Rules (XIF)
[MODEL: dataset=hpe_switch_raw]
/* -------------------------------------------------------------------------------------------------------------------
Event Log Reference:
https://www.arubanetworks.com/techdocs/AOS-Switch/16.10/Aruba%20Event%20Log%20Message%20Reference%20Guide%20for%20AOS-S%20Switch%2016.10.pdf
------------------------------------------------------------------------------------------------------------------*/
filter _raw_log !~= "%\S+\-\d\-\S+:" and _raw_log !~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(?:Z|[\+\-]\d{2}:\d{2})" // exclude AOS-CX (ISO-8601 timestamped) logs handled in the dedicated block below
| alter // Extract the common message parts
device_ip = arrayindex(regextract(_raw_log, "^.+?((?:\d{1,3}\.){3}\d{1,3})(?:\s+\d+)? \S+?: "), 0),
event_id = to_integer(ltrim(arrayindex(regextract(_raw_log, "\s+(\d+)\s+\S+?:\s+") , 0), "0")),
facility = uppercase(arrayindex(regextract(_raw_log, "\s+(\S+?):\s+") , 0)),
msg = arrayindex(regextract(_raw_log, "\s+\S+?:\s+(.+)") , 0),
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>") , 0))
| alter severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter // Extract the varying dynamic fields from the message payload
access_mode = if(
event_id in (2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3216, 3217, 3218, 3356, 3357), arrayindex(regextract(msg, "^(\S+) client"), 0),
event_id in (3351, 3352, 3353, 3354, 3355), arrayindex(regextract(msg, "^(\S+)\s*\:"), 0),
event_id in (3211, 3212, 3213), arrayindex(regextract(msg, "received on port \S+ for (\S+) client"), 0),
event_id = 3350, arrayindex(regextract(msg, "^(\S+) unable to permit client"), 0),
event_id in (5212, 5213, 5722, 5724, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "to (\S+) client"), 0)),
cmd = if(
event_id in (992, 993), arrayindex(regextract(msg, "command (.+)\."), 0),
event_id in (3393, 3394), arrayindex(regextract(msg, "[Cc]ommand (.+) is"), 0)),
dhcp_server_ip = if(event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip ((?:\d{1,3}\.){3}\d{1,3})"), 0)),
gateway_ip = if(event_id = 5451, arrayindex(regextract(msg, "vlan \S+ \(?(\S+)\)?"), 0)),
gateway_name = if(event_id in (5595, 5596, 5597, 5598, 5599, 5600), arrayindex(regextract(msg, "gateway (\S+)"), 0)),
ip_mask = if(
event_id = 17, arrayindex(regextract(msg, "mask ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
event_id in (25, 26), arrayindex(regextract(msg, "address ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
event_id = 753, arrayindex(regextract(msg, "failure\:\s*((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0)),
mac_address = if(
event_id = 5, arrayindex(regextract(msg, "at ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (20, 21, 288, 334, 5681, 5682, 5683, 5684, 5731), arrayindex(regextract(msg, "(?:mac|MAC)[\s\-]+(?:address|ADDRESS) ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (845, 952, 958, 959, 960, 961, 2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3273, 3274, 3281, 3283, 3350, 3356, 3357, 3822, 4987), arrayindex(regextract(msg, "(?:mac|MAC)\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 2581, arrayindex(regextract(msg, "MAC address of ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (354, 858), arrayindex(regextract(msg, "address ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 348, arrayindex(regextract(msg, "error:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 352, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) moved from"), 0),
event_id = 353, arrayindex(regextract(msg, "Received Update Packet from ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 355, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) MISMATCH"), 0),
event_id = 451, arrayindex(regextract(msg, "Upgrade ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 452, arrayindex(regextract(msg, "config with ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (453, 3282), arrayindex(regextract(msg, "switch ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (592, 594), arrayindex(regextract(msg, "\S+\s*:\s*(?:Move )?((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (613, 2209), arrayindex(regextract(msg, "MAC add for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5212, 5213, 5411, 5722, 5724), arrayindex(regextract(msg, "to ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (839, 3816), arrayindex(regextract(msg, "from \S+\s*:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (870, 2690, 4548, 4556, 4565), arrayindex(regextract(msg, "from\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 915, arrayindex(regextract(msg, "source:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (979, 4588, 4880), arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) on port"), 0),
