Hi all
I want to return to this question again.
I managed to configure the Flex Connector Regex File so that it doesn't return regex mismatch errors, but events still don't go to the active channel.
Please take a look at my configuration file and tell me what my mistake is.
Configuration file:
# JSON Parser Configuration File
replace.defaults=true
trim.tokens=true
comments.start.with=#
regex=\\{\\s*\\"event\\":\\s*\\{\\s*\\"id\\":\\s*\\"([^\\"]+)\\",\\s*\\"timestamp\\":\\s*\\"([^\\"]+)\\",\\s*\\"source\\":\\s*\\{\\s*\\"ip\\":\\s*\\"([^\\"]+)\\",\\s*\\"port\\":\\s*(\\d+)\\s*\\},\\s*\\"destination\\":\\s*\\{\\s*\\"ip\\":\\s*\\"([^\\"]+)\\",\\s*\\"port\\":\\s*(\\d+)\\s*\\},\\s*\\"details\\":\\s*\\{\\s*\\"type\\":\\s*\\"([^\\"]+)\\",\\s*\\"status\\":\\s*\\"([^\\"]+)\\",\\s*\\"username\\":\\s*\\"([^\\"]+)\\",\\s*\\"error_message\\":\\s*\\"([^\\"]+)\\"\\s*\\}\\s*\\}\\s*\\}
token.count=10
token[0].name=id
token[0].type=String
token[1].name=Date
token[1].type=TimeStamp
# The sample events carry an ISO 8601 timestamp (2024-06-24T12:34:56Z); the format must match that layout, X reads the trailing Z as UTC
token[1].format=yyyy-MM-dd'T'HH:mm:ssX
token[2].name=sourceIp
token[2].type=IPAddress
token[3].name=sourcePort
token[3].type=Integer
token[4].name=destinationIp
token[4].type=IPAddress
token[5].name=destinationPort
token[5].type=Integer
token[6].name=detailsType
token[6].type=String
token[7].name=detailsStatus
token[7].type=String
token[8].name=detailsUserName
token[8].type=String
token[9].name=detailsMessage
token[9].type=String
additionaldata.enabled=false
event.deviceVendor=__stringConstant("JSON")
event.deviceProduct=__stringConstant("JSON Parser")
event.deviceExternalId=id
event.endTime=Date
event.sourceAddress=sourceIp
event.sourcePort=sourcePort
event.destinationAddress=destinationIp
event.destinationPort=destinationPort
event.deviceCustomString1=detailsType
event.deviceCustomString2=detailsStatus
event.deviceCustomString3=detailsUserName
event.message=detailsMessage
#severity.map.veryhigh.if.deviceSeverity=10
#severity.map.high.if.deviceSeverity=8..9
#severity.map.medium.if.deviceSeverity=4..7
#severity.map.low.if.deviceSeverity=0..3
Tested events of two formats:
{
"event": {
"id": "1",
"timestamp": "2024-06-24T12:34:56Z",
"source": {
"ip": "192.168.1.1",
"port": 12345
},
"destination": {
"ip": "10.0.0.1",
"port": 80
},
"details": {
"type": "login_attempt",
"status": "failed",
"username": "user1",
"error_message": "Invalid password"
}
}
}
and
{"event": {"id": "1", "timestamp": "2024-06-24T12:34:56Z", "source": {"ip": "192.168.1.1", "port": 12345}, "destination": {"ip": "10.0.0.1", "port": 80}, "details": {"type": "login_attempt", "status": "failed", "username": "user1", "error_message": "Invalid password"}}}
I used the event file with different extensions: .json and .txt.
Thanks in advance
Bohdan
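An offline check of the posted regex and timestamp format, added here as an example; it is not part of Bohdan's post and not ArcSight code. It assumes two things: that the connector reads the `regex=` value as a Java properties value, so a doubled backslash in the file is one backslash in the pattern, and that the Regex File connector offers the pattern one line of the input file at a time. The names `properties_unescape`, `match_line_by_line`, `match_whole_buffer` and `timestamp_parses` are this example's own, and the `strptime` equivalents of the Java date patterns are my mapping, not the connector's. The two sample events are copied from the post.

```python
import re
from datetime import datetime

# regex= line exactly as it appears in the posted properties file.
POSTED_REGEX_PROPERTY = r'\\{\\s*\\"event\\":\\s*\\{\\s*\\"id\\":\\s*\\"([^\\"]+)\\",\\s*\\"timestamp\\":\\s*\\"([^\\"]+)\\",\\s*\\"source\\":\\s*\\{\\s*\\"ip\\":\\s*\\"([^\\"]+)\\",\\s*\\"port\\":\\s*(\\d+)\\s*\\},\\s*\\"destination\\":\\s*\\{\\s*\\"ip\\":\\s*\\"([^\\"]+)\\",\\s*\\"port\\":\\s*(\\d+)\\s*\\},\\s*\\"details\\":\\s*\\{\\s*\\"type\\":\\s*\\"([^\\"]+)\\",\\s*\\"status\\":\\s*\\"([^\\"]+)\\",\\s*\\"username\\":\\s*\\"([^\\"]+)\\",\\s*\\"error_message\\":\\s*\\"([^\\"]+)\\s*\\}\\s*\\}\\s*\\}'

# The same line with one change: the quote that closes the error_message value
# (\\") is consumed after the tenth capture group, before the closing braces.
FIXED_REGEX_PROPERTY = POSTED_REGEX_PROPERTY.replace(
    r'\\"error_message\\":\\s*\\"([^\\"]+)\\s*\\}',
    r'\\"error_message\\":\\s*\\"([^\\"]+)\\"\\s*\\}',
)

# Constructed copies of the two test events from the post.
COMPACT_EVENT = ('{"event": {"id": "1", "timestamp": "2024-06-24T12:34:56Z", '
                 '"source": {"ip": "192.168.1.1", "port": 12345}, '
                 '"destination": {"ip": "10.0.0.1", "port": 80}, '
                 '"details": {"type": "login_attempt", "status": "failed", '
                 '"username": "user1", "error_message": "Invalid password"}}}')

PRETTY_EVENT = """{
"event": {
"id": "1",
"timestamp": "2024-06-24T12:34:56Z",
"source": {
"ip": "192.168.1.1",
"port": 12345
},
"destination": {
"ip": "10.0.0.1",
"port": 80
},
"details": {
"type": "login_attempt",
"status": "failed",
"username": "user1",
"error_message": "Invalid password"
}
}
}"""


def properties_unescape(value: str) -> str:
    """Java properties rule assumed here: a doubled backslash in the file is one
    backslash in the value. (No \\t, \\n or \\uXXXX escapes occur in this regex.)"""
    return value.replace("\\\\", "\\")


def compile_connector_regex(property_value: str) -> re.Pattern:
    """Turn a regex= property value into a compiled pattern."""
    return re.compile(properties_unescape(property_value))


def match_line_by_line(property_value: str, text: str) -> list:
    """Offer each line separately, as a line-oriented file reader does, and
    return the capture groups of every line that matched."""
    pattern = compile_connector_regex(property_value)
    hits = []
    for line in text.splitlines():
        found = pattern.search(line)
        if found:
            hits.append(found.groups())
    return hits


def match_whole_buffer(property_value: str, text: str):
    """Match against the entire text at once, which only a multi-line reader would do."""
    found = compile_connector_regex(property_value).search(text)
    return found.groups() if found else None


# Java SimpleDateFormat patterns and the strptime equivalents used here (mapping
# assumed: yyyy->%Y, MM->%m, dd->%d, HH->%H, mm->%M, ss->%S, SSS->%f, X->%z).
POSTED_TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"   # yyyy-MM-dd HH:mm:ss.SSS (posted)
ISO_TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"       # yyyy-MM-dd'T'HH:mm:ssX (fits the samples)


def timestamp_parses(value: str, strptime_format: str) -> bool:
    """True when the timestamp token would parse under the given format."""
    try:
        datetime.strptime(value, strptime_format)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, prop in (("posted", POSTED_REGEX_PROPERTY), ("fixed", FIXED_REGEX_PROPERTY)):
        print(f"{label} regex, capture groups: {compile_connector_regex(prop).groups}")
        print(f"  compact event, line by line: {match_line_by_line(prop, COMPACT_EVENT)}")
        print(f"  pretty event, line by line:  {match_line_by_line(prop, PRETTY_EVENT)}")
        print(f"  pretty event, whole buffer:  {match_whole_buffer(prop, PRETTY_EVENT)}")
    ts = "2024-06-24T12:34:56Z"
    print("timestamp under posted format:", timestamp_parses(ts, POSTED_TS_FORMAT))
    print("timestamp under ISO format:   ", timestamp_parses(ts, ISO_TS_FORMAT))
```

Run as a script, it shows three things worth knowing before touching the connector again: the posted regex never matches either event, because after the tenth group `([^\"]+)` stops at the quote that closes `Invalid password` and the pattern then expects `}` where that quote stands; with that one quote added, the compact one-line event yields all ten tokens while the pretty-printed event yields nothing when read line by line and only matches as a single buffer; and the posted `yyyy-MM-dd HH:mm:ss.SSS` format rejects the ISO 8601 timestamp the events carry, so the TimeStamp token would fail even after the regex matches.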