The configuration (.properties) file holds the FlexConnector parser that is used to parse the raw logs into ArcSight events.
There are 4 steps to creating a FlexConnector configuration file:
1. Define a parsing mechanism (regex or delimiter)
2. Identify and name tokens
3. Map tokens to the ArcSight schema
4. Map device severity to ArcSight severity
FLEX CONFIGURATION FILE LOCATION (IMPORTANT)
The parser file lives under $ARCSIGHT_HOME/current/user/agent/flexagent/ on the connector host (syslog sub-agent parsers in its syslog/ subdirectory); the connector reads it at start-up, so restart the connector after changing it.
SELECTING A FLEX CONNECTOR TYPE
Log File FlexConnector - for fixed-format (delimited) log files; real-time log collection
Regex Log File FlexConnector - for variable-format log files; real-time log collection
Regex Folder Follower - reads log files from a folder in batch mode
Regex Multiple Folder Follower - reads log files from multiple folders; real-time and batch mode
Time-based FlexConnector - reads event rows from database tables, selected by a timestamp column
ID-based FlexConnector - reads event rows from database tables, selected by an ID column
The sample configuration that follows uses the Syslog FlexConnector type; the raw event it parses is:
My application: Intruder Detected from 1.1.1.1 to 2.2.2.2 High
SAMPLE CONFIGURATION FILE
A configuration file is made up of these sections:
Parsing mechanism
Token declaration
Event mapping to the ArcSight schema
Severity mapping
Extra processors (optional)
TOKEN DECLARATION
Each token is declared with token[n].name and token[n].type (plus token[n].format for Date, Time and TimeStamp); the supported types are:
Integer
Date
IPAddress
Long
MacAddress
RegexToken
String
Time
TimeStamp
EVENT MAPPING
For example (each ArcSight event field is assigned the name of a token):
event.name=Token1
event.message=Token2
SEVERITY MAPPING
Example (the device's own severity value is mapped to one of the ArcSight levels veryhigh, high, medium, low or unknown; several device values may be listed, comma separated):
event.deviceSeverity=Token1
severity.map.veryhigh.if.deviceSeverity=23,54
severity.map.low.if.deviceSeverity=56
severity.map.medium.if.deviceSeverity=64
CONSOLIDATED CONFIGURATION FILE
comments.start.with=#
delimiter=,
token.count=5
token[0].name=Time_of_the_event
token[0].type=TimeStamp
token[0].format=yyyy-MM-dd HH:mm:ss
token[1].name=ClientIp
token[1].type=IPAddress
token[2].name=Method
token[2].type=String
token[3].name=URL
token[3].type=String
token[4].name=Status
token[4].type=String
event.deviceReceiptTime=Time_of_the_event
event.sourceAddress=ClientIp
event.deviceSeverity=Status
event.requestUrl=URL
event.requestMethod=Method
event.deviceVendor=__getVendor("MyVendor")
event.deviceProduct=__stringConstant("MyProduct")
severity.map.veryhigh.if.deviceSeverity=404,500
severity.map.medium.if.deviceSeverity=303,302
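The following Python script is an added example, not part of the original slides and not ArcSight code: it reads FlexConnector-style settings of the kind shown in the sections above and runs them over log lines, so a parser file can be checked offline before it is installed on a connector. It covers both parsing mechanisms: a constructed regex-type config for the syslog sample event "My application: Intruder Detected from 1.1.1.1 to 2.2.2.2 High" (the regex, token names and severity values there are this example's own choices) and the consolidated delimited config from this slide, run over a constructed web-server log line. The __getVendor lookup is simplified to returning its argument.

```python
import ipaddress
import re
from datetime import datetime

# Constructed regex-type parser for the page's syslog sample. The regex, token
# names and severity values are this example's own choices, not the page's.
SYSLOG_CONFIG = r"""
regex=(.+?): Intruder Detected from (\\S+) to (\\S+) (\\S+)
token.count=4
token[0].name=App
token[0].type=String
token[1].name=SrcIp
token[1].type=IPAddress
token[2].name=DstIp
token[2].type=IPAddress
token[3].name=Sev
token[3].type=String
event.name=__stringConstant("Intruder Detected")
event.message=App
event.sourceAddress=SrcIp
event.destinationAddress=DstIp
event.deviceSeverity=Sev
severity.map.high.if.deviceSeverity=High,Critical
severity.map.low.if.deviceSeverity=Low
"""

# The page's consolidated delimited config, with token.count corrected to 5.
DELIMITED_CONFIG = r"""
comments.start.with=#
delimiter=,
token.count=5
token[0].name=Time_of_the_event
token[0].type=TimeStamp
token[0].format=yyyy-MM-dd HH:mm:ss
token[1].name=ClientIp
token[1].type=IPAddress
token[2].name=Method
token[2].type=String
token[3].name=URL
token[3].type=String
token[4].name=Status
token[4].type=String
event.deviceReceiptTime=Time_of_the_event
event.sourceAddress=ClientIp
event.deviceSeverity=Status
event.requestUrl=URL
event.requestMethod=Method
event.deviceVendor=__getVendor("MyVendor")
event.deviceProduct=__stringConstant("MyProduct")
severity.map.veryhigh.if.deviceSeverity=404,500
severity.map.medium.if.deviceSeverity=303,302
"""

# Java date-format letters used on the page -> strptime; other letters are not handled.
_JAVA = {"yyyy": "%Y", "MMM": "%b", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def load_properties(text):
    """key=value lines, '#' comments dropped, backslash escapes resolved as in Java .properties."""
    return {k.strip(): re.sub(r"\\(.)", r"\1", v.strip())
            for k, _, v in (line.strip().partition("=") for line in text.splitlines())
            if k.strip() and not k.startswith("#")}


def convert(value, ttype, fmt=None):
    """Enforce the declared token type; a value that does not fit raises ValueError."""
    if ttype in ("Integer", "Long"):
        return int(value)
    if ttype == "IPAddress":
        return str(ipaddress.ip_address(value))
    if ttype in ("TimeStamp", "Date", "Time"):
        return datetime.strptime(value, re.sub("|".join(_JAVA), lambda m: _JAVA[m.group(0)], fmt))
    return value  # String, MacAddress: kept as text


def build_event(props, raw_line):
    """Parsing mechanism -> typed tokens -> event field mapping -> severity mapping."""
    if "regex" in props:
        m = re.fullmatch(props["regex"], raw_line)  # the whole line must match
        if not m:
            return None  # regex did not match: the line is an unparsed event
        values = m.groups()
    else:
        values = raw_line.split(props["delimiter"])  # fixed format: positional fields
    try:
        tokens = {props[f"token[{i}].name"]: convert(values[i], props[f"token[{i}].type"],
                                                    props.get(f"token[{i}].format"))
                  for i in range(int(props["token.count"]))}
    except (ValueError, IndexError):
        return None  # a token failed its type check, or the line has too few fields
    event = {}
    for key, expr in props.items():
        if key.startswith("event."):
            fn = re.fullmatch(r'__(?:stringConstant|getVendor)\("(.*)"\)', expr)
            event[key[6:]] = fn.group(1) if fn else tokens[expr]  # __getVendor simplified
    dev = str(event.get("deviceSeverity", ""))
    for key, vals in props.items():
        lvl = re.fullmatch(r"severity\.map\.(\w+)\.if\.deviceSeverity", key)
        if lvl and dev in [v.strip() for v in vals.split(",")]:
            event["agentSeverity"] = lvl.group(1)
    return event
```

Calling build_event(load_properties(DELIMITED_CONFIG), "2024-05-01 10:22:31,203.0.113.7,GET,/admin/login,404") yields an event with sourceAddress 203.0.113.7, deviceSeverity 404 and agentSeverity veryhigh; a line whose ClientIp field is not an address, or that has fewer than five fields, yields None rather than a half-populated event, which is the behaviour you want to confirm for every typed token before trusting a parser in production.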
DATABASE FLEX CONNECTOR
Time based Connector example
SUB-MESSAGES
Example (token declaration for Cisco PIX syslog messages):
token.count=5
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=MMM dd HH\:mm\:ss
token[1].name=PixIP
token[1].type=IPAddress
token[2].name=PixSeverity
token[2].type=String
token[3].name=SubmessageIdToken
token[3].type=String
token[4].name=SubmessageToken
token[4].type=String
EXAMPLE CONTINUED
submessage.messageid.token=SubmessageIdToken
# the token that holds the message identifier
submessage.token=SubmessageToken
# the token that contains the actual sub-message text
submessage.count=1
# one sub-message ID is defined (106015)
submessage[0].messageid=106015
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=Deny (\\S+) \\(no connection\\)
submessage[0].pattern[0].fields=event.transportProtocol
submessage[0].pattern[0].types=String
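Added example, not from the slides and not ArcSight code: the sub-message dispatch described above, simulated in Python over constructed Cisco PIX syslog lines. The token declaration and the 106015 entry are the ones shown above; the main regex that fills the five tokens, the event mappings, the second sub-message entry for message ID 106023 and the sample lines are this example's assumptions. Whether ArcSight anchors a sub-message pattern only at the start of the sub-message or requires a full match is not stated on the slide, so the pattern is anchored at the start only; the Timestamp token is kept as a String to keep the focus on sub-messages.

```python
import ipaddress
import re

# Constructed config: the page's token declaration and 106015 sub-message, plus a
# main regex, event mappings, a second sub-message (PIX 106023) and sample lines
# that are this example's own additions.
CONFIG = r"""
regex=(\\w+ +\\d+ \\d+:\\d+:\\d+) (\\S+) %PIX-(\\d)-(\\d+): (.*)
token.count=5
token[0].name=Timestamp
token[0].type=String
token[1].name=PixIP
token[1].type=IPAddress
token[2].name=PixSeverity
token[2].type=String
token[3].name=SubmessageIdToken
token[3].type=String
token[4].name=SubmessageToken
token[4].type=String
event.deviceAddress=PixIP
event.deviceSeverity=PixSeverity
event.deviceEventClassId=SubmessageIdToken
event.message=SubmessageToken
submessage.messageid.token=SubmessageIdToken
submessage.token=SubmessageToken
submessage.count=2
submessage[0].messageid=106015
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=Deny (\\S+) \\(no connection\\)
submessage[0].pattern[0].fields=event.transportProtocol
submessage[0].pattern[0].types=String
submessage[1].messageid=106023
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=Deny (\\S+) src \\S+:(\\S+)/(\\d+) dst \\S+:(\\S+)/(\\d+)
submessage[1].pattern[0].fields=event.transportProtocol,event.sourceAddress,event.sourcePort,event.destinationAddress,event.destinationPort
submessage[1].pattern[0].types=String,IPAddress,Integer,IPAddress,Integer
"""

# Constructed syslog lines in Cisco PIX message format (documentation addresses).
SAMPLE_LINES = [
    "Jun 12 10:15:22 192.0.2.1 %PIX-6-106015: Deny TCP (no connection) from 203.0.113.5/4444 to 192.0.2.10/80 flags RST on interface outside",
    "Jun 12 10:15:23 192.0.2.1 %PIX-4-106023: Deny udp src outside:203.0.113.9/53 dst inside:192.0.2.20/53 by access-group outside_in",
    "Jun 12 10:15:24 192.0.2.1 %PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.2/443",
]


def load_properties(text):
    """key=value lines, '#' comments dropped, backslash escapes resolved as in Java .properties."""
    return {k.strip(): re.sub(r"\\(.)", r"\1", v.strip())
            for k, _, v in (line.strip().partition("=") for line in text.splitlines())
            if k.strip() and not k.startswith("#")}


def typed(value, ttype):
    """Apply the declared token type (the subset of the page's types used here)."""
    if ttype in ("Integer", "Long"):
        return int(value)
    if ttype == "IPAddress":
        return str(ipaddress.ip_address(value))
    return value


def parse(props, raw_line):
    """Main regex -> tokens -> base event fields, then sub-message dispatch on the message id."""
    m = re.fullmatch(props["regex"], raw_line)
    if not m:
        return None
    tokens = {props[f"token[{i}].name"]: typed(m.group(i + 1), props[f"token[{i}].type"])
              for i in range(int(props["token.count"]))}
    event = {key[6:]: tokens[name] for key, name in props.items() if key.startswith("event.")}
    msg_id = tokens[props["submessage.messageid.token"]]
    sub_text = tokens[props["submessage.token"]]
    event["submessageMatched"] = False  # diagnostic flag for this script, not an ArcSight field
    for i in range(int(props["submessage.count"])):
        if props[f"submessage[{i}].messageid"] != msg_id:
            continue  # only the entry whose messageid equals the token value is tried
        for j in range(int(props[f"submessage[{i}].pattern.count"])):
            p = f"submessage[{i}].pattern[{j}]"
            sm = re.match(props[p + ".regex"], sub_text)  # anchored at the start only (assumption)
            if not sm:
                continue  # try the next pattern declared for this message id
            fields = props[p + ".fields"].split(",")
            types = props[p + ".types"].split(",")
            for field, ttype, value in zip(fields, types, sm.groups()):
                event[field[6:]] = typed(value, ttype)
            event["submessageMatched"] = True
            break
    return event
```

Running parse over SAMPLE_LINES shows the three outcomes a practitioner should test for: 106015 sets transportProtocol from the slide's pattern, 106023 fills five fields from one pattern whose fields and types lists line up with its capture groups, and 302013, which has no sub-message entry, keeps only the base fields. A mismatch between the number of capture groups and the length of the fields/types lists is the usual mistake here; zip silently truncates it in this script, so count them by hand.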
CONDITIONAL MAPPING
Scenario:
If the event ID is 532 or 534, set the ArcSight field event.sourceAddress to 3.3.3.3; if the event ID is 533, set event.sourceUserName to root.
EXAMPLE
(This example covers a different case from the scenario above: a status code held in deviceCustomString3 selects the event class ID, and an action code held in deviceAction selects the event name. The field named in conditionalmap[n].field is read from the event after the main mapping, and a mapping applies when that value is one of its comma-separated values.)
conditionalmap.count=2
conditionalmap[0].field=event.deviceCustomString3
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=04
conditionalmap[0].mappings[0].event.deviceEventClassId=__stringConstant("Posted")
conditionalmap[0].mappings[1].values=03
conditionalmap[0].mappings[1].event.deviceEventClassId=__stringConstant("Pending")
conditionalmap[1].field=event.deviceAction
conditionalmap[1].mappings.count=2
conditionalmap[1].mappings[0].values=01
conditionalmap[1].mappings[0].event.name=__stringConstant("Internal Account Transfer")
conditionalmap[1].mappings[1].values=02
conditionalmap[1].mappings[1].event.name=__stringConstant("External Account Transfer")
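Added example, not from the slides and not ArcSight code: the conditionalmap semantics in Python, applied both to a constructed config for the scenario stated above (which the slide's own example does not cover) and to the slide's example itself. The slide does not say which event field carries the event ID, so deviceEventClassId is assumed; the constant values use the same __stringConstant form as the slide.

```python
import re

# Constructed config for the page's scenario: event id 532 or 534 sets sourceAddress,
# 533 sets sourceUserName. Using deviceEventClassId as the event-id field is an
# assumption of this example.
SCENARIO_CONFIG = r"""
conditionalmap.count=1
conditionalmap[0].field=event.deviceEventClassId
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=532,534
conditionalmap[0].mappings[0].event.sourceAddress=__stringConstant("3.3.3.3")
conditionalmap[0].mappings[1].values=533
conditionalmap[0].mappings[1].event.sourceUserName=__stringConstant("root")
"""

# The page's own example, unchanged apart from the rejoined line breaks.
PAGE_CONFIG = r"""
conditionalmap.count=2
conditionalmap[0].field=event.deviceCustomString3
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=04
conditionalmap[0].mappings[0].event.deviceEventClassId=__stringConstant("Posted")
conditionalmap[0].mappings[1].values=03
conditionalmap[0].mappings[1].event.deviceEventClassId=__stringConstant("Pending")
conditionalmap[1].field=event.deviceAction
conditionalmap[1].mappings.count=2
conditionalmap[1].mappings[0].values=01
conditionalmap[1].mappings[0].event.name=__stringConstant("Internal Account Transfer")
conditionalmap[1].mappings[1].values=02
conditionalmap[1].mappings[1].event.name=__stringConstant("External Account Transfer")
"""


def load_properties(text):
    """key=value lines, '#' comments dropped, backslash escapes resolved as in Java .properties."""
    return {k.strip(): re.sub(r"\\(.)", r"\1", v.strip())
            for k, _, v in (line.strip().partition("=") for line in text.splitlines())
            if k.strip() and not k.startswith("#")}


def apply_conditional_maps(props, event):
    """For each conditionalmap[i] in order: read the named field from the event produced by
    the main mapping; if its value is one of a mapping's comma-separated values, apply every
    event.* assignment of that mapping. Values that match no mapping leave the event as is.
    Because maps run in order, a later map sees fields set by an earlier one."""
    event = dict(event)  # do not mutate the caller's event
    for i in range(int(props.get("conditionalmap.count", 0))):
        field = props[f"conditionalmap[{i}].field"][6:]  # strip the "event." prefix
        current = str(event.get(field, ""))
        for j in range(int(props[f"conditionalmap[{i}].mappings.count"])):
            prefix = f"conditionalmap[{i}].mappings[{j}]."
            if current not in [v.strip() for v in props[prefix + "values"].split(",")]:
                continue
            for key, expr in props.items():
                if key.startswith(prefix + "event."):
                    fn = re.fullmatch(r'__stringConstant\("(.*)"\)', expr)
                    event[key[len(prefix) + 6:]] = fn.group(1) if fn else expr
    return event
```

With SCENARIO_CONFIG, an event carrying deviceEventClassId 532 has its sourceAddress overwritten with 3.3.3.3 even if the main mapping had already set one, 533 gains sourceUserName root and leaves sourceAddress alone, and any other ID is passed through untouched; that overwrite is worth remembering when a conditional map targets a field the main mapping also fills.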
EXTRA PROCESSOR
An extra processor hands one field of the already-parsed event (here event.message) to a second parser file so that the text can be broken down further. type is the kind of parser file (regex); filename names that parser file, looked up under the flexagent directory when flexagent=true; field is the event field whose value is handed over; clearfieldafterparsing controls whether that field is emptied once the extra processor has parsed it.
extraprocessor.count=1
extraprocessor[0].type=regex
extraprocessor[0].filename=netiq/netaiq
extraprocessor[0].field=event.message
extraprocessor[0].flexagent=true
extraprocessor[0].clearfieldafterparsing=false
EXTRA PROCESSOR TYPE
EXAMPLE (two extra processors chained on the same field; they are applied in index order)
extraprocessor.count=2
extraprocessor[0].type=regex
extraprocessor[0].field=event.message
extraprocessor[0].filename=DataSetParser
extraprocessor[0].clearfieldafterparsing=false
extraprocessor[0].flexagent=true
extraprocessor[1].type=regex
extraprocessor[1].field=event.message
extraprocessor[1].filename=DataSetParser1
extraprocessor[1].clearfieldafterparsing=false
extraprocessor[1].flexagent=true
MULTILINE REGEX
To support multi-line messages, the configuration file must define where a message starts and where it ends (multiline.starts.regex and multiline.ends.regex); the lines in between are joined into one event before the parsing regex is applied.
SAMPLE MULTILINE LOG FILE
|01/01/2005 11:00:50|1.1.1.1|7663|2.2.2.2|80|this
is
a
message
that
takes
multiple
lines|
|01/01/2005 11:00:51|1.1.1.1|7663|2.2.2.2|80|this
is another large message that takes
multiple lines|
SAMPLE
multiline.starts.regex=\|\d+/\d+/\d+ \d+:\d+:\d+\|.*
multiline.ends.regex=.*\|$
In the .properties file (backslashes doubled, colons escaped), together with the parsing regex and the token declaration:
multiline.starts.regex=\\|\\d+/\\d+/\\d+ \\d+\:\\d+\:\\d+\\|.*
multiline.ends.regex=.*\\|$
regex=\\|(.*?)\\|(\\S+)\\|(\\d+)\\|(\\S+)\\|(\\d+)\\|(.*)\\|
token.count=6
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=MM/dd/yyyy HH\:mm\:ss
token[1].name=SourceAddress
token[1].type=IPAddress
token[2].name=SourcePort
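Added example, not from the slides and not ArcSight code: record assembly with multiline.starts.regex and multiline.ends.regex, followed by the parsing regex, run in Python over the sample log above. Tokens 3 to 5 (DestinationAddress, DestinationPort, Message) are not on the slide and are assumed here, as is the handling of an unterminated record and of lines that fall outside any record; the joined record is matched with DOTALL so that the final (.*) group can span lines, which is also an assumption about the engine.

```python
import ipaddress
import re
from datetime import datetime

# The page's multi-line settings and regex, with the token list completed: tokens 3-5
# (DestinationAddress, DestinationPort, Message) are this example's assumption.
CONFIG = r"""
multiline.starts.regex=\\|\\d+/\\d+/\\d+ \\d+\:\\d+\:\\d+\\|.*
multiline.ends.regex=.*\\|$
regex=\\|(.*?)\\|(\\S+)\\|(\\d+)\\|(\\S+)\\|(\\d+)\\|(.*)\\|
token.count=6
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=MM/dd/yyyy HH\:mm\:ss
token[1].name=SourceAddress
token[1].type=IPAddress
token[2].name=SourcePort
token[2].type=Integer
token[3].name=DestinationAddress
token[3].type=IPAddress
token[4].name=DestinationPort
token[4].type=Integer
token[5].name=Message
token[5].type=String
"""

# The page's sample multi-line log (both records starting with '|').
SAMPLE_LOG = """\
|01/01/2005 11:00:50|1.1.1.1|7663|2.2.2.2|80|this
is
a
message
that
takes
multiple
lines|
|01/01/2005 11:00:51|1.1.1.1|7663|2.2.2.2|80|this
is another large message that takes
multiple lines|"""

_JAVA = {"yyyy": "%Y", "MMM": "%b", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def load_properties(text):
    """key=value lines, '#' comments dropped, backslash escapes resolved as in Java .properties."""
    return {k.strip(): re.sub(r"\\(.)", r"\1", v.strip())
            for k, _, v in (line.strip().partition("=") for line in text.splitlines())
            if k.strip() and not k.startswith("#")}


def assemble_records(props, lines):
    """Join physical lines into logical records: a line matching multiline.starts.regex opens
    a record, later lines are appended until one matches multiline.ends.regex. A new start
    while a record is open flushes the unterminated record; lines outside any record are
    dropped and counted. Both of those choices are this example's, not stated on the slide."""
    starts = re.compile(props["multiline.starts.regex"])
    ends = re.compile(props["multiline.ends.regex"])
    records, dropped, current = [], 0, None
    for line in lines:
        if starts.fullmatch(line):
            if current is not None:
                records.append("\n".join(current))
            current = [line]
        elif current is None:
            dropped += 1
            continue
        else:
            current.append(line)
        if ends.fullmatch(line):
            records.append("\n".join(current))
            current = None
    if current is not None:
        records.append("\n".join(current))
    return records, dropped


def parse_records(props, lines):
    """Apply the parsing regex to each assembled record and return the typed tokens."""
    rx = re.compile(props["regex"], re.DOTALL)  # DOTALL: (.*) may span the joined lines (assumption)
    events = []
    for record in assemble_records(props, lines)[0]:
        m = rx.fullmatch(record)
        if not m:
            continue  # record did not match: unparsed event
        tokens = {}
        for i in range(int(props["token.count"])):
            name, ttype, value = props[f"token[{i}].name"], props[f"token[{i}].type"], m.group(i + 1)
            if ttype == "TimeStamp":
                fmt = re.sub("|".join(_JAVA), lambda j: _JAVA[j.group(0)], props[f"token[{i}].format"])
                tokens[name] = datetime.strptime(value, fmt)
            elif ttype == "Integer":
                tokens[name] = int(value)
            elif ttype == "IPAddress":
                tokens[name] = str(ipaddress.ip_address(value))
            else:
                tokens[name] = value
        events.append(tokens)
    return events
```

parse_records(load_properties(CONFIG), SAMPLE_LOG.splitlines()) returns two token sets whose Message values still contain the original line breaks. Note that (\S+) in the slide's regex also matches the '|' separator, so the correct split of the address and port fields is only reached by backtracking; [^|]+ is the tighter choice for pipe-delimited fields and is worth preferring in a parser you intend to keep.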
FUTURE CONCEPTS