Honored Contributor

Velocity Template

Hello,

In your velocity template under === Event Details === how do you change:

#foreach( $field in $introspector.fields )

#if( $introspector.getDisplayValue($event, $field).length() > 0 )

${field.fieldDisplayName}: $introspector.getDisplayValue($event, $field)

#end

#end

to display other fields such as sourceUserName, sourceAddress, etc?

I want to create a secondary template for FortiGate events and have changed my Email.vm to:

## Email.vm is a Velocity macro file that serves as a template for the text

## sent for e-mail notifications.

## To change the text sent, edit the text below.

## The following fields are defined by default.

## The notification URL is automatically established by the ArcSight Web server

## host.

## The event URL links to the relevant event as viewed in ArcSight Web.

Notification ID: ${NOTIFICATION_ID}

Escalation Level: ${ESCALATION_LEVEL}

#if($Device Product == "Fortigate")

#parse ("Fortigate.vm")

#else

#parse ("Informative.vm")

Acknowledge this message in one of these ways:

#if(${INCOMING_MAIL_SERVER_CONFIGURED})

* Reply to this e-mail. Include this message's notification ID in your reply.

#end

* Log in to the ArcSight Console and click the Notification button on the tool bar.

* Log in to ArcSight Web at ${NOTIFICATION_URL} and view the Notifications display.

To view the full alert, please go to ${EVENT_URL}.

I do not know how to create a second "Informative.vm" called "FortiGate.vm" which will pull only specific fields I choose. All posts up here do not show clear examples of what info to include and where. Also, if anyone has templates they are willing to post for Windows Events, Cisco ASA logs, etc., please do so.

Thank you,

Acclaimed Contributor

For user name:

Source: $introspector.getDisplayValue($event, $introspector.getField("sourceAddress"))

Source User Name: $introspector.getDisplayValue($event, $introspector.getField("sourceUserName"))


For FortiGate:

#if($introspector.getDisplayValue($event, "deviceProduct") == "Fortigate")

#parse("Fortigate.vm")

#else

#parse("Informative.vm")

#end

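An added example, not part of any post in this thread: a small Python check that every block directive in a `.vm` file is closed before the edited template is deployed, since Velocity cannot parse a template whose `#if` or `#foreach` has no matching `#end`. The function name `check_template` and the two sample strings are constructed here from the snippets above; only block balance is checked, and `#* ... *#` block comments and `#[[ ... ]]#` sections are not handled.

```python
import re

# Velocity directives that open a block and must be closed by #end.
OPENERS = {"if", "foreach", "macro", "define"}
DIRECTIVE = re.compile(r"#\{?(if|foreach|macro|define|end)\b")

def check_template(text):
    """Return (line_number, message) pairs for unbalanced block directives."""
    problems, stack = [], []            # stack holds (directive, line_number)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("##", 1)[0]   # drop Velocity line comments
        for match in DIRECTIVE.finditer(line):
            name = match.group(1)
            if name in OPENERS:
                stack.append((name, lineno))
            elif stack:                 # "#end" closes the innermost open block
                stack.pop()
            else:
                problems.append((lineno, "#end without an open block"))
    problems += [(n, f"#{d} is never closed with #end") for d, n in stack]
    return problems

# Constructed sample: the directive lines of the Email.vm from the question.
QUESTION_EMAIL_VM = '''\
Notification ID: ${NOTIFICATION_ID}
#if($Device Product == "Fortigate")
#parse ("Fortigate.vm")
#else
#parse ("Informative.vm")
Acknowledge this message in one of these ways:
#if(${INCOMING_MAIL_SERVER_CONFIGURED})
* Reply to this e-mail.
#end
'''

# Constructed sample: the #if/#else/#end block from the reply.
ANSWER_EMAIL_VM = '''\
#if($introspector.getDisplayValue($event, "deviceProduct") == "Fortigate")
#parse("Fortigate.vm")
#else
#parse("Informative.vm")
#end
'''

if __name__ == "__main__":
    for label, text in (("question", QUESTION_EMAIL_VM), ("reply", ANSWER_EMAIL_VM)):
        print(label, check_template(text) or "balanced")
```

Run against the question's Email.vm, it reports the outer `#if` on line 2 of the sample as unclosed; the block from the reply passes.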
Honored Contributor

Hello Evgeny,

Thank you for the note.  I changed my Informative.vm file to:

## Informative.vm is a Velocity macro file that serves as a template for the

## informative text that can be included in other notifications.

## This template creates long, detailed messages so it should be used only

## with Email.vm or where appropriate.

## To change the text sent, edit the text below.

## To change the event strings sent, use the values shown in the topic

## "Data Fields" found in Console online Help or Using the ArcSight Console.

=== Event Details ===

Source: $introspector.getDisplayValue($event, $introspector.getField("sourceAddress"))

Source User Name: $introspector.getDisplayValue($event, $introspector.getField("sourceUserName"))


But nothing changed and I did not receive an alert. Please let me know if I am missing something.

Acclaimed Contributor

You do not get notifications? Or do you get them, but with a different pattern?

Honored Contributor

No notifications are sent/received. Would you mind copying your Informative.vm and Email.vm?

Respected Contributor

John,

Do you still need assistance with this?

Absent Member

Hi Dave, John,

Can you please let me know why I am not able to ask questions and select the group or place as "ArcSight"? It is a mandatory field now, but for me it's grayed out. How can I reach a larger audience for the posts?

Regards,

Amit

Respected Contributor

Sounds like something you should ask the administrator of this website.
