Avaya Aura Communication Manager Modeling Rule

Modeling Rule

Avaya Aura Communication Manager

Details

IDAvaya_Aura_Communication_Manager_ModelingRule
From Version8.4.0

Rules (XIF)

[MODEL: dataset="avaya_communication_manager_raw"]
filter _raw_log !~= ":\s+>#2,"
| alter 
    process_id = arrayindex(regextract(_raw_log, "\[(\d+)\]"), 0),
    process_name = coalesce(
        arrayindex(regextract(_raw_log, "(?:\S+\s+){4}\w+:\s+([\w\-]+)\[\d+") , 0), 
        arrayindex(regextract(_raw_log, "(?:\S+\s+){4}([\w\-]+)") , 0)),
    module_name = rtrim(arrayindex(regextract(_raw_log, "^(?:\S+\s+){5}([\w\(\)\:]+)") , 0), ":"),
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\s*\w+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "^<\d+>\w+\s+\d{1,2}\s+\S+\s+(\S+)"), 0),
    msg = arrayindex(regextract(_raw_log, "(?:\S+\s+){4}\s*(.+)"), 0)
| alter facility_code = floor(divide(syslog_priority, 8))
| alter facility_description = if(facility_code = 0, "kernel messages", facility_code = 1, "user-level messages", facility_code = 2, "mail system", facility_code = 3, "system daemons", facility_code in (4, 10), "security/authorization messages", facility_code = 5, "syslogd", facility_code = 6, "line printer subsystem", facility_code = 7, "network news subsystem", facility_code = 8, "UUCP subsystem", facility_code in (9, 15), "clock daemon", facility_code = 11, "FTP daemon", facility_code = 12, "NTP subsystem", facility_code = 13, "log audit", facility_code = 14, "log alert", facility_code >= 16 and facility_code <= 23, "local")
| alter syslog_severity = to_string(subtract(syslog_priority, multiply(facility_code, 8)))
| alter 
    accessed_web_page = coalesce(
        arrayindex(regextract(msg, "web\s+\S+\s+\d+\s+\w+\s+\S+\s+[sfv\-]:?\S*\s+([^\|]+)"), 0), // web events
        arrayindex(regextract(msg, "web\s+\S+\s{2}\S+\s+\S+\s+[sfv\-]:?\S*\s+([^\|]+)"), 0)), // web events
    accessed_field_name = arrayindex(regextract(msg, "\|\s*(.+?)\s*\|"), 0),  // web events
    accessed_field_value = arrayindex(regextract(msg, "\|[^\|]+\|\s*(.+)"), 0),  // web events
    action_r_status = coalesce( // The status of the action: s: the action was a success. f: the action was a failure other than for a security reason. The letter f could be followed by a colon and an ASCII error code. v: the action was a failure due to a security violation.
        arrayindex(regextract(msg, "sat\s+(?:\S+\s+){5}([sfv]):?\S*\s+"), 0),
        arrayindex(regextract(msg, "web\s+\S+\s+\d+\s+\w+\s+\S+\s+([sfv]):?\S*\s+"), 0), 
        arrayindex(regextract(msg, "web\s+\S+\s{2}\S+\s+\S+\s+([sfv]):?\S*\s+"), 0)),
    action_r_status_reason = coalesce( // //  The letter f could be followed by a colon and an ASCII error code. e.g., f:1234
        arrayindex(regextract(msg, "sat\s+(?:\S+\s+){5}[sfv]:(\S+)\s+"), 0),
        arrayindex(regextract(msg, "web\s+\S+\s+\d+\s+\w+\s+\S+\s+[sfv]:(\S+)\s+"), 0),
        arrayindex(regextract(msg, "web\s+\S+\s{2}\S+\s+\S+\s+[sfv]:(\S+)\s+"), 0)),
    attempt_num = arrayindex(regextract(msg, "Attempt\s+(\d+)") , 0),
    attempt_outcome = arrayindex(regextract(msg, "Attempt\s+\d+\s+(\w+)") , 0),
    ip_evt_reason = arrayindex(regextract(msg, "reason=\s*(.+)"), 0), // IPEVT events 
    msg_outcome = if(msg ~= "fail|error|unsuccess", "fail", msg ~= "success", "success"),
    pid = coalesce(
        arrayindex(regextract(msg, "pid\s+(\d+)\s+\w+") , 0), // defsat: SAT_auth:session events 
        arrayindex(regextract(msg, "\sPID=(\d+)") , 0)), // History events 
    ppid = arrayindex(regextract(msg, "(?:PPID=|session\s+\d+\s+parent\s+)(\d+)") , 0),  // logmanager: SAT_auth:tui03: & History events 
    protocol = coalesce(