event_id = 2431, arrayindex(regextract(msg, "multicast ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 714, 716, 718, 719, 720, 721, 722, 856, 2539, 2540, 2541, 3211, 3212, 3213, 3214, 3215, 3216, 3217, 3218, 3351, 3352, 3355, 3358, 4575, 5563, 5619, 5620, 5621, 5723, 5726, 5743, 5744, 5747, 5748, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5906, 5907, 5940, 5941), arrayindex(regextract(msg, "(?:client|Client):?\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (2720, 3354, 4590, 5385), arrayindex(regextract(msg, "for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 3280, arrayindex(regextract(msg, "Member ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (4572, 4573, 4874), arrayindex(regextract(msg, "packet ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id = 4980, arrayindex(regextract(msg, "got ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5120, 5121, 5143, 5144, 5145, 5146), arrayindex(regextract(msg, "device ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5122, 5123), arrayindex(regextract(msg, "Aruba AP ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
event_id in (5406, 5407), arrayindex(regextract(msg, "user ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
coalesce( // default fallback
arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0))),
outcome_reason = if(
event_id in (5076, 5230, 5240, 5244, 5246, 5261), rtrim(arrayindex(regextract(msg, "[Ee]rror:?\s*(?:\=?\s*)?(.+)"), 0), "."),
event_id in (2204, 5254), arrayindex(regextract(msg, "error:?\s*(?:\=?\s*)?(.+) (?:occurred|on)"), 0),
event_id = 5682, arrayindex(regextract(msg, "reason (.+)\-\s*server"), 0),
event_id = 5222, arrayindex(regextract(msg, "server:\s*(.+)"), 0),
event_id in (5236, 5239, 5243, 5247, 5248, 5249, 5250, 5251, 5233, 5234), arrayindex(regextract(msg, "with error (?:\=\s*)(.+)"), 0),
event_id in (5241, 5242), arrayindex(regextract(msg, "string is (.+)"), 0),
event_id in (132, 134, 4187, 4188), arrayindex(regextract(msg, "msg:? (.+)"), 0),
event_id = 542, arrayindex(regextract(msg, "Skipped:\s*(.+)"), 0),
event_id in (2614, 2218), arrayindex(regextract(msg, "failed:\s*(.+)"), 0),
event_id = 609, arrayindex(regextract(msg, "from \S+ \(?(.+?)\)?\s*\-"), 0),
event_id = 2419, arrayindex(regextract(msg, "Received (.+) packet"), 0),
event_id in (5081, 5619), arrayindex(regextract(msg, " as (\.+)\."), 0),
event_id in (5602, 5604, 5606, 5623, 5867, 5869), arrayindex(regextract(msg, "because of (.+)\."), 0),
event_id = 158, arrayindex(regextract(msg, "line \S+\s*(.+)"), 0),
event_id in (686, 687, 3032, 3033, 3841, 3842, 3843), msg,
event_id in (3380, 3381), arrayindex(regextract(msg, "ERR:\s*(.+)"), 0),
event_id in (648, 2007, 2413, 3370), arrayindex(regextract(msg, "failed:?\s*(.+)"), 0),
event_id = 4252, arrayindex(regextract(msg, "start:\s*(.+)"), 0),
event_id = 3258, arrayindex(regextract(msg, "failed due to \s*(.+)"), 0),
event_id = 655, arrayindex(regextract(msg, "VLAN\.\s*(.+)"), 0),
event_id = 669, arrayindex(regextract(msg, "caution (.+)"), 0),
event_id = 5620, arrayindex(regextract(msg, "role (.+)"), 0),
event_id in (3152, 3278, 3279, 4872, 5407, 5408), arrayindex(regextract(msg, "[Rr]eason:?\s*(.+)"), 0),
event_id = 63, arrayindex(regextract(msg, "down:\s*(.+)"), 0),
event_id = 273, arrayindex(regextract(msg, "\S+\s*\-\s*(.+)"), 0),
event_id = 4892, arrayindex(regextract(msg, "Got (.+)\."), 0),
event_id = 3006, arrayindex(regextract(msg, "reboot: (.+)"), 0),
event_id in (4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949), arrayindex(regextract(msg, "failed\s*;\s*(.+)"), 0)),
policy_name = if(
event_id = 5816, arrayindex(regextract(msg, "list \'(.+?)\'"), 0),
event_id = 5817, arrayindex(regextract(msg, "class \'(.+?)\'"), 0),
