rakesh.mukherje

Regex flex

I created a regex parser using the ArcSight regex tool without any error, but while testing I find that my entire event comes into the message field only. Can anyone suggest how to troubleshoot this?

Thanks,

Accepted Solutions
DaveH1

Re: Regex flex

Your parser is not working.

A tip for writing flexconnectors is to use regex=(.*) when you first start it up.

Map this token to a CustomString (not message or name fields!) and see if the entire event goes into the custom string field.

Then continue to work from left to right across the message. It is very easy to get confused with complex regex if you don't break it into smaller parts. Add a bit > test, add a bit more > test again.

Also using the regex editor in the smartconnector is great as a starting point. Same principle applies though.

You can find the regex tool from the cmdline -- $ARCSIGHT_HOME/bin/arcsight regex (needs X11 if you run it on Linux)

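A small harness, added here and not part of Dave's post or of the ArcSight tooling, that applies the "start with (.*), then add a bit and test" method to constructed sample events. The sample lines, the stage patterns and the token names are assumptions for illustration; the final stage's pattern is what would go into the properties file as regex=, with one token[n] entry per capture group.

```python
import re

# Constructed sample events (not from the original thread); the second one
# carries a hyphenated hostname to show where a too-tight pattern breaks.
EVENTS = [
    "2023-01-15 10:22:31 fw01 vpnd[412] user=alice action=login result=success",
    "2023-01-15 10:22:32 fw-02 vpnd[413] user=bob action=login result=failure",
]

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

# Patterns in the order the accepted answer suggests: stage 0 is the catch-all
# that should swallow the whole event into one custom-string token; every later
# stage pins down one more piece from the left, with the trailing (.*) holding
# whatever is still unparsed. Token names mirror token[n].name= entries.
STAGES = [
    (r"(.*)", ["raw"]),
    (TS + r"\s+(.*)", ["ts", "rest"]),
    (TS + r"\s+(\S+)\s+(.*)", ["ts", "host", "rest"]),
    (TS + r"\s+(\S+)\s+(\w+)\[(\d+)\]\s+(.*)", ["ts", "host", "proc", "pid", "rest"]),
    (TS + r"\s+(\S+)\s+(\w+)\[(\d+)\]\s+user=(\S+) action=(\S+) result=(\S+)",
     ["ts", "host", "proc", "pid", "user", "action", "result"]),
]

# Deliberately over-tight variant (assumption for the demo): \w+ for the host
# rejects "fw-02", and the staged run pinpoints that at stage 2 instead of
# leaving the whole event silently in the message field.
TIGHT_STAGES = [STAGES[0], STAGES[1], (TS + r"\s+(\w+)\s+(.*)", ["ts", "host", "rest"])]


def run_stages(event, stages=STAGES):
    """Try every stage in order. The connector regex is assumed to have to match
    the whole line (re.fullmatch mirrors that), so a stage matching only a prefix
    counts as broken. Returns (first failing stage index or None, tokens of the
    last stage that matched)."""
    tokens = {}
    for i, (pattern, names) in enumerate(stages):
        m = re.fullmatch(pattern, event)
        if m is None:
            return i, tokens
        tokens = dict(zip(names, m.groups()))
    return None, tokens


def diagnose(events, stages=STAGES):
    """Run every sample line and report, per line, the stage to look at next."""
    return {ev: run_stages(ev, stages) for ev in events}


if __name__ == "__main__":
    for ev, (failed, tokens) in diagnose(EVENTS, TIGHT_STAGES).items():
        status = "all stages matched" if failed is None else f"breaks at stage {failed}"
        print(f"{status}: {ev}\n  tokens so far: {tokens}")
```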
balahasan.v1

Re: Regex flex

Hi Rakesh,

Can you please share your config file and sample logs with us?

shaig1

Re: Regex flex

Hi Dave,

I'd suggest mapping the whole token of (.*) not to customString but to requestContext, which is the biggest field you have (2048).

DaveH1

Re: Regex flex

Incorrect.

Custom Strings are 4k

Ahedge

Re: Regex flex

You should also make sure that you place the regex properties file in the correct subdirectory. If it is for syslog then it needs to be in a different folder than other types of flex connector files.

Also, to follow up on Dave's suggestion, in your first pass at the file you might want to add the deviceVendor and deviceProduct field definitions to make it easier to find your events in the destination device.

lless

Re: Regex flex

Give your regexp and a log example and I'll try to help you.

xian-de.deng

Re: Regex flex

Hi Arthur:

A quick question for you. I found the type options in different SmartConnector versions are diverse. For example, the version I am using is 7.0.4, in which I cannot find the type "Flexconnector Regex file".

In my case, I have a few logs from 3rd party sources which are not compatible with syslog. So which connector type would you suggest I pick for these logs?

Regards

Wilson

Micro Focus Expert

Re: Regex flex

Hi Wilson-

May I suggest you obtain some training on the FlexConnector Developer's Kit?

There is a course offered that will explain which files are where, what they are named, etc.

To write a syslog subconnector, you write a Regex File reader, and rename the file. When you do this, you can 'treat the messages as syslog' and the header parsing will be taken care of for you.

My installer choices for 7.0.4 have many more choices than your screenshot shows. Are you sure you are using 7.0.4?

What is the filename, filesize and md5sum for your installer file?

Regards,

Aaron

JSM

Re: Regex flex

I have the same issue as you. Very limited set of connectors display when the binary is installed. Missing a bunch. Same issue with 7.0.3 and 7.0.2.  Installing on Xubuntu device.

Edit: Should have stated that I am using the 64-bit connector. Have heard that this version may have less than the 32-bit connector. Researching now.

Micro Focus Expert

Re: Regex flex

I think the resolution was to not use the 64-bit connector installer, but to use the 32-bit connector installer.
