Stored Procedure - how to write parser for FlexConnector?

I've searched and looked around for answers on the forums but not come up with anything conclusive.

I need to use a stored procedure to get audit data from a database. Is this possible?

The procedure looks like this and we are using it in MSSQL Studio:

Use [LogServerV2]
GO

DECLARE @return_value int

EXEC @return_value = [LogServer].[ReadMessageByClientTimestamp]
    @LogTypeId = 2,
    @LanguageCode = N'en-US',
    @ClientTimestampUtcFrom = N'<insert date>',
    @ClientTimestampUtcTo = N'<insert date>',
    @Batchsize = 109024,
    @Offset = 9024

SELECT 'Return_value' = @return_value
GO

Let's say that it returns columns Id, ClientIP, Text, User

How would I write the parser file for the FlexConnector?

query=?

 

Thanks in advance!


Accepted Solutions

Re: Stored Procedure - how to write parser for FlexConnector?


A stored procedure is still based on a SQL query, you'll have to ask your DBA to pass on that query and its output to you so you can include it in the properties files and start tokenizing the columns..

The output will be comma separated and you should be able to easily tokenize by doing. Just an example below:

version.order=1
version.id=[e.g product version]
version.query=SELECT [validate database version]

query=SELECT [ask the DBA]

maxid.query=select [ask the DBA]
id.field=Id
uniqueid.fields=


# Tokenization
token.count=4
token[0].name=Id
token[0].type=String
token[1].name=ClientIP
token[1].type=IPAddress
token[2].name=Text
token[2].type=String
token[3].name=User
token[3].type=String

# Device Vendor, Product & Version
event.deviceVendor=__getVendor("Microsoft")
event.deviceProduct=__stringConstant("MSSQL")
event.deviceVersion=__stringConstant("20xx")

# ArcSight Field mapping
event.externalId=Id
event.sourceAddress=ClientIP
event.name=Text
event.message=__concatenate(Id,":",User," from ",ClientIP," performed ",Text)
event.sourceUserName=User

# severity mapping
etc..etc..

 

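A consistency check for the tokenization and mapping lines of a parser file laid out like the one in the answer above, as an added example that is not part of the original posts and not ArcSight code: it verifies that token.count matches the token[n] entries and that every event.* mapping refers to a defined token. The function name lint_parser is hypothetical and the sample text is constructed, with two deliberate defects (two properties run together on one line, a missing comma in an operation call).

```python
import re

# Constructed sample: token and mapping lines in the answer's layout, with two defects.
SAMPLE = '''token.count=4
token[0].name=Id
token[0].type=String
token[1].name=ClientIP
token[1].type=IPAddress
token[2].name=Text
token[2].type=String token[3].name=User
token[3].type=String
event.message=__concatenate(Id,":"User," from ",ClientIP," performed ",Text)
event.sourceUserName=User
'''

def lint_parser(text):
    """Return consistency problems found in token/event property lines."""
    props, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {n}: not a key=value property")
            continue
        if re.search(r"\s(token\[\d+\]|event)\.\w+=", value):
            problems.append(f"line {n}: two properties on one line")
        props[key.strip()] = value.strip()
    count = int(props.get("token.count", "0"))
    names = set()
    for i in range(count):
        for part in ("name", "type"):
            if f"token[{i}].{part}" not in props:
                problems.append(f"token[{i}].{part} is missing")
        names.add(props.get(f"token[{i}].name"))
    for key, value in props.items():
        if not key.startswith("event."):
            continue
        call = re.fullmatch(r"__\w+\((.*)\)", value)
        # Flat calls only (nested operations are not parsed); quoted literals become "".
        args = re.sub(r'"[^"]*"', '""', call.group(1)).split(",") if call else [value]
        for arg in (a.strip() for a in args):
            if arg != '""' and arg not in names:
                problems.append(f"{key}: '{arg}' is not a literal or a defined token")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_parser(SAMPLE)))
```

A mapping that silently references an undefined token leaves the corresponding event field empty, so running a check like this before deploying the parser avoids losing the user or source address from audit events.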
Re: Stored Procedure - how to write parser for FlexConnector?


Thanks, we will try to find out the underlying SQL query.