event_id in (2655, 2659, 2661), arrayindex(regextract(msg, "apply \'(.+?)\'"), 0),
event_id in (2637, 2638, 2652, 2653, 2654, 2656, 3025, 5215, 5745, 5746), arrayindex(regextract(msg, "[Pp]olicy (?:is\s+)?\'(.+?)\'"), 0)),
interface_port_id = if(
event_id in (76, 77, 324, 725, 826, 827, 828, 840, 841, 844, 848, 849, 884, 885, 886, 887, 888, 889, 927, 972, 975, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4584, 4593, 4646, 4647, 5161, 5162, 5834), arrayindex(regextract(msg, "^[Pp]ort ([\w\/]+)"), 0),
event_id in (725, 826, 827, 848, 849, 885, 927, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4646, 4647, 5161, 5162), arrayindex(regextract(msg, "^Port ([\w\/]+) (?:with|released|changed|inhibited|blocked|unblocked|disabled|has|is|\-)"), 0),
event_id in (346, 347, 348, 350, 351, 353, 356, 447), arrayindex(regextract(msg, "^([\w\/]+)\s*[\-]+\s*(?:ACK|Received|detected|initialized|established|not established)"), 0), //
event_id in (822, 823), arrayindex(regextract(msg, "^(?:Created|Deleted) ([\w\/]+)"), 0),
event_id in (883, 3381, 3815), arrayindex(regextract(msg, "Port ([\w\/]+) (?:has|communications|moved)"), 0),
event_id in (2640, 2641, 2642, 2643, 2644), arrayindex(regextract(msg, "src I\/F ([\w\/]+) (?:is|has)"), 0),
event_id in (4667, 4670), arrayindex(regextract(msg, "on Interface ([\w\/]+)"), 0),
event_id = 357, arrayindex(regextract(msg, "^([\w\/]+) load balance version"), 0),
event_id = 444, arrayindex(regextract(msg, "^([\w\/]+): received"), 0),
event_id = 453, arrayindex(regextract(msg, "detected on ([\w\/]+)"), 0),
event_id = 520, arrayindex(regextract(msg, "Ports ([\w\/]+):"), 0),
event_id = 592, arrayindex(regextract(msg, "Move \S+ to ([\w\/]+) denied"), 0),
event_id = 825, arrayindex(regextract(msg, "PORT-MAP (?:removed from|added to) ([\w\/]+)"), 0),
event_id = 2639, arrayindex(regextract(msg, "from ([\w\/]+) interface"), 0),
event_id = 4573, arrayindex(regextract(msg, "Invalid DHCPv6 packet \S+\.?\s*([\w\/]+)"), 0),
event_id = 4633, arrayindex(regextract(msg, "Mac-notify traps ([\w\/]+)"), 0),
event_id = 4986, arrayindex(regextract(msg, "enabled port ([\w\/]+)"), 0),
event_id = 5052, arrayindex(regextract(msg, "^Configuration conversion for \S+ ([\w\/]+)"), 0),
arrayindex(regextract(msg, "\s+[Pp]ort ([\w\/]+)"), 0)), // General fall back
src_ip = if(
event_id in (3, 3087, 5328), arrayindex(regextract(msg, "to (\S+)"), 0),
event_id in (11, 91, 97, 98, 99, 112, 236, 237, 419, 468, 469, 470, 609, 610, 611, 618, 619, 620, 621, 622, 636, 637, 639, 640, 754, 982, 983, 984, 985, 2205, 2206, 2207, 2210, 2211, 2219, 2220, 2419, 2420, 2421, 2422, 2425, 2667, 2684, 2686, 3310, 3311, 3318, 3345, 3362, 3363, 3387, 3390, 4215, 4216, 4241, 4242, 4244, 4245, 4281, 4542, 4558, 456, 4575, 4832, 4834, 4872, 4873, 5005, 5006, 5016, 5312, 5313, 5314, 5329, 5653), arrayindex(regextract(msg, "from (\S+)"), 0),
event_id in (12, 13, 3167), arrayindex(regextract(msg, "on (\S+)"), 0),
event_id in (16, 86, 748, 749, 2430, 2581, 2582, 3130, 4243, 4261, 4263, 4276, 4782, 4875, 5025, 5026, 5034, 5177, 5358), arrayindex(regextract(msg, "[Aa]ddress:? (\S+)"), 0),
event_id in (612, 2208, 5017), arrayindex(regextract(msg, "from rtr (\S+)"), 0),
event_id in (614, 623), arrayindex(regextract(msg, "flow (\S+)"), 0),
event_id in (617, 625, 626, 628, 694, 695, 696, 806, 917, 5013), arrayindex(regextract(msg, "IP (\S+)"), 0),
event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*\S+\s*\-?\s*s?\s*(\S+)"), 0),
event_id in (850, 854, 3319, 3320, 4546, 4913, 5401), arrayindex(regextract(msg, "(?:Server|server) (\S+)"), 0),
event_id in (864, 4552), arrayindex(regextract(msg, "[Rr]eading (\S+)"), 0),
event_id in (979, 4877, 4880), arrayindex(regextract(msg, "for (\S+),?"), 0),
event_id in (981, 4589), arrayindex(regextract(msg, "Access denied (\S+)\s*\-\>"), 0),
event_id in (2214, 2215, 2221, 2416, 2418, 2423, 2639, 2645, 2646, 2647), arrayindex(regextract(msg, "addr:? (\S+)"), 0),
event_id in (2530, 2668), arrayindex(regextract(msg, "Client \'?(\S+)\'?"), 0),
event_id in (4781, 4783), arrayindex(regextract(msg, "interface (\S+)\.?"), 0),
event_id in (4961, 4962, 4966), arrayindex(regextract(msg, "device (\S+)"), 0),
event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Source IPv4 \S+\:\s*(\S+)"), 0),
