Enrichment Sources can be added to an ESA rule by following the SA user guide. However, the additional information does not get added to the Syslog notification.
Modify Syslog template to include the additional data from the Enrichment Sources.
In order to add the information included by an Enrichment Source, please follow the steps below:
1. Open the ESA rule and make a note of the Enrichment Source name under the Enrichment Source column (e.g. TestEnrichment in the accompanying screenshot).
2. Open the template used for the ESA rule from Administration > System > Global Notifications > Templates.
3. Add the following line at the top of the file: <#include "macros.ftl">
4. Add the following line at the desired location within the template: xxx=<@event_meta_last "yyy"/> <#t> where xxx is any string value that marks the start of the added information and yyy is the Enrichment Source name noted in step 1.
5. Save the template and monitor the syslog messages.
6. If the syslog messages still do not include the new information, modify the ESA rule to use another template, save, then select the correct template again, save and deploy the rule, so that the deployed rule uses the right template.
With a csv file containing the following information:
address string,criticality integer,department string
10.10.10.1,1,SALES
and Criticality=<@event_meta_last "TestEnrichment"/> <#t> added to the syslog template, the following is added to the syslog message:
... Criticality=address=10.10.10.1;criticality=1;department=SALES ...
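Downstream, the receiving SIEM or parser has to pick this block back out of the syslog message and restore the column types the CSV header declared (criticality is an integer, but the macro emits everything as text). The following Python parser is an added example written for this article, not part of NetWitness or of the original page; the syslog text around the Criticality block is constructed filler, and it assumes the enrichment values themselves contain no whitespace, since the block is read up to the first space.

```python
import re
from typing import Any, Dict

# Header line of the enrichment CSV from the article: "<name> <type>" per column.
CSV_HEADER = "address string,criticality integer,department string"

# Constructed sample message: only the Criticality=... block follows the
# article's output; the surrounding text is illustrative filler, not real
# ESA template output.
SAMPLE_MESSAGE = (
    "Jan 10 12:00:00 esa-host ESA: TestRule fired for 10.10.10.1 "
    "Criticality=address=10.10.10.1;criticality=1;department=SALES end"
)

# Python types for the column types an enrichment CSV header can declare.
_CASTS = {"string": str, "integer": int}


def column_types(header: str) -> Dict[str, type]:
    """Map each CSV column name to the Python type for its declared type."""
    types: Dict[str, type] = {}
    for column in header.split(","):
        name, kind = column.strip().split()
        types[name] = _CASTS.get(kind, str)
    return types


def parse_enrichment(message: str, label: str, header: str) -> Dict[str, Any]:
    """Extract the key=value pairs that follow '<label>=' in a syslog message.

    The macro joins the CSV row as key=value pairs separated by ';' with no
    spaces, so the block is taken up to the first whitespace (assumption:
    the CSV values contain no whitespace). Values are cast according to the
    CSV header; anything that fails to cast is kept as the raw string.
    """
    match = re.search(rf"(?:^|\s){re.escape(label)}=(\S+)", message)
    if not match:
        return {}
    types = column_types(header)
    fields: Dict[str, Any] = {}
    for pair in match.group(1).split(";"):
        key, sep, value = pair.partition("=")
        if not sep:  # trailing ';' or malformed fragment, skip it
            continue
        try:
            fields[key] = types.get(key, str)(value)
        except ValueError:
            fields[key] = value
    return fields
```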