Rename fields of SmartConnector without changing categorization
I need to rename the fields deviceVendor and deviceProduct of a Syslog SmartConnector. I created a map.x.properties and a .csv file under current/user/agent/acp/categorizer/current/deviceVendor/deviceProduct.csv; the fields changed, but the category fields were null.
Is there any possibility to change these fields while persisting the categorization fields?
I am afraid that categorization is triggered by the deviceEventClassId, deviceProduct and deviceVendor fields specifically. As long as you have data in these fields that matches with the categorization field, you will get categorization applied. Since you are looking to change the mapping of deviceProduct and deviceVendor, I am afraid that categorization won't be applied as a result.
That said though, there are a few things that you can't map with a map override file - and deviceProduct, deviceVendor, attackerAddress and targetAddress are a few of them. The best thing to do is use a parser override (which assumes you have the unobfuscated parser) or to adjust the parser itself (which also assumes you have the unobfuscated parser).
I would recommend that you get in touch with the support team and request access to the unobfuscated parser so you can make a change to it - and adjust the deviceVendor and deviceProduct fields. If you have any issues, please do let me know.