WiNC "Denial Of Service" message generated from EMET log
My WiNC connector is periodically generating a built-in "Denial of service event filtering triggered" event when it processes some Microsoft EMET:50 messages. The DOS message complains that the "Field [rawEvent] truncated to ["System":EventId":"50",Version":"","Channel":"Application","ProviderName":"EMET",......
The original EMET message is lost and replaced by the ArcSight DOS message. But I want to retain (a truncated version of) the original message instead.
I am struggling to work out how to generate a parser override that truncates the oversized rawEvent field using conditional mappings, e.g. what I want is an expression that substitutes the rawEvent field in the event with a truncated version. I have tried many things, but it seems that the right-hand side of any expression is not processed if it is from the event itself. E.g. to truncate to 100 characters:
Please can someone advise how this can be achieved?
Re: WiNC "Denial Of Service" message generated from EMET log
Are you sure your original message is getting dropped? The DOS protector usually generates an internal event which is really just complaining about the field being too long and that it is being truncated.