event_id in (5059, 5060, 5061, 5062, 5063, 5233, 5310), arrayindex(regextract(msg, "^\s*(\S+)"), 0),
event_id in (5304, 5305, 5306, 5307, 5308, 5309, 5315, 5316, 5317, 5318), arrayindex(regextract(msg, "peers\s*(\S+)"), 0),
event_id in (5402, 5403), arrayindex(regextract(msg, "is (\S+)\.?"), 0),
event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "source IP:\s*(\S+)\-?"), 0),
event_id = 5, arrayindex(regextract(msg, "^ARP:\s*(\S+)"), 0),
event_id = 17, arrayindex(regextract(msg, "mask (\S+)"), 0),
event_id = 8, arrayindex(regextract(msg, "Source:\s*(\S+)"), 0),
event_id = 805, arrayindex(regextract(msg, "block (\S+)"), 0),
event_id = 908, arrayindex(regextract(msg, "ipAddr:\s+(\S+)"), 0),
event_id = 911, arrayindex(regextract(msg, ",?\s*(\S+) port"), 0),
event_id = 2669, msg,
event_id = 4638, arrayindex(regextract(msg, "as (\S+)\.?"), 0),
event_id = 4878, arrayindex(regextract(msg, "binding (\S+)"), 0),
event_id = 5226, arrayindex(regextract(msg, "Activate (\S+)"), 0)),
tgt_ip = if(
event_id in (119, 411, 5181, 5182, 5183, 5184, 5845), arrayindex(regextract(msg, "server\s+(\S+)"), 0),
event_id in (120, 122, 413, 416), arrayindex(regextract(msg, "server at\s+(\S+)"), 0),
event_id in (747, 3340, 3341, 3342, 5226, 5649), arrayindex(regextract(msg, "to (\S+)"), 0),
event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*(\S+)"), 0),
event_id in (866, 4554), arrayindex(regextract(msg, "[Ww]riting (\S+)"), 0),
event_id in (981, 4589), arrayindex(regextract(msg, "Access denied \S+\s*\-\>(\S+)"), 0),
event_id in (3876, 5809), arrayindex(regextract(msg, "address (\S+)"), 0),
event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Destination IPv4 \S+\:\s*(\S+)"), 0),
event_id in (5311, 5405, 5408, 5419, 5421, 5422), arrayindex(regextract(msg, "[Cc]ontroller (\S+)[,\.]?"), 0),
event_id in (5404, 5406), arrayindex(regextract(msg, "Controller \S+ (\S+)\.?"), 0),
event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "destination IP:\s*(\S+)\-?"), 0),
event_id in (5685, 5686), arrayindex(regextract(msg, "\s+ip (\S+)"), 0),
event_id = 8, arrayindex(regextract(msg, "Target:\s*(\S+)"), 0),
event_id = 420, arrayindex(regextract(msg, "reach (\S+) server"), 0),
event_id = 315, arrayindex(regextract(msg, "target IP\s+(\S+)"), 0),
event_id = 317, arrayindex(regextract(msg, "Target IP address\s+(\S+)"), 0),
event_id = 630, arrayindex(regextract(msg, "group\s+(\S+)"), 0),
event_id = 631, arrayindex(regextract(msg, "to SUBSYSTEM\s+(\S+)"), 0),
event_id = 2631, arrayindex(regextract(msg, "at (\S+)\.?"), 0),
event_id = 4541, arrayindex(regextract(msg, "configure (\S+)"), 0),
event_id = 5451, arrayindex(regextract(msg, "^\s*(\S+)"), 0),
event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip (\S+)"), 0),
event_id = 5744, arrayindex(regextract(msg, "subscriber (\S+)"), 0),
event_id = 5812, arrayindex(regextract(msg, "Fqdn (\S+)"), 0)),
tgt_user = if(
event_id = 3368, arrayindex(regextract(_raw_log, "oldest user (\S+)") , 0),
event_id = 3386, arrayindex(regextract(_raw_log, "modified for user ([^\.]+)") , 0),
event_id = 4940, arrayindex(regextract(_raw_log, "^Password for user (\S+) (?:has )?expired") , 0),
event_id in (3391, 3392), arrayindex(regextract(_raw_log, "Local user (\S+) is") , 0)), // users added/removed to/from group
tgt_mac_address = if(event_id = 913, arrayindex(regextract(msg, "dest:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0)),
username = if(
event_id in(3362, 3363, 4241, 4242, 3369, 4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949, 4951, 4952, 5005, 5006, 5007, 3387, 4930, 4938, 4939, 5826), arrayindex(regextract(msg, "^User \'?([\w\\]+)\'? (?:logged|logout|from|password|has logged|is logged|has been logged|denied access)"), 0),
event_id in (186, 468, 469, 470, 640, 2667, 2710, 2714, 2715, 2716, 2717, 3310, 3311, 3318, 3340, 3341, 3342, 3343, 3344, 3345, 3440, 3444, 4244, 4245, 4248, 5553, 5555, 5765, 5825, 5827, 5828, 5829), arrayindex(regextract(msg, "^User\s*\:?\s*\'?([\w\\]+)\'?\s*\:"), 0),
event_id in (419, 5008, 639, 992, 993, 3390, 4940, 4941), arrayindex(regextract(msg, "[Uu]ser \'?([\w\\]+)\'? (?:is (?:trying|logged|added|deleted)|command|logged|has|expired)"), 0),
event_id = 4950, arrayindex(regextract(msg, "History records cleared for \'?([\w\\]+)\'? user") , 0),