        arrayindex(regextract(msg, "from \S+ port \d+ (\w+)"), 0), //sshd events  
        arrayindex(regextract(msg, "via (\w+):"), 0)), // snmpd events
    pwd = arrayindex(regextract(msg, "PWD=(\S+)"), 0), // sudo events 
    session_id = arrayindex(regextract(msg, "session\s+(\d+)\s+parent") , 0),
    sid = coalesce(
        arrayindex(regextract(msg, "Sid\s+([a-fA-F\d]+)\s+\w+") , 0), // logmanager: SAT_auth:tui03: 
        arrayindex(regextract(msg, "\ssat (\d+)") , 0)), // sat events 
    operation = coalesce(
        arrayindex(regextract(msg, "Login\s+\S+\s+Sid\s+\S+\s+(\S+)") , 0), // logmanager: SAT_auth:tui03: 
        arrayindex(regextract(_raw_log, "sat (?:\S+\s+){5}[sfv]\s+\S+\s+(.+)"), 0),
        arrayindex(regextract(msg, "IPEVT\s+(\w+)"), 0)),
    src_board = arrayindex(regextract(msg, "board=(\S+)"), 0), // IPEVT events  
    src_ip = coalesce(
        arrayindex(regextract(msg, "web\s+(\S+)"), 0), // web events 
        arrayindex(regextract(msg, "ip=(\S+)"), 0), // IPEVT events 
        arrayindex(regextract(msg, "rhost\s*\[([^\]]+)"), 0), // pam_asg events 
        arrayindex(regextract(msg, "from (\S+) port \d+"), 0), // sshd events 
        arrayindex(regextract(msg, "\[([^\]]+)\]:\d+\->"), 0), // snmptrapd events 
        arrayindex(regextract(msg, "sat (?:\S+\s+){6}(\S+)"), 0)), // sat events
    src_net_reg = arrayindex(regextract(msg, "net_reg=\s*(\d+)"), 0), // IPEVT events 
    src_port = coalesce(
        arrayindex(regextract(msg, "from \S+ port (\d+)"), 0), // sshd events
        arrayindex(regextract(msg, "\[[^\]]+\]:(\d+)\->"), 0)), // snmpd events 
    user_uid = coalesce(arrayindex(regextract(msg, "(?i)uid=(\d+)"), 0), arrayindex(regextract(msg, "(?:sat|web)\s+\S+\s+(\d+)"), 0)),
    user_profile = coalesce( // The access profile number assigned to the user.
            arrayindex(regextract(msg, "(?:sat(?:\s+\w+){4}|web\s+\S+\s+\d+\s+\w+)\s+(\d+)"), 0),  
            arrayindex(regextract(msg, "web\s+\S+\s{2}\S+\s+(\d+)"), 0)),
    user_uname = coalesce(
        arrayindex(regextract(msg, "(?:sat|web)\s+\S+\s+\d+\s+(\w+)"), 0), // sat & web events
        arrayindex(regextract(msg, "web\s+\S+\s{2}(\w+)"), 0), // web events 
        arrayindex(regextract(msg, "Login for \[([^\]]+)"), 0), // pam_asg events 
        arrayindex(regextract(msg, "(?:Accepted \S+|session \w+) for (?:user )?(\S+)"), 0), // sshd events 
        arrayindex(regextract(msg, "sudo:\s*(\S+)\s*:?"), 0), // sudo events 
        arrayindex(regextract(msg, "Login\s+(\S+)\s+(?:Sid|new session)") , 0), // logmanager: SAT_auth:tui03: events 
        arrayindex(regextract(msg, "for user (\S+)"), 0), // cron events 
        arrayindex(regextract(msg, "user name:(\S+)"), 0), // pam_root_login events 
        if(process_name ~= "(?i)(cron)", arrayindex(regextract(msg, "^\(([^\)]+)"), 0))), // cron events
    target_cmd = coalesce(
        arrayindex(regextract(msg, "CMD\s+\(([^\)]+)"), 0), // cron events  
        arrayindex(regextract(msg, "COMMAND=(.+)"), 0),
        if(process_name = "-bash" or msg ~= "HISTORY", arrayindex(regextract(msg, "UID=\d+\s+(.+)"), 0))), // sudo events 
    target_ip = arrayindex(regextract(msg, "\->\[([^\]]+)\]:\d+"), 0), // snmpd events 
    target_ip_addresses = arrayrange(regextract(msg, "ip=[\sT]?([\d\.\:]+)"), 1, 10), // IPEVT events
    target_port = arrayindex(regextract(msg, "\->\[[^\]]+\]:(\d+)"), 0), // snmpd events 
    target_net_reg = arrayindex(regextract(msg, "net_reg=\s*(\d+)"), 1), // snmpd events 
    target_username = coalesce(
        arrayindex(regextract(msg, "USER=(\S+)"), 0), // sudo events
        if(process_name ~= "(?i)(cron)", arrayindex(regextract(msg, "^\(([^\)]+)"), 0))), // crond events 
