type=IPAddress
token[2].name=deviceId
token[2].type=String
token[3].name=startTime
token[3].type=String
token[4].name=duration
token[4].type=String
token[5].name=Id
token[5].type=String
token[6].name=Msg
token[6].type=String
token[7].name=transportProtocol
token[7].type=String
token[8].name=destinationPort
token[8].type=String
token[9].name=applicationProtocol
token[9].type=String
token[10].name=sourceZone
token[10].type=String
token[11].name=destinationZone
token[11].type=String
token[12].name=categoryOutcome
token[12].type=String
token[13].name=bytesOut
token[13].type=String
token[14].name=bytesIn
token[14].type=String
token[15].name=sourceAddress
token[15].type=IPAddress
token[16].name=destinationAddress
token[16].type=IPAddress
token[17].name=sourcePort
token[17].type=String
token[18].name=sessionId
token[18].type=String
token[19].name=categoryBehavior
token[19].type=String
additionaldata.enabled=true
event.deviceVendor=__stringConstant(Juniper)
event.deviceProduct=__stringConstant(Juniper)
event.name=Message
event.deviceAddress=deviceAddress
event.deviceId=deviceId
event.startTime=startTime
event.endTime=endTime
event.eventId=Id
submessage.messageid.token=Id
submessage.token=Msg
#l10n.filename.prefix=
submessage.count=2
submessage[0].messageid=11
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=service\=([tcp|udp]+)\\/port\\\:(\\d+) proto\=(\\d+) src zone\=(\\w+) dst zone\=(\\w+) action\=([Deny|Permit]+) sent\=(\\S+) rcvd\=(\\S+) src\=(\\d+\\.\\d+\\.\\d+\\.\\d+) dst\=(\\d+\\.\\d+\\.\\d+\\.\\d+) src_port\=(\\S+) dst_port\=\\S+ src\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ dst\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ session_id\=(\\S+) reason\=(.*)
submessage[0].pattern[0].fields=event.transportProtocol,event.destinationPort,event.applicationProtocol,event.sourceZoneURI,event.destinationZoneURI,event.categoryOutcome,event.bytesOut,event.bytesIn,event.sourceAddress,event.destinationAddress,event.sourcePort,event.sessionId,event.categoryBehavior
submessage[1].messageid=14
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=service\=([tcp|udp]+)\\/port\\\:(\\d+)\\sproto\=(\\d+) src zone\=(\\w+) dst zone\=(\\w+) action\=([Permit|Deney]+) sent\=(\\d+) rcvd\=(\\d+) src\=(\\d+\\.\\d+\\.\\d+\\.\\d+) dst\=(\\d+\\.\\d+\\.\\d+\\.\\d+) src_port\=(\\S+) dst_port\=\\S+ src\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ dst\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ session_id\=(\\d+) reason\=(.*)
submessage[1].pattern[0].fields=event.transportProtocol,event.destinationPort,event.applicationProtocol,event.sourceZoneURI,event.destinationZoneURI,event.categoryOutcome,event.bytesOut,event.bytesIn,event.sourceAddress,event.destinationAddress,event.sourcePort,event.sessionId,event.categoryBehavior

I also set full permissions on this file. When I run <ARCSIGHT_HOME>current\bin\arcsight agents to start the SmartConnector manually, I do not get any parsed CEF log.

Where is the misconfiguration in these steps?

Any solution?

BR

Amir
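A parser definition like the one above can be checked offline before the connector is restarted, which is much faster than reading agent.log after each edit. The following Python script is an added example and is not code from the post or from ArcSight. It applies the Java .properties unescaping that the connector performs on the regex= value, compiles the posted pattern with Python's re module as a stand-in for the Java regex engine (the constructs used here behave the same in both), runs it over a constructed NetScreen traffic line, checks that the capture-group count equals token.count, and reports event.* mappings that point at tokens the file never declares. It also isolates one pitfall in the posted pattern: `[tcp|udp]+` is a character class, not an alternation, so it accepts "tcp" and "udp" but also any run of the letters t, c, p, u, d and the bar. The sample log line, hostname and addresses are constructed for this example.

```python
"""Offline sanity check of a FlexConnector regex-file parser (constructed example)."""
import re

# Java .properties unescaping, applied by the connector before the value reaches
# the regex engine: "\\" -> "\", "\=" -> "=", "\:" -> ":", "\"" -> '"';
# \t \n \r \f keep their control-character meaning.
def unescape_properties_value(raw: str) -> str:
    specials = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(specials.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def compile_flex_regex(raw_value: str) -> "re.Pattern[str]":
    """Unescape a regex= property value and compile it."""
    return re.compile(unescape_properties_value(raw_value))


# The regex= value from the post, as it stands in the .properties file.
RAW_REGEX = (
    r'(\\S+\\s+\\d+ \\d\\d\:\\d\\d\:\\d\\d) (\\d+\\.\\d+\\.\\d+\\.\\d+) \\S+ NetScreen device_id\=(\\S+)  '
    r'\\[Root\\]system\\-notification\\-\\d+\\(traffic\\)\: start_time\=\\"(\\S+ \\d\\d\:\\d\\d\:\\d\\d)" '
    r'duration\=(\\d+) policy_id\=(\\S+) (service\=([tcp|udp]+)\\/port\\\:(\\d+) proto\=(\\d+) '
    r'src zone\=(\\w+) dst zone\=(\\w+) action\=(\\w+) sent\=(\\S+) rcvd\=(\\S+) '
    r'src\=(\\d+\\.\\d+\\.\\d+\\.\\d+) dst\=(\\d+\\.\\d+\\.\\d+\\.\\d+) src_port\=(\\S+) dst_port\=\\S+ '
    r'src\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ dst\\-xlated ip\=\\d+\\.\\d+\\.\\d+\\.\\d+ port\=\\S+ '
    r'session_id\=(\\S+) reason\=(.*))'
)
TOKEN_COUNT = 20

# token[n].name values from the post, in index order.
TOKEN_NAMES = [
    "dateAndTime", "deviceAddress", "deviceId", "startTime", "duration", "Id", "Msg",
    "transportProtocol", "destinationPort", "applicationProtocol", "sourceZone",
    "destinationZone", "categoryOutcome", "bytesOut", "bytesIn", "sourceAddress",
    "destinationAddress", "sourcePort", "sessionId", "categoryBehavior",
]

# event.* -> token mappings from the post (constants and submessage fields omitted).
MAPPINGS = {
    "event.deviceAddress": "deviceAddress",
    "event.deviceId": "deviceId",
    "event.startTime": "startTime",
    "event.endTime": "endTime",
    "event.eventId": "Id",
}

# Constructed NetScreen traffic log line in the layout the posted regex expects
# (two spaces before "[Root]", quoted start_time, key=value pairs in this order).
SAMPLE_LINE = (
    "Jun 10 14:02:11 192.0.2.10 ns-fw: NetScreen device_id=ns-fw  "
    "[Root]system-notification-00257(traffic): start_time=\"2013-06-10 14:02:01\" "
    "duration=10 policy_id=11 service=tcp/port:443 proto=6 src zone=Trust dst zone=Untrust "
    "action=Permit sent=1200 rcvd=3400 src=10.0.0.5 dst=198.51.100.20 src_port=51234 dst_port=443 "
    "src-xlated ip=203.0.113.5 port=51234 dst-xlated ip=198.51.100.20 port=443 "
    "session_id=123456 reason=Close - TCP FIN"
)


def check_token_count(pattern: "re.Pattern[str]", declared: int) -> bool:
    """token.count must equal the number of capture groups, nested groups included."""
    return pattern.groups == declared == len(TOKEN_NAMES)


def parse_line(pattern: "re.Pattern[str]", line: str):
    """Full-match one line and return {tokenName: value}, or None when it does not parse."""
    m = pattern.fullmatch(line)
    if m is None:
        return None
    return dict(zip(TOKEN_NAMES, m.groups()))


def undeclared_token_references(mappings: dict, token_names: list) -> list:
    """event.* mappings whose right-hand side is not a declared token name."""
    return sorted({tok for tok in mappings.values() if tok not in token_names})


# The pitfall: a bracket expression is a set of characters, not a list of words.
BUGGY_PROTOCOL = r"[tcp|udp]+"   # any run of the characters t c p | u d
FIXED_PROTOCOL = r"(?:tcp|udp)"  # exactly "tcp" or "udp"


def matches_protocol(pattern_text: str, value: str) -> bool:
    return re.fullmatch(pattern_text, value) is not None


if __name__ == "__main__":
    pat = compile_flex_regex(RAW_REGEX)
    print("token.count consistent:", check_token_count(pat, TOKEN_COUNT))
    print("undeclared tokens referenced:", undeclared_token_references(MAPPINGS, TOKEN_NAMES))
    for name, value in (parse_line(pat, SAMPLE_LINE) or {}).items():
        print(f"{name:20s} = {value}")
    print("buggy class accepts 'udp|tcp':", matches_protocol(BUGGY_PROTOCOL, "udp|tcp"))
    print("fixed alternation accepts 'udp|tcp':", matches_protocol(FIXED_PROTOCOL, "udp|tcp"))
```

Run against the posted definition, the script shows that the regex itself does parse a well-formed traffic line into all twenty tokens, and that the only mapping pointing at an undeclared token is event.endTime=endTime; whether the connector tolerates that or refuses to load the parser is something to confirm in agent.log. Because the character class still accepts the legitimate values "tcp", "udp", "Permit" and "Deny", the same pitfall in the two submessage patterns (including the "Deney" spelling) is masked on valid input and only shows up as over-matching on malformed lines.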

Gayan Acclaimed Contributor.

Re: Parsing Juniper log file problem with flex log file connector

Hi Amir,

Juniper is on the supported list. So why did you try to install a flex connector?

Cheers

Gayan

Mr
zargaran Honored Contributor.

Re: Parsing Juniper log file problem with flex log file connector

This is for testing. I also set token[0].startatend=false in agent.properties, and then it worked successfully!

Thanks
