HPE Switch Modeling Rule

Modeling Rule

HPE Switch

Details

IDHPE_Switch_ModelingRule
From Version8.5.0

Rules (XIF)

[MODEL: dataset=hpe_switch_raw]
/* -------------------------------------------------------------------------------------------------------------------
    Event Log Reference:  
    https://www.arubanetworks.com/techdocs/AOS-Switch/16.10/Aruba%20Event%20Log%20Message%20Reference%20Guide%20for%20AOS-S%20Switch%2016.10.pdf 
   ------------------------------------------------------------------------------------------------------------------*/
filter _raw_log !~= "%\S+\-\d\-\S+:" and _raw_log !~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(?:Z|[\+\-]\d{2}:\d{2})" // exclude AOS-CX (ISO-8601 timestamped) logs handled in the dedicated block below
| alter // Extract the common message parts 
    device_ip = arrayindex(regextract(_raw_log, "^.+?((?:\d{1,3}\.){3}\d{1,3})(?:\s+\d+)? \S+?: "), 0),
    event_id = to_integer(ltrim(arrayindex(regextract(_raw_log, "\s+(\d+)\s+\S+?:\s+") , 0), "0")),
    facility = uppercase(arrayindex(regextract(_raw_log, "\s+(\S+?):\s+") , 0)),
    msg = arrayindex(regextract(_raw_log, "\s+\S+?:\s+(.+)") , 0),
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>") , 0))
| alter severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))

| alter // Extract the varying dynamic fields from the message payload 
    access_mode = if( 
        event_id in (2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3216, 3217, 3218, 3356, 3357), arrayindex(regextract(msg, "^(\S+) client"), 0),
        event_id in (3351, 3352, 3353, 3354, 3355), arrayindex(regextract(msg, "^(\S+)\s*\:"), 0), 
        event_id in (3211, 3212, 3213), arrayindex(regextract(msg, "received on port \S+ for (\S+) client"), 0),
        event_id = 3350, arrayindex(regextract(msg, "^(\S+) unable to permit client"), 0),
        event_id in (5212, 5213, 5722, 5724, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "to (\S+) client"), 0)),
    cmd = if(
        event_id in (992, 993), arrayindex(regextract(msg, "command (.+)\."), 0),
        event_id in (3393, 3394), arrayindex(regextract(msg, "[Cc]ommand (.+) is"), 0)),
    dhcp_server_ip = if(event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip ((?:\d{1,3}\.){3}\d{1,3})"), 0)),
    gateway_ip = if(event_id = 5451, arrayindex(regextract(msg, "vlan \S+ \(?(\S+)\)?"), 0)), 
    gateway_name = if(event_id in (5595, 5596, 5597, 5598, 5599, 5600), arrayindex(regextract(msg, "gateway (\S+)"), 0)), 
    ip_mask = if(
        event_id = 17, arrayindex(regextract(msg, "mask ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
        event_id in (25, 26),  arrayindex(regextract(msg, "address ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
        event_id = 753, arrayindex(regextract(msg, "failure\:\s*((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0)),
    mac_address = if(
        event_id = 5, arrayindex(regextract(msg, "at ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (20, 21, 288, 334, 5681, 5682, 5683, 5684, 5731), arrayindex(regextract(msg, "(?:mac|MAC)[\s\-]+(?:address|ADDRESS) ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (845, 952, 958, 959, 960, 961, 2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3273, 3274, 3281, 3283,  3350, 3356, 3357, 3822, 4987), arrayindex(regextract(msg, "(?:mac|MAC)\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 2581, arrayindex(regextract(msg, "MAC address of ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (354, 858), arrayindex(regextract(msg, "address ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 348, arrayindex(regextract(msg, "error:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 352, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) moved from"), 0),
        event_id = 353, arrayindex(regextract(msg, "Received Update Packet from ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 355, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) MISMATCH"), 0),
