File Collection: (Optional) Create Custom Content Typespec

Document created by RSA Information Design and Development on May 9, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 6

This topic tells you how to create a custom File Collection typespec file.

Context

This topic tells you how to create a custom typespec for the Log Collector. The topic includes:

  • Create Custom Typespec procedure
  • File Collection Typespec Syntax
  • Sample File Collection

Procedure

To create a custom typespec file:

  1. Copy an existing typespec file and save it to the same directory.
    For example, copy the apache.xml file from /etc/netwitness/ng/logcollection/content/collection/file and save it under a new name in the same directory.
  2. Modify the file according to your requirements.
  3. Restart the Log Collector.
  4. You will not be able to see the new device type in Security Analytics until you restart the Log Collector.

File Collection Typespec Syntax

The following entries list each line of the typespec file (Syntax) followed by its meaning (Description).

<?xml version="1.0" encoding="UTF-8"?>
    Do not modify this line.

<typespec>
    Do not modify this line.

<name>eventsource</name>
    Replace eventsource with the name of your File event source (for example, apache). Security Analytics displays this name in the Sources panel of the View > Config > Event Sources tab.
    Valid value is an alphanumeric string. You cannot use - (dashes), _ (underscores), or spaces. The name must be unique across all typespec files in the folder.

<type>file</type>
    Event source type (file, odbc, windows, and so on). Do not modify this line.

<prettyName>event-source-name</prettyName>
    User-defined name for the event source. You can use the same value as name (for example, apache) or a more descriptive name.

<version>1.0</version>
    Version of this typespec file. Default value is 1.0.

<author>author-name</author>
    Person who created the typespec file. Replace author-name with your name.

<description>formal-description</description>
    Formal description of the event source. Replace formal-description with your description of the event source.

<device>
    Do not modify this line.

<name>event-source</name>
    Event source name. Replace event-source with the name of your File event source (for example, apache).

</device>
    Do not modify this line.

<configuration>
</configuration>
    Not used by File collection.

<collection>
    Do not modify this line.

<file>
    The syntax under <file> is used for event collection and processing.

<parserId>file.event-source-name</parserId>
    Reserved for a future release.

<processorType>processor-type</processorType>
    Processor type. Examples of a processor-type are generic, xml, tagvalmap, and oracle. Processor types are similar to handlers in RSA enVision.

<dataStartLine>n</dataStartLine>
    n is the line number in the log file at which Security Analytics starts collecting events. Default value is 1.

<fieldDelim>x</fieldDelim>
    Delimiter that separates fields. Specify any of the following values for x:
      • || (pipe)
      • ^ (caret)
      • , (comma)
      • : (colon)
      • 0x20 (space)

<idField>n</idField>
    Msg ID (message ID) field number. For example, specify 6 for n to identify the sixth field of the space-delimited event as the Msg ID.

<lineDelim>x</lineDelim>
    Line delimiter that marks the end of an event. For example, specify \n for x, or provide the CR and LF values in hex.

<eventGroups>
    The syntax under <eventGroups> is used only when processorType = xml.

<eventGroup>
    Do not modify this line.

<globalInfo></globalInfo>
    globalInfo XPath. Reads parent node information and adds it to each level.

<eventXPath>//Audit/AuditRecord</eventXPath>
    XPath of the events.

</eventGroup>
    Do not modify this line.

</eventGroups>
    End of the xml processor type tags. Do not modify this line.

File collection uses the following tags during event transformation:

<transformPrefixTag>prefix</transformPrefixTag>
    Inserts the specified prefix in front of the transformed event. For example, if you specify APACHE, Security Analytics inserts %APACHE as the prefix.

<transformReplaceFieldDelim>n</transformReplaceFieldDelim>
    Flag that controls whether the delimiter is replaced during transformation. Valid values for n are:
      • 0 (default) = do not replace
      • 1 = replace

<transformPrefixFilename>n</transformPrefixFilename>
    Flag that controls whether the prefix (for example, APACHE) is added to the filename during transformation. Valid values for n are:
      • 0 (default) = do not add
      • 1 = add

<transformMultipleDelimiterAsOne>n</transformMultipleDelimiterAsOne>
    Flag that controls whether multiple sequential delimiters are combined into one. Valid values for n are:
      • 0 = do not combine
      • 1 (default) = combine

<transformReplacementFieldDelim>x</transformReplacementFieldDelim>
    Replaces the raw field delimiters with the given value x when the transformReplaceFieldDelim flag = 1.

</file>
    Do not modify this line.

</collection>
    Do not modify this line.

</typespec>
    Do not modify this line.

Sample File Collection Typespec File

<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample apache typespec, file collection -->
<typespec>
    <name>apache</name>
    <type>file</type>
    <prettyName>apache</prettyName>
    <version>1.0</version>
    <author>administrator</author>
    <description>FileCollection specification for eventsource type "Apache Web Server" using file handler type "APACHE"</description>
    <device>
        <name>apache</name>
    </device>
    <configuration>
    </configuration>
    <collection>
        <file>
            <!-- The tags below are used for event collection and processing -->
            <parserId>file.apache</parserId>
            <processorType>generic</processorType>
            <dataStartLine>1</dataStartLine>
            <fieldDelim>0x20</fieldDelim>
            <idField>6</idField>
            <lineDelim>\n</lineDelim>
            <!-- The tags below are used only when processorType = xml -->
            <eventGroups>
                <eventGroup>
                    <globalInfo></globalInfo>
                    <eventXPath>//Audit/AuditRecord</eventXPath>
                </eventGroup>
            </eventGroups>
            <!-- End of the xml processorType specific tags -->
            <!-- The tags below are used during event transformation -->
            <transformPrefixTag>APACHE</transformPrefixTag>
            <transformReplaceFieldDelim>0</transformReplaceFieldDelim>
            <transformPrefixFilename>0</transformPrefixFilename>
            <transformMultipleDelimiterAsOne>1</transformMultipleDelimiterAsOne>
            <transformReplacementFieldDelim></transformReplacementFieldDelim>
        </file>
    </collection>
</typespec>
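
As an added example (not part of this guide or of the Log Collector), the following Python script checks a typespec against the rules in the syntax table before you restart the Log Collector: an alphanumeric name that is unique in the folder, type file, a fieldDelim from the listed values, 0/1 transform flags, and an eventXPath when processorType is xml. The sample typespec is constructed, and existing_names stands for the names already used by the other typespec files in the folder.

```python
import re
import xml.etree.ElementTree as ET
SAMPLE_TYPESPEC = r"""<?xml version="1.0" encoding="UTF-8"?>
<typespec>
  <name>apache</name>
  <type>file</type>
  <device><name>apache</name></device>
  <configuration></configuration>
  <collection><file>
    <processorType>generic</processorType>
    <fieldDelim>0x20</fieldDelim>
    <idField>6</idField>
    <transformReplaceFieldDelim>0</transformReplaceFieldDelim>
    <transformPrefixFilename>0</transformPrefixFilename>
    <transformMultipleDelimiterAsOne>1</transformMultipleDelimiterAsOne>
  </file></collection>
</typespec>"""  # constructed sample modelled on the page's apache typespec

ALLOWED_DELIMS = {"||", "^", ",", ":", "0x20"}  # fieldDelim values from the table
FLAG_TAGS = ("transformReplaceFieldDelim", "transformPrefixFilename",
             "transformMultipleDelimiterAsOne")  # 0/1 flags from the table

def text(node, tag, default=""):  # stripped child text, or default when absent
    return (node.findtext(tag) or default).strip()

def validate_typespec(xml_text, existing_names=()):
    """Return a list of problems; an empty list means the typespec passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    name = text(root, "name")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):  # no dashes, underscores or spaces
        problems.append(f"name {name!r} is not alphanumeric")
    if name in existing_names:  # must be unique across the typespec folder
        problems.append(f"name {name!r} is already used by another typespec")
    if root.tag != "typespec" or text(root, "type") != "file":
        problems.append("root must be <typespec> with <type>file</type>")
    f = root.find("collection/file")
    if f is None:
        return problems + ["missing <collection><file> section"]
    if text(f, "fieldDelim") not in ALLOWED_DELIMS:
        problems.append(f"fieldDelim must be one of {sorted(ALLOWED_DELIMS)}")
    for tag in FLAG_TAGS:
        if text(f, tag, "0") not in ("0", "1"):
            problems.append(f"{tag} must be 0 or 1")
    if text(f, "processorType") == "xml" and f.find("eventGroups/eventGroup/eventXPath") is None:
        problems.append("processorType xml requires eventGroups/eventGroup/eventXPath")
    return problems
```

Run it over each file in /etc/netwitness/ng/logcollection/content/collection/file, passing the names collected from the other files as existing_names, and fix every reported problem before restarting the Log Collector.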