
Severity Mapping doesn't work

Hello everyone!

I'm quite a newbie with ArcSight products, so maybe I'm doing something wrong, but I can't get the severity mapping working correctly in my Flex file.

Let me explain:

In the log source, I have an ID (0, 1 or 2). It's collected correctly with a regex.
Then I put the value in a token:

token[3].name=Eventmod
token[3].type=String

And link it to a field:
event.deviceSeverity=Eventmod

Until now, all is working fine. I read the correct deviceSeverity value in this field.
But I'm now trying to set a severity depending on this ID:

severity.map.low.if.event.deviceSeverity=0,1
severity.map.medium.if.event.deviceSeverity=2

It doesn't work. I still get "unknown" in the severity field.
Can you help me get severity.map working, please?

Thanks!


Not using Flex too much these days, but from what I can find on similar questions, you are using a "," instead of ".." between 0 and 1.

The "," might mess up your syntax?

Try this one:

severity.map.low.if.event.deviceSeverity=0..1
-----------------------------------------------------------------------------------------
All topics and replies I make are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius

You have a syntax error. Below is what you have. Get rid of "event" in "if.event.deviceSeverity".

severity.map.low.if.event.deviceSeverity=0,1
severity.map.medium.if.event.deviceSeverity=2

It should be as follows:

severity.map.low.if..deviceSeverity=0,1
severity.map.medium.if.deviceSeverity=2

Brian Chong


Hello,

I've tried both solutions,

severity.map.low.if.event.deviceSeverity=0..1
severity.map.low.if..deviceSeverity=0,1

but I'm still getting "Unknown" severity.
When I look at agent.log, the only lines mentioning "severity" are below:

[2018-05-15 16:30:06,775][INFO ][default.com.arcsight.agent.d0.e][getInputStream] Resource [junos_syslog_devicetoagentseverity_map.csv] found in [/opt/arcsight/connector/current/system/agent/fcp/arcsightagents.aup|syslog junos_syslog_devicetoagentseverity_map.csv.arc]

Which is not relevant, since the logs are not from junos_syslog. I don't have anything else in the log file.

Any idea to help me understand what is wrong with this field? Should I use something other than the "deviceSeverity" field?

Thank you!

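The checker below is an added example (my own code, not ArcSight's) for the severity.map lines discussed in this thread. It assumes the FlexConnector key form `severity.map.<level>.if.deviceSeverity=<comma-separated values>` with no `event.` prefix, flags the `event.` prefix and the doubled dot that appear in the replies above, and shows which deviceSeverity values would still fall through to "unknown"; the `0..1` range form is not assumed to be understood.

```python
import re

# Added example, not ArcSight code. Assumed key form (no "event." prefix):
#   severity.map.<level>.if.deviceSeverity=<comma-separated values>
LEVELS = ("unknown", "low", "medium", "high", "veryhigh")
KEY_RE = re.compile(r"^severity\.map\.([a-z]+)\.if\.deviceSeverity$")

def lint_severity_map(text):
    """Parse severity.map lines; return (deviceSeverity value -> level, problems)."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("severity.map."):
            continue  # other Flex properties are not our concern here
        key, _, value = line.partition("=")
        if ".if.event." in key:
            problems.append(f"line {lineno}: remove 'event.' -> severity.map.<level>.if.deviceSeverity")
            continue
        if ".." in key:
            problems.append(f"line {lineno}: doubled dot in key {key!r}")
            continue
        m = KEY_RE.match(key)
        if not m or m.group(1) not in LEVELS:
            problems.append(f"line {lineno}: unrecognised key {key!r}")
            continue
        level = m.group(1)
        for v in (x.strip() for x in value.split(",")):
            if not v:
                continue
            if ".." in v:  # assumption: only the comma-separated list form is understood
                problems.append(f"line {lineno}: range form {v!r}; list each value instead")
                continue
            if mapping.get(v, level) != level:
                problems.append(f"line {lineno}: value {v!r} already mapped to {mapping[v]}")
                continue
            mapping[v] = level
    return mapping, problems

def map_severity(mapping, device_severity):
    """Mimic the connector's outcome: an unmapped deviceSeverity stays 'unknown'."""
    return mapping.get(str(device_severity).strip(), "unknown")

# Constructed inputs: the lines from the original post, then a corrected version.
ORIGINAL = """severity.map.low.if.event.deviceSeverity=0,1
severity.map.medium.if.event.deviceSeverity=2"""
CORRECTED = """severity.map.low.if.deviceSeverity=0,1
severity.map.medium.if.deviceSeverity=2"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, *lint_severity_map(conf))
```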