syslog parser for remapping some fields
I need to remap certain fields of the log based on what we receive from our servers on the standard syslog daemon connector. I would appreciate it if someone could help me out with the generic basic steps of how to create a parser that would process a syslog message in addition to the standard parser.
For instance I need to map event.deviceCustomString6=_SYSLOG_SOURCE_ADDR
Thanks in advance.
This can be achieved using additional mapping. But please note that you can only map the fields to the ones that are available in the ArcSight database. You cannot create new fields.
The problem is I do not know how to do it on a connector level and cannot find information about it. I have tried to find it in the flex connector developer guide, but without success.
Apart from the raw events, check whether the "_SYSLOG_SOURCE_ADDR" is getting captured in any of the logs.
If yes, please share the sample log with me and I will provide you a fix.
Thank you for replying. I am not sure what is required to check, but I can confirm that this variable was not used for this connector. Support recommended this token to use for a syslog source that does not have the IP address of the source in the log itself. Hence the need to create a parser in addition to the standard one.
I think what he meant is that if you provide a sample of the non-standard log source, it would be easier to help you out.
If you don't have direct access to the raw log, you can open your connector in ESM, under its options enable "Include Raw Events", then open up one of the Base events that you don't get to work, and copy the raw event included in the Base Event details page.
The IP address still has to be in the log itself, and a regular expression has to be written to make sure the IP is being placed in the correct field/token.
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
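Added example, not from the thread and not ArcSight's own parser code: a Python simulation of the mapping the reply above describes. A regular expression parses the syslog header; if the HOSTNAME field carries an IP address that value is used, otherwise the code falls back to the address of the sending peer (the role the _SYSLOG_SOURCE_ADDR token plays) and places it in deviceCustomString6. The sample messages are constructed, and field names other than deviceCustomString6 are illustrative.

```python
import ipaddress
import re

# RFC 3164 style header: <PRI>MMM DD HH:MM:SS HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

def is_ip(value: str) -> bool:
    """True if value is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_syslog(raw: str, peer_addr: str) -> dict:
    """Map one raw syslog line to event fields.

    peer_addr is the transport-level source of the message (the equivalent of
    the connector's _SYSLOG_SOURCE_ADDR token, hypothetical name here).
    """
    m = SYSLOG_RE.match(raw)
    if not m:
        # Unparsed message: keep the raw text but still record where it came from
        return {"deviceCustomString6": peer_addr, "rawEvent": raw}
    pri = int(m.group("pri"))
    host = m.group("host")
    return {
        "deviceHostName": host,
        "deviceSeverity": str(pri & 7),   # low 3 bits of PRI
        "facility": str(pri >> 3),        # remaining bits of PRI
        "message": m.group("rest"),
        # Prefer an IP carried in the log; otherwise use the peer address
        "deviceCustomString6": host if is_ip(host) else peer_addr,
    }

# Constructed sample input: (raw line, address the connector received it from)
SAMPLE_EVENTS = [
    ("<34>Oct 11 22:14:15 fw01 sshd[123]: Accepted publickey", "10.0.0.5"),
    ("<34>Oct 11 22:14:15 192.168.1.7 sshd[123]: Failed password", "10.0.0.5"),
    ("garbage line with no syslog header", "10.0.0.9"),
]

if __name__ == "__main__":
    for raw, peer in SAMPLE_EVENTS:
        print(parse_syslog(raw, peer))
```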
I somehow lost track of this post and now need to get back to this issue. What I need is a guide on how to create an additional parser for the standard syslog daemon. I have an idea of how to do it for the Windows logs, but not really for the syslog.