        event_id = 451, arrayindex(regextract(msg, "Upgrade ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 452, arrayindex(regextract(msg, "config with ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (453, 3282), arrayindex(regextract(msg, "switch ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (592, 594), arrayindex(regextract(msg, "\S+\s*:\s*(?:Move )?((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (613, 2209), arrayindex(regextract(msg, "MAC add for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5212, 5213, 5411, 5722, 5724), arrayindex(regextract(msg, "to ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (839, 3816), arrayindex(regextract(msg, "from \S+\s*:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (870, 2690, 4548, 4556, 4565), arrayindex(regextract(msg, "from\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 915, arrayindex(regextract(msg, "source:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (979, 4588, 4880), arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) on port"), 0),
        event_id = 2431, arrayindex(regextract(msg, "multicast ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 714, 716, 718, 719, 720, 721, 722, 856, 2539, 2540, 2541, 3211, 3212, 3213, 3214, 3215, 3216, 3217, 3218, 3351, 3352, 3355, 3358, 4575, 5563, 5619, 5620, 5621, 5723, 5726, 5743, 5744, 5747, 5748, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5906, 5907, 5940, 5941), arrayindex(regextract(msg, "(?:client|Client):?\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (2720, 3354, 4590, 5385), arrayindex(regextract(msg, "for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 3280, arrayindex(regextract(msg, "Member ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (4572, 4573, 4874), arrayindex(regextract(msg, "packet ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 4980, arrayindex(regextract(msg, "got ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5120, 5121, 5143, 5144, 5145, 5146), arrayindex(regextract(msg, "device ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5122, 5123), arrayindex(regextract(msg, "Aruba AP ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5406, 5407), arrayindex(regextract(msg, "user ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        coalesce( // default fallback 
            arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
            arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
            arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0))),
    outcome_reason = if(
        event_id in (5076, 5230, 5240, 5244, 5246, 5261), rtrim(arrayindex(regextract(msg, "[Ee]rror:?\s*(?:\=?\s*)?(.+)"), 0), "."),
        event_id in (2204, 5254), arrayindex(regextract(msg, "error:?\s*(?:\=?\s*)?(.+) (?:occurred|on)"), 0),
        event_id = 5682, arrayindex(regextract(msg, "reason (.+)\-\s*server"), 0),
        event_id = 5222, arrayindex(regextract(msg, "server:\s*(.+)"), 0),
        event_id in (5236, 5239, 5243, 5247, 5248, 5249, 5250, 5251, 5233, 5234), arrayindex(regextract(msg, "with error (?:\=\s*)(.+)"), 0),
        event_id in (5241, 5242), arrayindex(regextract(msg, "string is (.+)"), 0),
        event_id in (132, 134, 4187, 4188), arrayindex(regextract(msg, "msg:? (.+)"), 0),
        event_id = 542, arrayindex(regextract(msg, "Skipped:\s*(.+)"), 0),
        event_id in (2614, 2218), arrayindex(regextract(msg, "failed:\s*(.+)"), 0),
        event_id = 609, arrayindex(regextract(msg, "from \S+ \(?(.+?)\)?\s*\-"), 0),
        event_id = 2419, arrayindex(regextract(msg, "Received (.+) packet"), 0),
        event_id in (5081, 5619), arrayindex(regextract(msg, " as (\.+)\."), 0),
        event_id in (5602, 5604, 5606, 5623, 5867, 5869), arrayindex(regextract(msg, "because of (.+)\."), 0),
