AJSec Absent Member.

Velocity Templates - Parsing and Not Parsing

Hi Guys,

I'm having an issue where I'm trying to get the email template selected to be parsed and mailed accordingly.

Email.vm displays

#if($introspector.getDisplayValue($event, "generatorName") == "EMAIL1")

#parse("EMAIL1.vm")

#elseif($introspector.getDisplayValue($event, "generatorName") == "EMAIL2")

#parse("EMAIL2.vm")

#else

#parse("Email3.vm")

#end

Email1 & 2 are placeholders as I've ripped out the customer specifics.

These then should parse the following:

Generator URI:$introspector.getDisplayValue($event, "generatorURI")
End Time:$introspector.getDisplayValue($event, "endTime")
Manager Receipt Time:$introspector.getDisplayValue($event, "managerReceiptTime")
Event Name:             $introspector.getDisplayValue($event, "name")
Message:             $introspector.getDisplayValue($event, "message")

Source Host Name:$introspector.getDisplayValue($event, "sourceHostName")
Source NT Domain:   $introspector.getDisplayValue($event, "sourceNTDomain")
Source Address:$introspector.getDisplayValue($event, "sourceAddress")
Source Port:$introspector.getDisplayValue($event, "sourcePort")
Source User ID:$introspector.getDisplayValue($event, "sourceUserID")
Source User Name:$introspector.getDisplayValue($event, "sourceUserName")

Destination Host Name:$introspector.getDisplayValue($event, "destinationHostName")
Destination NT Domain:$introspector.getDisplayValue($event, "destinationNTDomain")
Destination Address:$introspector.getDisplayValue($event, "destinationAddress")
Destination Port:$introspector.getDisplayValue($event, "destinationPort")
Destination User ID:$introspector.getDisplayValue($event, "destinationUserID")
Destination User Name:$introspector.getDisplayValue($event, "destinationUserName")

Category Behaviour:$introspector.getDisplayValue($event, "categoryBehaviour")
Category Outcome:$introspector.getDisplayValue($event, "categoryOutcome")

Device Action:           $introspector.getDisplayValue($event, "deviceAction")
Device Severity:$introspector.getDisplayValue($event, "deviceSeverity")
Device Event Class ID:$introspector.getDisplayValue($event, "deviceEventClassID")
Device External ID:$introspector.getDisplayValue($event, "deviceExternalID")
Device Facility:$introspector.getDisplayValue($event, "deviceFacility")
Device Process Name:$introspector.getDisplayValue($event, "deviceProcessName")

Device Custom String 1:$introspector.getDisplayValue($event, "deviceCustomString1")
Device Custom String 2:$introspector.getDisplayValue($event, "deviceCustomString2")
Device Custom String 3:$introspector.getDisplayValue($event, "deviceCustomString3")
Device Custom String 4:$introspector.getDisplayValue($event, "deviceCustomString4")
Device Custom String 5:$introspector.getDisplayValue($event, "deviceCustomString5")
Device Custom String 6:$introspector.getDisplayValue($event, "deviceCustomString6")

File Name:$introspector.getDisplayValue($event, "fileName")
File Path:$introspector.getDisplayValue($event, "filePath")

This is EMAIL1.VM - whilst I get the notification in the console, I never receive an email?

#set($FieldsInMail = ["generatorURI","endTime","managerReceiptTime","name","message","sourceHostName","sourceNTDomain","sourceAddress","sourcePort","sourceUserID","sourceUserName","destinationHostName","destinationNTDomain","destinationAddress","destinationPort","destinationUserID","destinationUserName","categoryBehaviour","categoryOutcome","deviceAction","deviceSeverity","deviceEventClassID","deviceExternalID","deviceFacility","deviceProcessName","deviceCustomString1","deviceCustomString2","deviceCustomString3","deviceCustomString4","deviceCustomString5","deviceCustomString6","fileName","filePath"])

#foreach($field in $FieldsInMail)

#if($introspector.getDisplayValue($event, $field).length() > 0)

${field.fieldDisplayName}: $introspector.getDisplayValue($event, $field)

#end

#end

This is EMAIL2.VM - whilst I actually receive this mail - it's completely blank

Can anyone assist - is it formatting, or am I trying to do something that the system just can't do? EMAIL3 is a stock catch-all that works like a charm, and the generator names in use for 1 & 2 work correctly; it's just the sub-macro VM files that don't seem to be working.

I've ripped and replaced from content that is available in a host of Velocity related posts on here to get this far - and my knowledge of Velocity is very little, so any assistance would be appreciated!

We're currently running on AE3

Thanks!

JohnnyHua Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Hi, Alan, I am encountering a similar issue as your Email2.vm, i.e. the fields are blank.  Did you resolve the issue?

Thanks.

Johnny

AJSec Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Hi Johnny,

Unfortunately no luck as yet. Do you receive the mail with an empty body or is there content in your mail?

JohnnyHua Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Hi, Alan, the email has the title, name, start time and base event count, but the rest of the fields are blank. It would seem GetDisplayValue does not work for other fields or it is too late to extract the fields.

Regards,

Johnny

AJSec Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Hi Johnny,

Check that you are aggregating on the fields you're trying to display - if the rule triggered doesn't have that information aggregated, then it doesn't display in the rule "event" itself, which would then cause those fields to be blank when notified on.

Hope that helps.

Regards

Alan

ngerbino Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

We are using a data monitor to capture URL hits to malicious websites. The data monitor - top value count - has a field called deviceCustomNumber1 that aggregates the count of hits. We have a rule that is triggering a notification, but the fields are blank for attacker address and attacker user name. The data monitor's bucket size is 120 seconds (2 minutes) and a total of 6 buckets [these short times are for testing]. The rule is aggregating all the fields and is set to 1 match in 2 minutes with conditions that the generator = the data monitor resource and deviceCustomNumber1 is greater than 5.

The data monitor is populating perfectly every 2 minutes with updated counts for existing entries and adding new entries.

It seems that the aggregation on the rule should be sufficient to capture all the data since it is looking for 1 matching event every 2 minutes.

What am I missing??

Thx

vaish_11 Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Did you check if the name of the generator matches the name of the rule exactly (special characters, upper case lower case etc)?
One other issue could be your aggregation rule. ALL fields that are used in your velocity template MUST be present in the aggregation tab of your rule.

Also, yes - I've tried to give the tab space in the template before and it didn't work. Try removing the spacing you have given between the field name and value.
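
The two checks suggested in this reply (an exact generator-name match, and every template field being present in the rule's aggregation), as an added example that is not part of the original post and not ArcSight code. It only reads template text: the aggregated field list is assumed to be copied by hand from the rule, and the function names and the shortened sample body are constructed for illustration.

```python
import re

# Literal field name: getDisplayValue($event, "sourceAddress")
CALL = re.compile(r'getDisplayValue\(\s*\$event\s*,\s*"([^"]+)"\s*\)')
# Field names kept in a list: #set($FieldsInMail = ["name","message"])
# (assumption: every #set list literal in the template holds field names)
SET_LIST = re.compile(r'#set\(\s*\$\w+\s*=\s*\[([^\]]*)\]\s*\)')
# Template selection: getDisplayValue($event, "generatorName") == "EMAIL1"
BRANCH = re.compile(
    r'getDisplayValue\(\s*\$event\s*,\s*"generatorName"\s*\)\s*==\s*"([^"]*)"')

def template_fields(template):
    """Every event field the template asks for, in first-seen order."""
    names = CALL.findall(template)
    for body in SET_LIST.findall(template):
        names += re.findall(r'"([^"]+)"', body)
    return list(dict.fromkeys(names))

def blank_fields(template, aggregated):
    """Fields the template prints that are not in the aggregation list."""
    have = set(aggregated)
    return [f for f in template_fields(template) if f not in have]

def match_branch(dispatcher, rule_name):
    """Classify rule_name against the generatorName literals: exact, near, else."""
    def norm(s):
        return re.sub(r"\s+", " ", s).strip().lower()
    literals = BRANCH.findall(dispatcher)
    if rule_name in literals:
        return ("exact", [rule_name])
    near = [lit for lit in literals if norm(lit) == norm(rule_name)]
    return ("near", near) if near else ("else", [])

# Constructed sample input (dispatcher as posted in the thread, body shortened).
DISPATCH = '''#if($introspector.getDisplayValue($event, "generatorName") == "EMAIL1")
#parse("EMAIL1.vm")
#elseif($introspector.getDisplayValue($event, "generatorName") == "EMAIL2")
#parse("EMAIL2.vm")
#else
#parse("Email3.vm")
#end'''
BODY = '''Event Name:$introspector.getDisplayValue($event, "name")
#set($FieldsInMail = ["sourceAddress","sourceUserName","deviceCustomString1"])
#foreach($field in $FieldsInMail)
$field: $introspector.getDisplayValue($event, $field)
#end'''
AGGREGATED = ["name", "sourceAddress"]  # assumed: copied by hand from the rule

if __name__ == "__main__":
    print("would render blank:", blank_fields(BODY, AGGREGATED))
    print("rule 'Email1':", match_branch(DISPATCH, "Email1"))
```

A "near" result means the rule name differs from a branch literal only by case or spacing, so the dispatcher would fall through to its `#else` template.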

ngerbino Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Yes - the name matches.

Yes - the same fields are in the aggregation field as are in the velocity template.

rule_aggre.JPG

velocitytemplate.JPG


emailsent.JPG

vaish_11 Absent Member.

Re: Velocity Templates - Parsing and Not Parsing

Alan,

Does the correlated event have the sourceUserName and DeviceCustom String info? If not, please try to explicitly set Event fields in the Action tab.
