bill.lange@gdit Trusted Contributor.

How to ignore data in FlexConnector?

I'm working on a custom FlexConnector for RSA logs and I want to exclude data.  Is that possible and how do I do it?  Below is a sample:

2015-07-14 19:53:34,703, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, randomnonsense1, randomnonsense2, 192.168.1.1, 192.168.2.2, AUTHN_LOGIN_EVENT,13002, SUCCESS, AUTHN_METHOD_SUCCESS, randomnonsense3, randomnonsense4, randomnonsense5, randomnonsense6, User.name, User,name, randomnonsense7, randomnonsense8, 192.168.1.1, servername, 7, 000

The "randomnonsenseX" data changes in every log, so I need to use Regex to identify it, but I don't need or want to parse it into "deviceCustomStringX" or any other field for that matter.

Is this something that can be done with a Regex tag or submessage[0].pattern[0]?

Bill

9 Replies
mschleich Acclaimed Contributor.

Re: How to ignore data in FlexConnector?

Dear Bill,

To exclude something, you have to work the other way around, in fact.

You parse all messages you would like to send to ESM and you use the setting

do.unparsed.events=false

Or use the connector filter-out to prevent the connector from receiving and processing the excluded messages.

submessage.pattern is used to parse complex message pattern with regex, it is not used to exclude events!

I hope this information will be helpful.

Thanks

Kind Regards

Michael

rhope Acclaimed Contributor.

Re: How to ignore data in FlexConnector?

You can define this data in the regex, but if you don't have a capturing group for it then there is no data extracted to map into a token and it will therefore not be sent to ESM etc. by the connector.  Alternatively, given that this appears to be a comma-separated log, you could use a CSV parser and just not map the token to an ArcSight field.

balahasan.v1 Acclaimed Contributor.

Re: How to ignore data in FlexConnector?

Hi Bill,

How about the below option?

Ignore or Include Line

The syntax for the “include” and “ignore” filters is as follows:

line.include.regex=<regular_expression>

line.ignore.regex=<regular_expression>

For example:

line.include.regex=[\\w\\.-]+\\|.*

line.ignore.regex=[\\w\\.-]+\\|.*?\\|.*

Reference:

https://protect724.hp.com/message/42007#42007

https://protect724.hp.com/message/42213#42213

rhope Acclaimed Contributor.

Re: How to ignore data in FlexConnector?

The way I read it is that the requirement is to just exclude particular fields/tokens from being mapped in a particular log line, not ignoring the whole log line.

balahasan.v1 Acclaimed Contributor.

Re: How to ignore data in FlexConnector?

Oops, sorry. Are you talking about Trim.tokens?

sbotharaj Established Member.

Re: How to ignore data in FlexConnector?

I second .  For your case, write a regex the usual way to tokenize all the values, but map ONLY the tokens that you need.  Other tokens (in this case randomnonsenseX) will then be automatically discarded.

Cheers!

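The two approaches suggested in the replies above (a regex that matches the unwanted fields without a capturing group, and a comma split where only some positions are mapped), run over the sample line from the question. This is an added Python illustration, not part of the original posts and not FlexConnector configuration syntax; the field names (ts, logger, src, and so on) are hypothetical.

```python
import re

# Sample line from the question above; "randomnonsenseX" marks fields to drop.
SAMPLE = ("2015-07-14 19:53:34,703, audit.runtime.com.rsa.ims.authn.impl."
          "AuthenticationBrokerImpl, INFO, randomnonsense1, randomnonsense2, "
          "192.168.1.1, 192.168.2.2, AUTHN_LOGIN_EVENT,13002, SUCCESS, "
          "AUTHN_METHOD_SUCCESS, randomnonsense3, randomnonsense4, "
          "randomnonsense5, randomnonsense6, User.name, User,name, "
          "randomnonsense7, randomnonsense8, 192.168.1.1, servername, 7, 000")

# Approach 1: regex. SKIP consumes one field but is a non-capturing group,
# so nothing it matches can end up in a token. Field names are hypothetical.
SKIP = r"(?:[^,]*,\s*)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}),\s*"
    r"(?P<logger>[^,]+),\s*(?P<level>[^,]+),\s*" + SKIP + r"{2}"
    r"(?P<src>[^,]+),\s*(?P<dst>[^,]+),\s*"
    r"(?P<action>[^,]+),\s*(?P<action_id>\d+),\s*"
    r"(?P<result>[^,]+),\s*(?P<reason>[^,]+),\s*" + SKIP + r"{4}"
    r"(?P<user>[^,]+),")

def parse_regex(line):
    """Return only the captured fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

# Approach 2: split on commas and keep only the mapped positions.
# The comma inside the timestamp splits it in two, which shifts every
# later index by one; fields 0 and 1 are rejoined below.
WANTED = {2: "logger", 3: "level", 6: "src", 7: "dst", 8: "action",
          9: "action_id", 10: "result", 11: "reason", 16: "user"}

def parse_csv(line):
    """Tokenize every field, but return only the positions listed in WANTED."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) <= max(WANTED):
        return None  # too few fields to be this log format
    event = {"ts": fields[0] + "," + fields[1]}
    event.update((name, fields[i]) for i, name in WANTED.items())
    return event

if __name__ == "__main__":
    for name, value in parse_regex(SAMPLE).items():
        print(f"{name:10} {value}")
```

Both functions return the same ten fields for the sample line, and none of the randomnonsenseX values appear in the result.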
Michel Beaudry Outstanding Contributor.

Re: How to ignore data in FlexConnector?

Bala,

I believe Trim.tokens would only be used to remove leading and trailing white spaces and Tabs from token values.

balahasan.v1 Acclaimed Contributor.

Re: How to ignore data in FlexConnector?

Thanks Michel. I got lost again. OMG I forgot flex. Now understood the requirement.

Can we have Sub message with Conditional Mapping? Hope it helps for Simple Event multiple formats.

Correct me if I am wrong.

A single Event has more field mapping sometimes or Less field mapping. So ideally he wants to ignore few field mappings on both the cases

I think Conditional mapping under sub message will fit in for this?

sbotharaj Established Member.

Re: How to ignore data in FlexConnector?

The situation, from what I read, is that his messages are consistent - having the same values.  All he needs is to ignore the values he does not want. For which 's response is fitting, alright?