event_id = 236, arrayindex(regextract(msg, "community name or user name\s*[,\:]?\s*\'?([\w\\]+)\'?"), 0),
event_id = 5815, arrayindex(regextract(msg, "^The user name \'?([\w\\]+\'?)"), 0),
event_id = 5940, arrayindex(regextract(msg, "Authentication aborted for(?: client \S+)? user \'?([\w\\]+)\'?\."), 0),
event_id = 5681, arrayindex(regextract(msg, "userName \'?([\w\\]+)\'?\-?\s*authType"), 0),
event_id = 5749, arrayindex(regextract(msg, "username \'?([\w\\]+)\'? or password"), 0),
event_id = 4831, arrayindex(regextract(msg, "limit is reached for \'?([\w\\]+)\'?\."), 0),
event_id = 2668, arrayindex(regextract(msg, "for the User \'?([\w\\]+)\'?\."), 0),
event_id = 5409, arrayindex(regextract(msg, "for user (\S+):") , 0)),
user_role = if(
event_id in (5204, 5205, 5206, 5207, 5208, 5209, 5210, 5211, 5212, 5213, 5411, 5412, 5619, 5563, 5717, 5722, 5724, 5725, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "user[\s\-]+role \'?(.+?)\'? (?:to|has|with|is|\.)"), 0),
event_id in (3391, 3392, 3393, 3394), arrayindex(regextract(msg, "group \'?(.+?)\'?\s*\."), 0),
event_id in (5620, 5621), arrayindex(regextract(msg, "^\'?(.+?)\'? client"), 0),
event_id in (5715, 5716), arrayindex(regextract(msg, "^Initial role \'?(.+?)\'? is"), 0)),
vlan_id = if(
event_id in (1,2), arrayindex(regextract(msg, "^(\d+) virtual LAN"), 0),
event_id = 316, arrayindex(regextract(msg, "^VLAN ID out of range \(?(\d+)"), 0),
event_id = 964, arrayindex(regextract(msg, "^Failed to allocate memory for (\d+)"), 0),
event_id = 3815, arrayindex(regextract(msg, "^(\d+) \S+ Port \S+ moved"), 0),
event_id = 3824, arrayindex(regextract(msg, "^GVRP could not create (\d+) because"), 0),
event_id = 3826, arrayindex(regextract(msg, "^GVRP could not add port \S+ to (\d+)"), 0),
event_id = 3828, arrayindex(regextract(msg, "^Port \S+ unblocked on (\d+)"), 0),
event_id = 4588, arrayindex(regextract(msg, "^Unable to add binding for (\d+)"), 0),
arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)) // default fallback
| alter // Post Extraction Processing
formatted_mac_address = arraystring(regextract(mac_address, "[\da-fA-F]{2}"), ":"),
formatted_tgt_mac_address = arraystring(regextract(tgt_mac_address , "[\da-fA-F]{2}"), ":"),
gw_ipv4 = arrayindex(regextract(gateway_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
gw_ipv6 = arrayindex(regextract(gateway_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
src_ipv4 = arrayindex(regextract(src_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
src_ipv6 = arrayindex(regextract(src_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
tgt_ipv4 = arrayindex(regextract(tgt_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0),
tgt_ipv6 = arrayindex(regextract(tgt_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
tgt_user_domain = arrayindex(regextract(tgt_user, "(.+)\\.+"), 0),
user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM Mappings
xdm.alert.severity = severity,
xdm.auth.auth_method = access_mode,
xdm.event.description = msg,
xdm.event.id = to_string(event_id),
xdm.event.is_completed = if(
event_id in (91, 375, 666, 734, 2552, 2568, 2802, 3318, 3802, 4762), to_boolean("FALSE"),
event_id in (93, 94, 131, 150, 202, 376, 667, 735, 796, 2553, 2558, 2569, 2803, 3310, 3803, 4050, 4066, 4185, 4215, 4763, 5024, 5033, 5034, 4612), to_boolean("TRUE")),
xdm.event.log_level = if(
severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY,
severity = "1", XDM_CONST.LOG_LEVEL_ALERT ,
severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL,
severity = "3", XDM_CONST.LOG_LEVEL_ERROR,
severity = "4", XDM_CONST.LOG_LEVEL_WARNING,
severity = "5", XDM_CONST.LOG_LEVEL_NOTICE,
severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL,
severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
xdm.event.outcome = if(
msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.outcome_reason = outcome_reason,
xdm.event.type = facility,
xdm.intermediate.host.hostname = gateway_name,
xdm.intermediate.ipv4 = device_ip,
xdm.intermediate.ipv6 = gw_ipv6,
xdm.intermediate.host.ipv4_addresses = arraycreate(device_ip, gw_ipv4),
xdm.intermediate.host.ipv6_addresses = arraycreate(gw_ipv6),
xdm.network.dhcp.siaddr = dhcp_server_ip,
xdm.network.rule = policy_name,