    tty = coalesce(
        arrayindex(regextract(msg, "TTY=(\S+)"), 0), // sudo events 
        arrayindex(regextract(msg, "tty\s*\[([^\]]+)"), 0)) // login pam_asg events 
| alter target_ip_addresses = arrayconcat(target_ip_addresses, arraycreate(target_ip))
| alter event_outcome = coalesce(msg_outcome, attempt_outcome)
| alter 
    event_type = if(msg ~= "\s+sat\s+", "SAT", module_name = "web", "Web Activity", module_name = "IPEVT", module_name, module_name ~= ":|HISTORY", concat(process_name, " : ", module_name), process_name),
    event_outcome = if(action_r_status = "s" or event_outcome = "success", XDM_CONST.OUTCOME_SUCCESS, action_r_status in ("f", "v") or event_outcome = "fail", XDM_CONST.OUTCOME_FAILED),
    facility = concat(to_string(facility_code), " (", facility_description, ")"),
    src_ipv4 = if(src_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", src_ip),
    src_ipv6 = if(src_ip ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}", src_ip),
    target_ipv4_addresses = arrayfilter(target_ip_addresses, "@element" ~= "(?:\d{1,3}\.){3}\d{1,3}"),
	target_ipv6_addresses = arrayfilter(target_ip_addresses, "@element" ~= "(?:[a-fA-F\d]{0,4}\:){7}[\wa-fA-F]{0,4}")
| alter 
    xdm.alert.severity = syslog_severity,
    xdm.event.description = msg,
    xdm.event.log_level = if(syslog_severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, syslog_severity = "1", XDM_CONST.LOG_LEVEL_ALERT, syslog_severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, syslog_severity = "3", XDM_CONST.LOG_LEVEL_ERROR, syslog_severity = "4", XDM_CONST.LOG_LEVEL_WARNING, syslog_severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, syslog_severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, syslog_severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, syslog_severity),
    xdm.event.operation_sub_type = operation,
    xdm.event.outcome = event_outcome,
    xdm.event.outcome_reason = coalesce(action_r_status_reason, ip_evt_reason),
    xdm.event.type = event_type,
    xdm.network.ip_protocol = protocol,
    xdm.network.session_id = session_id,
    xdm.observer.type = facility,
    xdm.source.host.device_category = src_board,
    xdm.source.host.device_id = src_net_reg,
    xdm.source.interface = tty,
    xdm.source.ipv4 = src_ipv4,
    xdm.source.ipv6 = src_ipv6,
    xdm.source.host.hostname = syslog_hostname,
    xdm.source.port = to_integer(src_port),
    xdm.source.process.executable.directory = pwd,
    xdm.source.process.name = process_name,
    xdm.source.process.parent_id = coalesce(ppid, sid),
    xdm.source.process.pid = to_integer(coalesce(pid, process_id, session_id)),
    xdm.source.sent_packets = to_integer(attempt_num),
    xdm.source.user.groups = if(user_profile != null, arraycreate(user_profile)),
    xdm.source.user.identifier = user_uid,
    xdm.source.user.username = user_uname,
    xdm.target.host.device_id = target_net_reg,
    xdm.target.host.ipv4_addresses = target_ipv4_addresses,
    xdm.target.host.ipv6_addresses = target_ipv6_addresses,
    xdm.target.ipv4 = arrayindex(target_ipv4_addresses, 0),
    xdm.target.ipv6 = arrayindex(target_ipv6_addresses, 0),
    xdm.target.port = to_integer(target_port),
    xdm.target.process.command_line = target_cmd,
    xdm.target.resource.id = accessed_field_name,
    xdm.target.resource.name = accessed_web_page,
    xdm.target.resource.value = accessed_field_value,
    xdm.target.user.username = target_username;

Schema

avaya_communication_manager_raw

Field Type Array?
_raw_log string
Raw JSON
{
    "avaya_communication_manager_raw": {
        "_raw_log": {
            "type": "string",
            "is_array": false
        }
    }
}