Super Contributor.

syslog parser for remapping some fields

Hi, 

I need to remap certain fields of the log based on what we receive from our servers on the standard syslog daemon connector. I would appreciate it if someone could help me out with the generic basic steps of how to create a parser that would process the syslog message in addition to the standard parser.

For instance I need to map event.deviceCustomString6=_SYSLOG_SOURCE_ADDR

Thanks in advance.

10 Replies

Respected Contributor.

Hello,

This can be achieved using additional mapping. But please note that you can only map the fields to the ones that are available in the ArcSight database. You cannot create new fields.

Regards
Sharan Bhat
Super Contributor.

Hi, 

The problem is I do not know how to do it at the connector level and cannot find information about it. I have tried to find it in the FlexConnector developer guide, but without success.

Acclaimed Contributor.

Hi,

You can achieve this via ESM easily. Do the additional data mapping, so you will see the same data in 2 different data fields.

 

Cheers

Gayan

Mr
Trusted Contributor.

Hi there. Do you need the mapping to be available only via the ESM or Logger as well?

Super Contributor.

Hi, I would need it in both Logger and ESM.

Respected Contributor.

Hello,

 

Apart from the raw events, check whether the "_SYSLOG_SOURCE_ADDR" is getting captured in any of the logs.

If yes, please share the sample log with me and I will provide you a fix.

 

regards

Sharan Bhat

Super Contributor.

Hi, 

Thank you for replying. I am not sure what is required to check, but I can confirm that this variable was not used for this connector. Support recommended using this token for a syslog source that does not have the IP address of the source in the log itself. Hence the need to create a parser in addition to the standard one.

Acclaimed Contributor.

I think what he meant is that if you provide a sample of the non-standard log source, it would be easier to help you out.

If you don't have direct access to the raw log, you can open your connector in ESM, under its options enable "Include Raw Events", then open up one of the Base events that you don't get to work, and copy the raw event included in the Base Event details page.

The IP address still has to be in the log itself, and a regular expression has to be written to make sure the IP is being placed in the correct field/token.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
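As an added illustration (not code from this thread or from ArcSight), here is a small Python parser showing the two mappings discussed above: the transport-level sender address, which the thread calls _SYSLOG_SOURCE_ADDR, is copied into deviceCustomString6, while an IP present in the message body is extracted by regex into sourceAddress, falling back to the sender address when the body carries none. The sample lines and addresses are constructed, and the dict layout is an assumption; only the field names mirror the ArcSight fields mentioned in the thread.

```python
import re
from typing import Optional

# Constructed sample input (not from the thread): raw RFC 3164-style syslog
# lines paired with the transport-level sender address the daemon saw, which
# is the value the thread refers to as _SYSLOG_SOURCE_ADDR.
SAMPLE_EVENTS = [
    ("<34>Oct 11 22:14:15 fw01 sshd[1234]: Accepted password for bob from 10.1.2.3 port 22",
     "192.0.2.10"),
    ("<13>Oct 11 22:14:16 app02 myapp: nightly job finished", "192.0.2.11"),
    ("garbage line without a syslog header", "192.0.2.12"),
]

# Header: <PRI>TIMESTAMP HOSTNAME MESSAGE (the day of month may be space-padded).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# IPv4 literal candidates in the message body; octets are range-checked below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def valid_ipv4(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def parse_event(raw: str, syslog_source_addr: str) -> Optional[dict]:
    """Return an ArcSight-style field dict, or None if the header does not parse."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None  # leave unparsable lines to the standard/unparsed path
    event = {
        "deviceHostName": m.group("host"),
        "message": m.group("msg"),
        # The remapping from the question: the transport sender address goes
        # into deviceCustomString6 regardless of what the body contains.
        "deviceCustomString6": syslog_source_addr,
    }
    # An IP inside the body has to be pulled out by regex (Marius's point);
    # when the body has none, fall back to the transport sender address.
    body_ips = [ip for ip in IPV4_RE.findall(m.group("msg")) if valid_ipv4(ip)]
    event["sourceAddress"] = body_ips[0] if body_ips else syslog_source_addr
    return event


if __name__ == "__main__":
    for raw, addr in SAMPLE_EVENTS:
        print(parse_event(raw, addr))
```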
Super Contributor.

Hi guys,

I somehow lost track of this post and now need to get back to this issue. What I need is a guide on how to create an additional parser for the standard syslog daemon. I have an idea of how to do it for the Windows logs, but not really for syslog.

Knowledge Partner

Are you trying to create a subagent (syslog) parser from scratch for a syslog stream, trying to create a parser override, or trying to remap fields?