xdm.observer.type = facility,
xdm.observer.unique_identifier = device_ip,
xdm.source.host.mac_addresses = if(formatted_mac_address != null, arraycreate(formatted_mac_address)),
xdm.source.ipv4 = src_ipv4,
xdm.source.ipv6 = src_ipv6,
xdm.source.subnet = ip_mask,
xdm.source.user.domain = user_domain,
xdm.source.user.groups = if(user_role != null, arraycreate(user_role)),
xdm.source.user.username = username,
xdm.source.vlan = to_integer(vlan_id),
xdm.target.host.mac_addresses = if(formatted_tgt_mac_address != null, arraycreate(formatted_tgt_mac_address)),
xdm.target.process.command_line = cmd,
xdm.target.interface = to_string(interface_port_id),
xdm.target.ipv4 = tgt_ipv4,
xdm.target.ipv6 = tgt_ipv6,
xdm.target.user.domain = tgt_user_domain,
xdm.target.user.username = tgt_user;
/* -----------------------------------------------------------
Event Log Alternative Format:
seq no:timestamp: %facility-severity-MNEMONIC:description
----------------------------------------------------------*/
filter _raw_log ~= "%\S+\-\d\-\S+:"
| alter // Extract the common message parts
sequence_number = arrayindex(regextract(_raw_log, "^\<\d+\>(\d+):") , 0),
facility = arrayindex(regextract(_raw_log, "%(.+?)\-\d+\-\S+?:") , 0),
severity = arrayindex(regextract(_raw_log, "%.+?\-(\d+)\-\S+?:") , 0),
event_name_mnemonic = arrayindex(regextract(_raw_log, "%.+?\-\d+\-(\S+?):") , 0),
msg = arrayindex(regextract(_raw_log, "\s+\S+?:\s+(.+)") , 0)
| alter // extract dynamic fields from the syslog message description
client_mac_address = coalesce(
arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0)),
device_hostname = arrayindex(regextract(_raw_log ,"\<\d+\>\d+\:\s([\w+\-\_]+)\:\s\d+\:"), 0),
device_product_id = arrayindex(regextract(msg ,"\[PID\:([^\,]+)\,"), 0),
device_serial_number = arrayindex(regextract(msg , ",SN\:([\w\-]+)"), 0),
interface_port_id = coalesce(
arrayindex(regextract(msg ,"Interface\s([^\/]+\/\d+\/*\d*)"), 0),
arrayindex(regextract(msg ,"interface\sname\s([^\/]+\/\d+\/\d+)"), 0),
arrayindex(regextract(msg , "Interface\s([\w\-]+)"), 0),
arrayindex(regextract(msg , "on interface\s+(\S+)\s+by"), 0),
arrayindex(regextract(msg , "(?:on|port|Unblocking|Blocking)\s+(\w+\/\w+\/\w+)"), 0),
arrayindex(regextract(msg , "^(\w+\/\w+\/\w+):"), 0)),
outcome_reason = coalesce(
arrayindex(regextract(msg, "\sreason:\s*(.+?)\."), 0),
arrayindex(regextract(msg, "with reason\s*\(([^\)]+)\)"), 0),
arrayindex(regextract(msg, "\[Reason:\s*([^\]]+)\]"), 0)),
process_name = coalesce(
arrayindex(regextract(msg ,"by\sprocess\s(.+?)\s+(?:Process|Policy\smanager)"), 0),
arrayindex(regextract(msg ,"process\s*\=\s*([^\.]+)\."), 0)),
server_ipv4 = arrayindex(regextract(msg, "[Ss]erver(?:\s+not\s+found)?(?:\s+at)?\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
server_name = arrayindex(regextract(msg, "Server\s+([\w\-]+)\s+is"), 0),
session_id = coalesce(
arrayindex(regextract(msg, "AuditSessionID (\w+)"), 0),
arrayindex(regextract(msg, "session (\w+)\("), 0)),
source_ipv4 = coalesce(
arrayindex(regextract(msg , "from\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg , "from\s+host\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg , "list\s\d+\spermitted\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg ,"\[Source\:\s((?:\d{1,3}\.){3}\d{1,3})\]"), 0),
arrayindex(regextract(msg ,"session\s\d+\(((?:\d{1,3}\.){3}\d{1,3})\)"), 0),
arrayindex(regextract(msg ,"connection\sfrom\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
arrayindex(regextract(msg ,"address\s((?:\d{1,3}\.){3}\d{1,3})\son"), 0),
arrayindex(regextract(msg ,"neighbor\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg , "on\s+\w+\s*\(((?:\d{1,3}\.){3}\d{1,3})"), 0),
arrayindex(regextract(msg ,"\(((?:\d{1,3}\.){3}\d{1,3})\)\)\,\suser"), 0)),
target_ipv4 = arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
target_port = coalesce(
arrayindex(regextract(msg ,"\[localport\:\s(\d+)\]"), 0),
arrayindex(regextract(msg ,"to\shost\s\d+\.\d+\.\d+\.\d+\sport\s(\d+)"), 0)),
username = coalesce(
arrayindex(regextract(msg ,"user\s+name\s*:\s*([\w\-]+)"), 0),
arrayindex(regextract(msg ,"User\s+\'([^\']+)\'\s+\w+"), 0),
arrayindex(regextract(msg ,"User\s+(\S+)\s+has"), 0),
arrayindex(regextract(msg ,"\[user\:\s([^\]]+)\]"), 0),