        event_id = 158, arrayindex(regextract(msg, "line \S+\s*(.+)"), 0),
        event_id in (686, 687, 3032, 3033, 3841, 3842, 3843), msg,
        event_id in (3380, 3381), arrayindex(regextract(msg, "ERR:\s*(.+)"), 0),
        event_id in (648, 2007, 2413, 3370), arrayindex(regextract(msg, "failed:?\s*(.+)"), 0),
        event_id = 4252, arrayindex(regextract(msg, "start:\s*(.+)"), 0),
        event_id = 3258, arrayindex(regextract(msg, "failed due to \s*(.+)"), 0),
        event_id = 655, arrayindex(regextract(msg, "VLAN\.\s*(.+)"), 0),
        event_id = 669, arrayindex(regextract(msg, "caution (.+)"), 0),
        event_id = 5620, arrayindex(regextract(msg, "role (.+)"), 0),
        event_id in (3152, 3278, 3279, 4872, 5407, 5408), arrayindex(regextract(msg, "[Rr]eason:?\s*(.+)"), 0),
        event_id = 63, arrayindex(regextract(msg, "down:\s*(.+)"), 0),
        event_id = 273, arrayindex(regextract(msg, "\S+\s*\-\s*(.+)"), 0),
        event_id = 4892, arrayindex(regextract(msg, "Got (.+)\."), 0),
        event_id = 3006, arrayindex(regextract(msg, "reboot: (.+)"), 0),
        event_id in (4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949), arrayindex(regextract(msg, "failed\s*;\s*(.+)"), 0)),
    policy_name = if(
        event_id = 5816, arrayindex(regextract(msg, "list \'(.+?)\'"), 0),
        event_id = 5817, arrayindex(regextract(msg, "class \'(.+?)\'"), 0),
        event_id in (2655, 2659, 2661),  arrayindex(regextract(msg, "apply \'(.+?)\'"), 0),
        event_id in (2637, 2638, 2652, 2653, 2654, 2656, 3025, 5215, 5745, 5746), arrayindex(regextract(msg, "[Pp]olicy (?:is\s+)?\'(.+?)\'"), 0)),
    interface_port_id = if(
        event_id in (76, 77, 324, 725, 826, 827, 828, 840, 841, 844, 848, 849, 884, 885, 886, 887, 888, 889, 927, 972, 975, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4584, 4593, 4646, 4647, 5161, 5162, 5834), arrayindex(regextract(msg, "^[Pp]ort ([\w\/]+)"), 0),
        event_id in (725, 826, 827, 848, 849, 885, 927, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4646, 4647, 5161, 5162), arrayindex(regextract(msg, "^Port ([\w\/]+) (?:with|released|changed|inhibited|blocked|unblocked|disabled|has|is|\-)"), 0), 
        event_id in (346, 347, 348, 350, 351, 353, 356, 447), arrayindex(regextract(msg, "^([\w\/]+)\s*[\-]+\s*(?:ACK|Received|detected|initialized|established|not established)"), 0), // 
        event_id in (822, 823), arrayindex(regextract(msg, "^(?:Created|Deleted) ([\w\/]+)"), 0), 
        event_id in (883, 3381, 3815), arrayindex(regextract(msg, "Port ([\w\/]+) (?:has|communications|moved)"), 0), 
        event_id in (2640, 2641, 2642, 2643, 2644), arrayindex(regextract(msg, "src I\/F ([\w\/]+) (?:is|has)"), 0), 
        event_id in (4667, 4670), arrayindex(regextract(msg, "on Interface ([\w\/]+)"), 0), 
        event_id = 357, arrayindex(regextract(msg, "^([\w\/]+) load balance version"), 0), 
        event_id = 444, arrayindex(regextract(msg, "^([\w\/]+): received"), 0), 
        event_id = 453, arrayindex(regextract(msg, "detected on ([\w\/]+)"), 0),
        event_id = 520, arrayindex(regextract(msg, "Ports ([\w\/]+):"), 0), 
        event_id = 592, arrayindex(regextract(msg, "Move \S+ to ([\w\/]+) denied"), 0), 
        event_id = 825, arrayindex(regextract(msg, "PORT-MAP (?:removed from|added to) ([\w\/]+)"), 0), 
        event_id = 2639, arrayindex(regextract(msg, "from ([\w\/]+) interface"), 0), 
        event_id = 4573, arrayindex(regextract(msg, "Invalid DHCPv6 packet \S+\.?\s*([\w\/]+)"), 0), 
        event_id = 4633, arrayindex(regextract(msg, "Mac-notify traps ([\w\/]+)"), 0), 
        event_id = 4986, arrayindex(regextract(msg, "enabled port ([\w\/]+)"), 0), 
        event_id = 5052, arrayindex(regextract(msg, "^Configuration conversion for \S+ ([\w\/]+)"), 0), 
        arrayindex(regextract(msg, "\s+[Pp]ort ([\w\/]+)"), 0)), // General fall back
    src_ip = if( 
