Fred Henrique (Trusted Contributor)

Why my IPAddress mapping is string type?

Hello everyone,

I'm creating a syslog flex parser file, and I made every mapping to the fields that will use this file.

But the fields sourceAddress and destinationAddress are a problem: their token type is IPAddress, but when I test the file in the connector it shows me an error informing that both are string type.

FATAL EXCEPTION:
com.arcsight.agent.sdk.b.b.a: com.arcsight.loadable.parser.api.ParseException: Exception setting event values, please verify that the data type for [deviceIPaddress] type [IPAddress] and value [10.40.0.247] matches the data type of [agentDnsDomain(String:0)] (com.arcsight.common.k.d cannot be cast to java.lang.String)

 

How do I resolve this problem?

Thanks, everyone, for your attention.

lless (Acclaimed Contributor)

Re: Why my IPAddress mapping is string type?

Try using the function "__regexTokenAsAddress" or change the token type: "token[x].type=IPAddress"

 

Fred Henrique (Trusted Contributor)

Re: Why my IPAddress mapping is string type?

Hello lless,

To use __regexTokenAsAddress, do I have to configure the token as IPAddress or String?

I did:

event.sourceAddress=__regexTokenAsAddress(mysrciptoken,"(\\d+\\.\\d+\\.\\d+\\.\\d+)")

And my token is:

token[3].name=mysrciptoken
token[3].type=IPAddress

Fred Henrique (Trusted Contributor)

Re: Why my IPAddress mapping is string type?

I tried with:

token[3].name=mysrciptoken
token[3].type=String

and 

token[3].type=IPAddress

Both were unsuccessful.

Knowledge Partner

Re: Why my IPAddress mapping is string type?

Maybe I read the error wrong, but it says deviceIPaddress and not destination.

Cheers
A
Knowledge Partner

Re: Why my IPAddress mapping is string type?

Ahh, and I would use __oneOfAddress(yourstringtoken) because it safely returns an IP address, and in case of a wrong input it still returns useful return values.


From the Flex guide: "For non-IPv6-aware parsers, this operation returns only the first non-null IPv4 address. For IPv6-aware parsers, this operation returns the first non-null IPv4 or IPv6 address."

Cheers
A
lless (Acclaimed Contributor)

Re: Why my IPAddress mapping is string type?

Can you give the flex file and an example string?

Fred Henrique (Trusted Contributor)

Re: Why my IPAddress mapping is string type?

Log example:

SFIMS: [Primary Detection Engine (1677135a-4bc0-11e3-af15-e6f763c98cfc)][Politica CARRE_10.0.0.2] Connection Type: End, User: Unknown, Client: Web browser, Application Protocol: HTTP, Web App: Unknown, Access Control Rule Name: Regra FWClientes , Access Control Rule Action: Allow, Access Control Rule Reasons: Intrusion Block, URL Category: Unknown, URL Reputation: Risk unknown, URL: http://xxxx.yyyyyy.com/v4, HTTP Referer: Unknown, User Agent: 3.0.2.1 CFNetwork / 758.2.8 Darwin / 15.0.0, Referenced Host: cidadao.sinesp.gov.br, Interface Ingress: s4p1, Interface Egress: s4p2, Security Zone Ingress: Firewall Clientes Externo, Security Zone Egress: Firewall Clientes Interno, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 1, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 5, Responder Packets: 4, Initiator Bytes: 679, Responder Bytes: 622, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 16.29.214.10:40260 -> 89.19.4.154:443

 

ipsfile_syslog.subagent.sdkrfilereader.properties

# FlexAgent Regex Configuration File
trim.tokens=true
do.unparsed.events=true

regex=(\\w+)\\\:\\s+\\[[^]]*\\]\\[([^_]*)_([^]]*)\\][^\:]*\\\:\\s+([^,]*)\\,\\s+\\w+\\\:[^\:]*\\s[^,]*\\,\\s+\\w+\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^\:]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,+]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s(\\d+)\\,\\s[^\:]*\\\:\\s+(\\d+)\\,\\s[^\:]*\\\:\\s(\\d+)\\,\\s[^\:]*\\\:\\s(\\d+)\\,\\s[^\:]*\\\:\\s[^,]*\\,\\s[^{]*\\{([^}]*)\\}\\s([^\:]*)\\\:(\\d+)\\s\\-\\>\\s([^\:]*)\\\:(\\d+)

token.count=31

token[0].name=process
token[0].type=String

token[1].name=policy
token[1].type=String

token[2].name=deviceIPaddress
token[2].type=IPAddress

token[3].name=conectionType
token[3].type=String

token[4].name=clientType
token[4].type=String

token[5].name=applicationProtocol
token[5].type=String

token[6].name=ruleName
token[6].type=String

token[7].name=ruleAction
token[7].type=String

token[8].name=ruleReasons
token[8].type=String

token[9].name=urlReputation
token[9].type=String

token[10].name=requestUrl
token[10].type=String

token[11].name=userAgent
token[11].type=String

token[12].name=referencedHost
token[12].type=String

token[13].name=interfaceIngress
token[13].type=String

token[14].name=interfaceEgress
token[14].type=String

token[15].name=securityZoneIngress
token[15].type=String

token[16].name=securityZoneEgress
token[16].type=String

token[17].name=intelligenceMatchingIP
token[17].type=String

token[18].name=securityIntelligenceCategory
token[18].type=String

token[19].name=fileEvents
token[19].type=Long

token[20].name=numberOfIPSEvents
token[20].type=Long

token[21].name=tcpFlags
token[21].type=String

token[22].name=initiatorPackets
token[22].type=Long

token[23].name=responderPackets
token[23].type=Long

token[24].name=initiatorBytes
token[24].type=Integer

token[25].name=responderBytes
token[25].type=Integer

token[26].name=protocol
token[26].type=String

token[27].name=sourceIPaddress
token[27].type=IPAddress

token[28].name=sourcePort
token[28].type=Integer

token[29].name=destinationIPaddress
token[29].type=IPAddress

token[30].name=destinationPort
token[30].type=Integer


#submessage.messageid.token=
#submessage.token=

 

event.flexString2Label=__stringConstant("Security_Intelligence_Category")
event.deviceCustomString5Label=__stringConstant("Nome_da_Regra")
event.destinationServiceName=securityZoneEgress
event.deviceCustomNumber2=responderPackets
event.deviceCustomNumber1=initiatorPackets
event.sourcePort=sourcePort
event.deviceCustomString2Label=__stringConstant("Politica")
event.filePermission=tcpFlags
event.flexString1=intelligenceMatchingIP
event.flexString2=securityIntelligenceCategory
event.deviceCustomNumber1Label=__stringConstant("Pacotes_OUT")
event.bytesIn=initiatorBytes
event.deviceInboundInterface=interfaceIngress
event.flexNumber2Label=__stringConstant("Qtd_Eventos_IPS")
event.deviceVendor=__stringConstant(serpro)
event.deviceCustomNumber2Label=__stringConstant("Pacotes_Recebidos")
event.deviceCustomString3=conectionType
event.sourceServiceName=securityZoneIngress
event.deviceCustomString2=policy
event.requestClientApplication=userAgent
event.deviceCustomString1=process
event.name=ruleReasons
event.deviceCustomString5=ruleName
event.flexString1Label=__stringConstant("Intelligence_Matching_IP")
event.deviceCustomString4=clientType
event.destinationPort=destinationPort
event.sourceAddress=sourceIPaddress
event.deviceCustomString3Label=__stringConstant("Tipo_de_Conexao")
event.flexNumber1=fileEvents
event.deviceAddress=deviceIPaddress
event.destinationDnsDomain=referencedHost
event.message=ruleAction
event.destinationAddress=destinationIPaddress
event.flexNumber2=numberOfIPSEvents
event.transportProtocol=protocol
event.deviceCustomString1Label=__stringConstant("Sequential_Fuel_Injection_Management_System")
event.bytesOut=responderBytes
event.flexNumber1Label=__stringConstant("Qtd_Eventos")
event.deviceCustomString4Label=__stringConstant("Tipo_de_Cliente")
event.requestContext=urlReputation
event.deviceOutboundInterface=interfaceEgress
event.applicationProtocol=applicationProtocol

event.requestUrl=requestUrl


#l10n.filename.prefix=

Knowledge Partner

Re: Why my IPAddress mapping is string type?

I would change any(!) appearance of
token[x].type=IPAddress
to
token[x].type=String

and

event.xAddress=__oneOfAddress(xIPaddress)

This is the way most of the original parsers do it as well.

 

Cheers

A

Micro Focus Frequent Contributor

Re: Why my IPAddress mapping is string type?

Another trick you can use is to assign the IP field to the source/destination/deviceHostName field. If it is an IPAddress, it will automatically be moved to the source/destination/deviceAddress field. This is a trick commonly used to handle events that provide an IP or a hostname in the same field.
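An added example, not from the thread or from ArcSight, that checks the posted regex against the posted log line the way the replies suggest: it undoes the .properties escaping, full-matches the line, confirms the 31 tokens, and then models __oneOfAddress and the hostName fallback in Python. The connector's internal behaviour is only approximated; one_of_address, ip_token_values and address_or_hostname are hypothetical names.

```python
import ipaddress
import re

# Constructed test input: the sample log line and the regex from the posted
# properties file, copied verbatim (Java .properties escaping still applied).
LOG_LINE = "SFIMS: [Primary Detection Engine (1677135a-4bc0-11e3-af15-e6f763c98cfc)][Politica CARRE_10.0.0.2] Connection Type: End, User: Unknown, Client: Web browser, Application Protocol: HTTP, Web App: Unknown, Access Control Rule Name: Regra FWClientes , Access Control Rule Action: Allow, Access Control Rule Reasons: Intrusion Block, URL Category: Unknown, URL Reputation: Risk unknown, URL: http://xxxx.yyyyyy.com/v4, HTTP Referer: Unknown, User Agent: 3.0.2.1 CFNetwork / 758.2.8 Darwin / 15.0.0, Referenced Host: cidadao.sinesp.gov.br, Interface Ingress: s4p1, Interface Egress: s4p2, Security Zone Ingress: Firewall Clientes Externo, Security Zone Egress: Firewall Clientes Interno, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 1, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 5, Responder Packets: 4, Initiator Bytes: 679, Responder Bytes: 622, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 16.29.214.10:40260 -> 89.19.4.154:443"
RAW_REGEX = r"(\\w+)\\\:\\s+\\[[^]]*\\]\\[([^_]*)_([^]]*)\\][^\:]*\\\:\\s+([^,]*)\\,\\s+\\w+\\\:[^\:]*\\s[^,]*\\,\\s+\\w+\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^\:]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,+]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+([^,]*)\\,\\s+[^\:]*\\\:\\s+[^,]*\\,\\s+[^\:]*\\\:\\s(\\d+)\\,\\s[^\:]*\\\:\\s+(\\d+)\\,\\s[^\:]*\\\:\\s(\\d+)\\,\\s[^\:]*\\\:\\s(\\d+)\\,\\s[^\:]*\\\:\\s[^,]*\\,\\s[^{]*\\{([^}]*)\\}\\s([^\:]*)\\\:(\\d+)\\s\\-\\>\\s([^\:]*)\\\:(\\d+)"
TOKEN_COUNT = 31  # token.count from the posted file
IP_TOKENS = {2: "deviceIPaddress", 27: "sourceIPaddress", 29: "destinationIPaddress"}  # the tokens typed IPAddress

def unescape_properties(value):
    """Undo Java .properties escaping (double backslash to single, escaped colon to colon)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_tokens(line, raw_regex=RAW_REGEX):
    """Full-match the line; return the trimmed tokens (trim.tokens=true) or None if it does not match."""
    match = re.compile(unescape_properties(raw_regex)).fullmatch(line)
    if match is None:
        return None
    return [g.strip() if g is not None else None for g in match.groups()]

def one_of_address(*values, ipv6_aware=False):
    """Model of __oneOfAddress: first argument that parses as an IP (IPv4 only unless ipv6_aware), else None."""
    for value in values:
        try:
            addr = ipaddress.ip_address(value.strip())
        except (ValueError, AttributeError):
            continue  # "None", "(null)", hostnames: skip instead of failing the event
        if addr.version == 4 or ipv6_aware:
            return str(addr)
    return None

def ip_token_values(tokens):
    """Feed the three IPAddress tokens through one_of_address, as the replies recommend."""
    return {name: one_of_address(tokens[i]) for i, name in IP_TOKENS.items()}

def address_or_hostname(value):
    """The hostName trick from the last reply: an IP lands in *Address, anything else in *HostName."""
    addr = one_of_address(value, ipv6_aware=True)
    return ("address", addr) if addr is not None else ("hostName", value)
```

Running parse_tokens on a line that the regex does not fully match returns None, which is the case do.unparsed.events=true covers in the posted file.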