arrayindex(regextract(msg ,"\:\sUser\s(\S+)\s"), 0),
arrayindex(regextract(msg ,"Username:\s*()"), 0),
arrayindex(regextract(msg ,"by\s+(\S+)\s+on\s+"), 0),
arrayindex(regextract(msg ,"\(\d+\.\d+\.\d+\.\d+\)\)\,\suser\s(\S+)"), 0)),
vlan = arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)
| alter // post-extraction formatting
client_mac_formatted = arraystring(regextract(client_mac_address, "[\da-fA-F]{2}"), ":"),
sequence_number = replex(sequence_number, "^0+", ""),
user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM mappings
xdm.alert.severity = severity,
xdm.event.description = msg,
xdm.event.log_level = if(
severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY,
severity = "1", XDM_CONST.LOG_LEVEL_ALERT ,
severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL,
severity = "3", XDM_CONST.LOG_LEVEL_ERROR,
severity = "4", XDM_CONST.LOG_LEVEL_WARNING,
severity = "5", XDM_CONST.LOG_LEVEL_NOTICE,
severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL,
severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
xdm.event.outcome = if(
msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
event_name_mnemonic ~= "SUCCESS" or msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.outcome_reason = outcome_reason,
xdm.event.type = if( // rename vague event names to a meaningful name if necessary
event_name_mnemonic = "FAIL" and msg ~= "(?i)Authorization failed", "AUTHORIZATION_FAILED",
event_name_mnemonic = "FAIL" and msg ~= "(?i)Authentication failed", "AUTHENTICATION_FAILED",
event_name_mnemonic),
xdm.network.session_id = sequence_number,
xdm.observer.name = device_hostname,
xdm.observer.type = facility,
xdm.observer.unique_identifier = coalesce(device_serial_number, device_hostname),
xdm.session_context_id = session_id,
xdm.source.host.device_id = coalesce(device_serial_number, device_hostname),
xdm.source.host.device_model = device_product_id,
xdm.source.host.hardware_uuid = device_serial_number,
xdm.source.host.mac_addresses = if(client_mac_formatted != null, arraycreate(client_mac_formatted)),
xdm.source.ipv4 = source_ipv4,
xdm.source.process.name = process_name,
xdm.source.user.domain = user_domain,
xdm.source.user.username = username,
xdm.source.vlan = to_integer(vlan),
xdm.target.host.hostname = server_name,
xdm.target.interface = interface_port_id,
xdm.target.ipv4 = coalesce(server_ipv4, target_ipv4),
xdm.target.port = to_integer(target_port);
/* -----------------------------------------------------------------------------------------------------------------------
HPE Aruba CX Series (AOS-CX) Event Log Format - RFC 5424 syslog with an "Event|<id>|<level>|<module>|<sub>|<message>" payload.
Event Log Reference: https://arubanetworking.hpe.com/techdocs/AOS-CX/10.16/HTML/elmrg/Content/fir-int.htm
Example: <PRI>1 <ISO-8601-timestamp> <hostname> <daemon> <procid> - - Event|<id>|<LOG_LEVEL>|<module>|<sub>|<message>
Separated from the AOS-S (29xx) logs by the ISO-8601 timestamp date format.
----------------------------------------------------------------------------------------------------------------------*/
filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(?:Z|[\+\-]\d{2}:\d{2})"
| alter // Extract the RFC 5424 header fields
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>"), 0)),
syslog_version = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>(\d+)\s"), 0),
device_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+Event\|"), 0),
application = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+Event\|"), 0),
process_id = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+Event\|"), 0)
| alter // Extract the AOS-CX "Event|..." payload fields
event_id = to_integer(arrayindex(regextract(_raw_log, "Event\|(\d+)\|"), 0)),
log_level = arrayindex(regextract(_raw_log, "Event\|\d+\|(LOG_[A-Z]+)\|"), 0),
module = arrayindex(regextract(_raw_log, "Event\|\d+\|LOG_[A-Z]+\|([^\|]*)\|"), 0),
msg = arrayindex(regextract(_raw_log, "Event\|\d+\|LOG_[A-Z]+\|[^\|]*\|[^\|]*\|(.*)$"), 0)
| alter // Map the AOS-CX event-id "hundreds" prefix to its functional category
event_cat_num = to_integer(floor(divide(event_id, 100))),