        event_id in (3, 3087, 5328), arrayindex(regextract(msg, "to (\S+)"), 0),
        event_id in (11, 91, 97, 98, 99, 112, 236, 237, 419, 468, 469, 470, 609, 610, 611, 618, 619, 620, 621, 622, 636, 637, 639, 640, 754, 982, 983, 984, 985, 2205, 2206, 2207, 2210, 2211, 2219, 2220, 2419, 2420, 2421, 2422, 2425, 2667, 2684, 2686, 3310, 3311, 3318, 3345, 3362, 3363, 3387, 3390, 4215, 4216, 4241, 4242, 4244, 4245, 4281, 4542, 4558, 456, 4575, 4832, 4834, 4872, 4873, 5005, 5006, 5016, 5312, 5313, 5314, 5329, 5653), arrayindex(regextract(msg, "from (\S+)"), 0),
        event_id in (12, 13, 3167), arrayindex(regextract(msg, "on (\S+)"), 0),
        event_id in (16, 86, 748, 749, 2430, 2581, 2582, 3130, 4243, 4261, 4263, 4276, 4782, 4875, 5025, 5026, 5034, 5177, 5358), arrayindex(regextract(msg, "[Aa]ddress:? (\S+)"), 0),
        event_id in (612, 2208, 5017), arrayindex(regextract(msg, "from rtr (\S+)"), 0),
        event_id in (614, 623), arrayindex(regextract(msg, "flow (\S+)"), 0),
        event_id in (617, 625, 626, 628, 694, 695, 696, 806, 917, 5013), arrayindex(regextract(msg, "IP (\S+)"), 0),
        event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*\S+\s*\-?\s*s?\s*(\S+)"), 0),
        event_id in (850, 854, 3319, 3320, 4546, 4913, 5401), arrayindex(regextract(msg, "(?:Server|server) (\S+)"), 0),
        event_id in (864, 4552), arrayindex(regextract(msg, "[Rr]eading (\S+)"), 0),
        event_id in (979, 4877, 4880), arrayindex(regextract(msg, "for (\S+),?"), 0),
        event_id in (981, 4589), arrayindex(regextract(msg, "Access denied (\S+)\s*\-\>"), 0),
        event_id in (2214, 2215, 2221, 2416, 2418, 2423, 2639, 2645, 2646, 2647), arrayindex(regextract(msg, "addr:? (\S+)"), 0),
        event_id in (2530, 2668), arrayindex(regextract(msg, "Client \'?(\S+)\'?"), 0),
        event_id in (4781, 4783), arrayindex(regextract(msg, "interface (\S+)\.?"), 0),
        event_id in (4961, 4962, 4966), arrayindex(regextract(msg, "device (\S+)"), 0),
        event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Source IPv4 \S+\:\s*(\S+)"), 0),
        event_id in (5059, 5060, 5061, 5062, 5063, 5233, 5310), arrayindex(regextract(msg, "^\s*(\S+)"), 0),
        event_id in (5304, 5305, 5306, 5307, 5308, 5309, 5315, 5316, 5317, 5318), arrayindex(regextract(msg, "peers\s*(\S+)"), 0),
        event_id in (5402, 5403), arrayindex(regextract(msg, "is (\S+)\.?"), 0),
        event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "source IP:\s*(\S+)\-?"), 0),
        event_id = 5, arrayindex(regextract(msg, "^ARP:\s*(\S+)"), 0), 
        event_id = 17, arrayindex(regextract(msg, "mask (\S+)"), 0),
        event_id = 8, arrayindex(regextract(msg, "Source:\s*(\S+)"), 0),
        event_id = 805, arrayindex(regextract(msg, "block (\S+)"), 0),
        event_id = 908, arrayindex(regextract(msg, "ipAddr:\s+(\S+)"), 0),
        event_id = 911, arrayindex(regextract(msg, ",?\s*(\S+) port"), 0),
        event_id = 2669, msg, 
        event_id = 4638, arrayindex(regextract(msg, "as (\S+)\.?"), 0),
        event_id = 4878, arrayindex(regextract(msg, "binding (\S+)"), 0),
        event_id = 5226, arrayindex(regextract(msg, "Activate (\S+)"), 0)),
    tgt_ip = if( 
        event_id in (119, 411, 5181, 5182, 5183, 5184, 5845), arrayindex(regextract(msg, "server\s+(\S+)"), 0),
        event_id in (120, 122, 413, 416), arrayindex(regextract(msg, "server at\s+(\S+)"), 0),
        event_id in (747, 3340, 3341, 3342, 5226, 5649), arrayindex(regextract(msg, "to (\S+)"), 0),
        event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*(\S+)"), 0),
        event_id in (866, 4554), arrayindex(regextract(msg, "[Ww]riting (\S+)"), 0),
        event_id in (981, 4589), arrayindex(regextract(msg, "Access denied \S+\s*\-\>(\S+)"), 0),
        event_id in (3876, 5809), arrayindex(regextract(msg, "address (\S+)"), 0),
