Hi
I have several events that I process as one common event using a flex connector:
Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 100.000.0.0:33333 c0ad05273533495f VERIFY OK: depth=0, SN=First Name Last Name, GN=First Name Last Name, CN= First Name Last Name, O=Organization location, OU=organization number, title=job title, L=City, ST=Area, street=Street, 12, C=UA, serialNumber=D2860A18EHF2C8A6
Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 100.000.0.0:33333 2b1b87219c3f3e8e [First Name Last Name] Peer Connection Initiated with [AF_INET] 100.000.0.0:33333
Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 2baa95c133e13816 MULTI: new connection by client 'Откидач Юлія Ігорівна' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: c01a044a53b7e127 MULTI: Learn: 100.000.0.0 -> First Name Last Name /100.000.0.0:33333
For processing, I use an extra processor and multiline.
My configuration file:
# CEF Parser Configuration File
# Main parser: joins the related syslog lines into one event and splits it
# into date / host / service / message tokens.
replace.defaults=true
trim.tokens=true
comments.start.with=#
# An event starts at the "VERIFY OK" line carrying CN= and ends at the
# "Learn: ... -> ..." line.
multiline.starts.regex=(\\w{3} \\d{2} \\d{2}:\\d{2}:\\d{2})\\s(\\S+)\\s(\\S+\\[\\d+\\]):[\\s\\S]*?CN=([^,]+).*
multiline.ends.regex=->\\s.*
# Everything after "service[pid]" goes into the Message token.
regex=(\\w{3} \\d{2} \\d{2}:\\d{2}:\\d{2})\\s(\\S+)\\s(\\S+\\[\\d+\\])(.*)
token.count=4
token[0].name=Date
token[0].type=TimeStamp
token[0].format=MMM dd HH:mm:ss
token[1].name=HostName
token[1].type=String
token[2].name=ServiceId
token[2].type=String
token[3].name=Message
token[3].type=String
additionaldata.enabled=false
event.deviceVendor=__stringConstant(Test)
event.deviceProduct=__stringConstant(Test)
event.endTime=Date
event.deviceHostName=HostName
event.deviceCustomString1=ServiceId
event.message=Message
# Both extra processors re-parse event.message and leave it in place
# (clearfieldafterparsing=false).
extraprocessor.count=2
extraprocessor[0].type=regex
extraprocessor[0].filename=dsns_real_extra1
extraprocessor[0].field=event.message
extraprocessor[0].flexagent=true
extraprocessor[0].clearfieldafterparsing=false
extraprocessor[1].type=regex
extraprocessor[1].filename=dsns_real_extra2
extraprocessor[1].field=event.message
extraprocessor[1].flexagent=true
extraprocessor[1].clearfieldafterparsing=false
And the extra processor file:
# CEF Parser Configuration File
# Extra processor: pulls the client socket, the certificate subject
# attributes (CN, O, OU, title, L, ST, street) and the learned address
# out of event.message.
replace.defaults=true
trim.tokens=true
comments.start.with=#
regex=[\\s\\S]*:\\s(\\d.+):(\\d+)[\\s\\S]*?CN=([^,]+),\\sO=([^,]+),\\sOU=([^,]+),\\stitle=([^,]+),\\sL=([^,]+),\\sST=([^,]+),\\sstreet=([^,]+(?:,\\s[^,]+)?)(?:,\\sC=[^,]+)?[\\s\\S]*?Learn:\\s([^\\s]+).*
token.count=10
token[0].name=SourceAddress
token[0].type=IPAddress
token[1].name=SourcePort
token[1].type=Integer
token[2].name=CN
token[2].type=String
token[3].name=O
token[3].type=String
token[4].name=OU
token[4].type=String
token[5].name=Title
token[5].type=String
token[6].name=L
token[6].type=String
token[7].name=ST
token[7].type=String
token[8].name=Street
token[8].type=String
token[9].name=Destination
token[9].type=IPAddress
additionaldata.enabled=false
event.sourceAddress=SourceAddress
event.sourcePort=SourcePort
event.deviceCustomString2=CN
event.deviceCustomString3=O
event.deviceCustomString4=OU
event.deviceCustomString5=Title
event.deviceCustomString6=L
event.flexString1=ST
event.flexString2=Street
event.deviceAddress=Destination
The problem is that for every incoming event I get a "Denial of service event filtering triggered" event.
As far as I know, this is a reaction to trying to give one of the fields more data than it can hold, but I don't understand in which field this is happening, and I wouldn't say that there is too much information going somewhere.
They say that because of this, some data is compressed and may not arrive in full. Please tell me whether this will affect event collection and whether it is possible to lose part of the information for a certain field or fields.
Thanks in advance
Bohdan
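As an added example (not code from the post, and not ArcSight's own implementation), the script below replays the posted pipeline in Python: the multiline assembly, the main regex, and the extra processor regex are run over the four sample lines, and then every mapped field is measured so you can see which one receives the bulk of the data. It goes one step further than the post by also running the same lines with 48-character names, which shows how each repetition of the name inside the joined multi-line event adds to the message field. Assumptions the page does not state: lines are joined with a newline during multiline assembly, the main regex is applied so that its trailing `(.*)` spans the whole joined event (re.DOTALL here), `multiline.ends.regex` only has to occur somewhere in the line, and the per-field size limits are illustrative placeholders to be checked against your own connector and ESM schema. The Cyrillic client name in the MULTI line is replaced by the placeholder the poster used everywhere else.

```python
"""Replay the posted FlexConnector pipeline and measure every mapped field.

Added example, not code from the post or from ArcSight. Assumed (not stated on
the page): multiline assembly joins lines with a newline; the main regex's
trailing (.*) spans the whole joined event (re.DOTALL); multiline.ends.regex
only needs to occur somewhere in a line; the size limits are placeholders.
"""
import re

# Constructed sample: the four syslog lines from the post, with the Cyrillic
# client name in the MULTI line replaced by the poster's placeholder.
SAMPLE_LINES = [
    "Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 100.000.0.0:33333 c0ad05273533495f "
    "VERIFY OK: depth=0, SN=First Name Last Name, GN=First Name Last Name, CN= First Name Last Name, "
    "O=Organization location, OU=organization number, title=job title, L=City, ST=Area, "
    "street=Street, 12, C=UA, serialNumber=D2860A18EHF2C8A6",
    "Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 100.000.0.0:33333 2b1b87219c3f3e8e "
    "[First Name Last Name] Peer Connection Initiated with [AF_INET] 100.000.0.0:33333",
    "Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: 2baa95c133e13816 MULTI: new connection "
    "by client 'First Name Last Name' will cause previous active sessions by this client to be dropped. "
    "Remember to use the --duplicate-cn option if you want multiple clients using the same certificate "
    "or username to concurrently connect.",
    "Jul 22 08:10:28 02-IBZ-KPXGTW-08 desktop-users-srv[2640834]: c01a044a53b7e127 MULTI: Learn: "
    "100.000.0.0 -> First Name Last Name /100.000.0.0:33333",
]

# Regexes copied from the posted configuration (properties-file escaping removed).
START_RE = re.compile(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2})\s(\S+)\s(\S+\[\d+\]):[\s\S]*?CN=([^,]+).*")
END_RE = re.compile(r"->\s.*")
MAIN_RE = re.compile(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2})\s(\S+)\s(\S+\[\d+\])(.*)", re.DOTALL)
EXTRA_RE = re.compile(
    r"[\s\S]*:\s(\d.+):(\d+)[\s\S]*?CN=([^,]+),\sO=([^,]+),\sOU=([^,]+),\stitle=([^,]+),"
    r"\sL=([^,]+),\sST=([^,]+),\sstreet=([^,]+(?:,\s[^,]+)?)(?:,\sC=[^,]+)?[\s\S]*?Learn:\s([^\s]+).*"
)
# Token order of each regex, expressed directly as the mapped event fields.
MAIN_FIELDS = ["endTime", "deviceHostName", "deviceCustomString1", "message"]
EXTRA_FIELDS = ["sourceAddress", "sourcePort", "deviceCustomString2", "deviceCustomString3",
                "deviceCustomString4", "deviceCustomString5", "deviceCustomString6",
                "flexString1", "flexString2", "deviceAddress"]

# Illustrative limits only (assumption); confirm against your connector/ESM schema.
ASSUMED_LIMITS = {"message": 1023, "flexString1": 1023, "flexString2": 1023,
                  **{f"deviceCustomString{i}": 4000 for i in range(1, 7)}}


def assemble_multiline(lines):
    """A line matching START_RE opens an event; later lines are appended until END_RE occurs."""
    events, current = [], None
    for line in lines:
        if current is None:
            if START_RE.match(line):
                current = [line]
            continue  # assumption: lines outside an event are ignored
        current.append(line)
        if END_RE.search(line):
            events.append("\n".join(current))
            current = None
    return events


def parse_event(raw):
    """Main regex, then the extra processor regex over event.message (tokens trimmed)."""
    m = MAIN_RE.match(raw)
    if not m:
        return None
    fields = dict(zip(MAIN_FIELDS, (g.strip() for g in m.groups())))
    x = EXTRA_RE.match(fields["message"])  # message is kept: clearfieldafterparsing=false
    if x:
        fields.update(zip(EXTRA_FIELDS, (g.strip() for g in x.groups())))
    return fields


def parse_sample(lines=SAMPLE_LINES):
    return [parse_event(e) for e in assemble_multiline(lines)]


def field_report(fields):
    """(field, character count) pairs, largest first."""
    return sorted(((k, len(v)) for k, v in fields.items()), key=lambda kv: kv[1], reverse=True)


def oversized_fields(fields, limits=ASSUMED_LIMITS):
    """Fields whose value exceeds the assumed limit: (field, length, limit)."""
    return [(k, len(v), limits[k]) for k, v in fields.items() if k in limits and len(v) > limits[k]]


# Hypothetical 48-character name, to show the effect of realistic name lengths
# repeated across all four lines of the joined event.
LONG_NAME = "Firstname-Firstname Middlename Lastname-Lastname"


def with_long_names(lines, name=LONG_NAME):
    return [line.replace("First Name Last Name", name) for line in lines]


if __name__ == "__main__":
    for label, lines in (("placeholder names", SAMPLE_LINES), ("48-character names", with_long_names(SAMPLE_LINES))):
        fields = parse_sample(lines)[0]
        print(f"== {label} ==")
        for name, n in field_report(fields)[:4]:
            print(f"{name:22s} {n:5d} chars")
        print("over assumed limit:", oversized_fields(fields) or "none")
```

Running it prints the four largest fields for both variants; `message` is always by far the largest, because the multiline assembly puts all four joined lines into it and the extra processor only copies pieces out without clearing it. If the real events carry long Cyrillic names and organisation strings, `message` is the first field to check against the length limit in your schema.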