event_categories = arraycreate("UNKNOWN", "LLDP", "FAN", "POWER", "INTERFACE", "LED", "PORT", "SYSTEM", "TEMPERATURE", "LOOPBACK", "sFLOW", "NTP", "SUPORTABILITY", "LACP", "LAG", "CoPP", "VLAN-INTERFACE", "L3-INTERFACE", "ECMP", "DHCP", "MSRP", "VLAN", "REDUNDANT-MGMT", "AAA", "OSPFv2", "UNKNOWN", "MGMD", "REPLD", "LOOP-PROTECT", "BGP", "HW-HEALTH-MONITOR", "MVRP", "MODULE", "DHCPv6", "DHCP-RELAY", "IRDP", "UDPFWD", "VRRP", "XCVR", "IPv6-RA", "MTM", "UDLD", "UNKNOWN", "MGMT", "UPDATE", "SELFTEST", "REST", "USER-MGMT", "MAC-MGMT", "OSPFv3", "RPVST", "PIM", "SSH-SERVER", "SFTP-CLIENT", "VRF-MGR", "NAE-POLICYD", "HTTPS-SERVER", "QOS", "QOS-ASIC", "PASSWD-RESET", "NAE-TSDBD", "NDM", "TIME-MGMT", "SYSMON", "VRF", "CRED-MGR", "PORT-STATISTICS", "MIRRORING", "CONFIG-MGMT", "NAE-AGENTS", "VSC", "SNMP", "UNKNOWN", "BFD", "IP-SLA", "CPU-RX", "VSX-SYNC", "CERT-MGMT", "EXTERNAL-STORAGE", "POE", "BLUETOOTH-MGMT", "VXLAN", "UNKNOWN", "UNKNOWN", "ND-SNOOPING", "ERPS", "MSDP", "ZTPD", "HSC-SYNCD", "CDP", "SSH-CLIENT", "INTERNAL-STORAGE", "DCBX", "PORT-ROLE", "PORT-SECURITY", "EVPN", "IP-TUNNEL", "USER-BASED-TUNNEL", "IP-SRC-LKDN", "VSF", "ACL", "POLICY", "TCAM", "RBAC", "ARP-SECURITY", "PORT-ACCESS", "L3-ENCAP", "UNKNOWN", "L3-ASIC-RESOURCE", "DPSE", "MAC-ADDR-CONFIG", "FAULT-MONITOR", "MACSEC", "SMARTLINK", "MDNS", "L3-RESMGR", "ETH-OAM-CFM", "ALARM", "CONTAINER", "DNS-CLIENT", "UFD", "PTP", "SCHEDULE", "DOT1X-SUPPLICANT", "DFP", "VXLAN-AGENT", "PORT-ACCESS-GBP", "NAE-SCRIPT-GEN", "UNKNOWN", "TELNET-SERVER", "CONSOLE", "ACCOUNTING", "HOT-PATCH", "MPLS", "CONFIG-VALIDATOR", "ISSU", "TPMD", "SCHEDULEHW-HEALTH-MONITOR", "DIST-SERV", "TRAFFIC-INSIGHT", "ARC", "INTERFACE-DIAGNOSTIC", "CLIENT-INSIGHT", "FEATURE-PACK", "DOWNLOAD", "CENTRAL-SOURCE", "PORT-ACC-ABP", "IPSEC", "LAUNCHD", "CX-LMS", "IPFM", "PACKET-CAPTURE", "PIM-BIDI", "IPFIX", "MSRP", "UNKNOWN", "FQTSS", "INJECTED-VIEWS", "MULTICAST", "SELFTEST-MONITOR", "QTP", "SYNCHE", "MOD", "IFA", "FIB")
| alter
event_category = to_string(arrayindex(event_categories, event_cat_num))
| alter // Extract dynamic entities from the free-text message body
username = coalesce(
arrayindex(regextract(msg, "User:\s*([\w\\\-]+)"), 0),
arrayindex(regextract(msg, "[Uu]ser\s+([\w\\\-]+)\s+(?:logged|logout)"), 0),
arrayindex(regextract(msg, "(?:succeeded|failed)\s+for\s+user\s+([\w\\\-]+)"), 0),
arrayindex(regextract(msg, "User\s+\'([^\']+)\'"), 0)),
login_src_host = coalesce(
arrayindex(regextract(msg, "logged in from\s+([\w\.\-]+)"), 0),
arrayindex(regextract(msg, "logged out of REST session from\s+([\w\.\-]+)"), 0)),
central_host = arrayindex(regextract(msg, "on location\s+([\w\.\-]+)"), 0),
src_ipv4 = arrayindex(regextract(msg, "from\s+(?:device\s+)?((?:\d{1,3}\.){3}\d{1,3})"), 0),
vrf_name = arrayindex(regextract(msg, "on VRF\s+(\S+)"), 0),
session_id = arrayindex(regextract(msg, "in session\s+(\S+)"), 0),
subscriber = coalesce(
arrayindex(regextract(msg, "(?:added|removed)\s+subscriber:\s*(\S+?)\.?$"), 0),
arrayindex(regextract(msg, "subscriber:\s*(\S+?)\.?$"), 0))
| alter // post-extraction formatting
syslog_version = replex(syslog_version, "^0+", ""),
user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM mappings
xdm.event.id = to_string(event_id),
xdm.event.description = msg,
xdm.event.log_level = if(
log_level = "LOG_EMERG", XDM_CONST.LOG_LEVEL_EMERGENCY,
log_level = "LOG_ALERT", XDM_CONST.LOG_LEVEL_CRITICAL,
log_level = "LOG_CRIT", XDM_CONST.LOG_LEVEL_CRITICAL,
log_level = "LOG_ERR", XDM_CONST.LOG_LEVEL_ERROR,
log_level = "LOG_WARNING", XDM_CONST.LOG_LEVEL_WARNING,
log_level = "LOG_NOTICE", XDM_CONST.LOG_LEVEL_NOTICE,
log_level = "LOG_INFO", XDM_CONST.LOG_LEVEL_INFORMATIONAL,
log_level = "LOG_DEBUG", XDM_CONST.LOG_LEVEL_DEBUG),
xdm.event.outcome = if(
msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
msg ~= "(?i)SUCCESS|SUCCEEDED|logged in|logged out|has been closed|established", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.type = event_category,
xdm.network.session_id = session_id,
xdm.observer.type = "Network Switch",
xdm.observer.unique_identifier = device_hostname,
xdm.source.host.hostname = login_src_host,
xdm.source.ipv4 = src_ipv4,
xdm.source.process.name = application,
xdm.source.process.pid = to_integer(process_id),
xdm.source.user.domain = user_domain,
xdm.source.user.username = username,
xdm.target.host.hostname = central_host,
xdm.target.user.username = subscriber;