How do we properly categorize events with different fields populating needed information to categorize the event?
2017-09-28 15:14:31.930^^AUDIT^^User Management Service^^samplehost^^Logged in. User's last login date updated^^themountain@westoros^^Login^^SUCCESS
Login and success are parsed into two different fields. How do we categorize events that have multiple values, so that this event is categorized properly? This event would be categorized as:
One of the two :
What inside of the log parser can we do this with? It's not sustainable for any customer to have hundreds/thousands of app rules to manage/deploy (and ensure they are consistently deployed).
Yes. We can customize the existing parser using the ESI tool. Please use the screenshot below for reference.
1. Identify the message ID
2. Then mention Event Category
That's statically assigning values to categories, which is not a good practice. We leverage tag value maps to make our parsers as dynamic as possible; the fewer header/message parsers, the better. So we now have situations where we cannot statically assign a category (successful authentication, for instance) to an event that populates event.type = login and result = successful into two different tags. I need a method where we can use the log parsing engine to properly categorize events whose values are placed in two separate tags, using some advanced logic to properly categorize the events.
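One way to express the two-field categorization the thread asks for, as an added example that is not part of the thread and not a NetWitness parser feature: a Python pre-processor that splits the ^^-delimited audit line quoted above and looks the category up on the (event.type, result) pair instead of a single field. The field order, the extra sample lines and the category names are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the same ^^-delimited layout as the one quoted
# in the thread. Field order is an assumption for this example.
SAMPLE_LINES = [
    "2017-09-28 15:14:31.930^^AUDIT^^User Management Service^^samplehost^^"
    "Logged in. User's last login date updated^^themountain@westoros^^Login^^SUCCESS",
    "2017-09-28 15:16:02.104^^AUDIT^^User Management Service^^samplehost^^"
    "Login rejected. Bad password^^themountain@westoros^^Login^^FAILURE",
    "2017-09-28 15:20:44.511^^AUDIT^^User Management Service^^samplehost^^"
    "Logged out^^themountain@westoros^^Logout^^SUCCESS",
]

FIELD_NAMES = ("timestamp", "level", "service", "host", "message",
               "user", "event_type", "result")

# Composite tag value map keyed on the (event.type, result) pair. A static
# per-message-ID category cannot express this; the combination decides.
# Category names are illustrative, not taken from any product.
EVENT_CATEGORY_MAP: Dict[Tuple[str, str], str] = {
    ("login", "success"): "User.Activity.Successful Logins",
    ("login", "failure"): "User.Activity.Failed Logins",
    ("logout", "success"): "User.Activity.Logoffs",
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one ^^-delimited audit line into named fields."""
    parts = line.split("^^")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    return dict(zip(FIELD_NAMES, parts))


def categorize(event: Dict[str, str]) -> Optional[str]:
    """Derive the category from the combination of two parsed tags.

    Returns None for a combination the map does not cover, so unmapped
    events are visible for review rather than silently mislabelled.
    """
    key = (event["event_type"].strip().lower(), event["result"].strip().lower())
    return EVENT_CATEGORY_MAP.get(key)


def categorize_lines(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (user, category) for each line; unmapped lines carry None."""
    events = [parse_line(line) for line in lines]
    return [(e["user"], categorize(e)) for e in events]
```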