        event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Destination IPv4 \S+\:\s*(\S+)"), 0),
        event_id in (5311, 5405, 5408, 5419, 5421, 5422), arrayindex(regextract(msg, "[Cc]ontroller (\S+)[,\.]?"), 0),
        event_id in (5404, 5406), arrayindex(regextract(msg, "Controller \S+ (\S+)\.?"), 0),
        event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "destination IP:\s*(\S+)\-?"), 0),
        event_id in (5685, 5686), arrayindex(regextract(msg, "\s+ip (\S+)"), 0),
        event_id = 8, arrayindex(regextract(msg, "Target:\s*(\S+)"), 0),
        event_id = 420, arrayindex(regextract(msg, "reach (\S+) server"), 0),
        event_id = 315, arrayindex(regextract(msg, "target IP\s+(\S+)"), 0),
        event_id = 317, arrayindex(regextract(msg, "Target IP address\s+(\S+)"), 0),
        event_id = 630, arrayindex(regextract(msg, "group\s+(\S+)"), 0),
        event_id = 631, arrayindex(regextract(msg, "to SUBSYSTEM\s+(\S+)"), 0),
        event_id = 2631, arrayindex(regextract(msg, "at (\S+)\.?"), 0),
        event_id = 4541, arrayindex(regextract(msg, "configure (\S+)"), 0),
        event_id = 5451,  arrayindex(regextract(msg, "^\s*(\S+)"), 0),
        event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip (\S+)"), 0),
        event_id = 5744, arrayindex(regextract(msg, "subscriber (\S+)"), 0),
        event_id = 5812, arrayindex(regextract(msg, "Fqdn (\S+)"), 0)),
    tgt_user = if(
        event_id = 3368, arrayindex(regextract(_raw_log, "oldest user (\S+)") , 0), 
        event_id = 3386, arrayindex(regextract(_raw_log, "modified for user ([^\.]+)") , 0), 
        event_id = 4940, arrayindex(regextract(_raw_log, "^Password for user (\S+) (?:has )?expired") , 0),
        event_id in (3391, 3392), arrayindex(regextract(_raw_log, "Local user (\S+) is") , 0)), // users added/removed to/from group
    tgt_mac_address = if(event_id = 913, arrayindex(regextract(msg, "dest:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0)),
    username = if(
        event_id in(3362, 3363, 4241, 4242, 3369, 4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949, 4951, 4952, 5005, 5006, 5007, 3387, 4930, 4938, 4939, 5826), arrayindex(regextract(msg, "^User \'?([\w\\]+)\'? (?:logged|logout|from|password|has logged|is logged|has been logged|denied access)"), 0), 
        event_id in (186, 468, 469, 470, 640, 2667, 2710, 2714, 2715, 2716, 2717, 3310, 3311, 3318, 3340, 3341, 3342, 3343, 3344, 3345, 3440, 3444, 4244, 4245, 4248, 5553, 5555, 5765, 5825, 5827, 5828, 5829), arrayindex(regextract(msg, "^User\s*\:?\s*\'?([\w\\]+)\'?\s*\:"), 0), 
        event_id in (419, 5008, 639, 992, 993, 3390, 4940, 4941), arrayindex(regextract(msg, "[Uu]ser \'?([\w\\]+)\'? (?:is (?:trying|logged|added|deleted)|command|logged|has|expired)"), 0), 
        event_id = 4950, arrayindex(regextract(msg, "History records cleared for \'?([\w\\]+)\'? user") , 0),
        event_id = 236, arrayindex(regextract(msg, "community name or user name\s*[,\:]?\s*\'?([\w\\]+)\'?"), 0), 
        event_id = 5815, arrayindex(regextract(msg, "^The user name \'?([\w\\]+\'?)"), 0), 
        event_id = 5940, arrayindex(regextract(msg, "Authentication aborted for(?: client \S+)? user \'?([\w\\]+)\'?\."), 0), 
        event_id = 5681, arrayindex(regextract(msg, "userName \'?([\w\\]+)\'?\-?\s*authType"), 0), 
        event_id = 5749, arrayindex(regextract(msg, "username \'?([\w\\]+)\'? or password"), 0), 
        event_id = 4831, arrayindex(regextract(msg, "limit is reached for \'?([\w\\]+)\'?\."), 0), 
        event_id = 2668, arrayindex(regextract(msg, "for the User \'?([\w\\]+)\'?\."), 0), 
        event_id = 5409, arrayindex(regextract(msg, "for user (\S+):") , 0)),
    user_role = if(
        event_id in (5204, 5205, 5206, 5207, 5208, 5209, 5210, 5211, 5212, 5213, 5411, 5412, 5619, 5563, 5717, 5722, 5724, 5725, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "user[\s\-]+role \'?(.+?)\'? (?:to|has|with|is|\.)"), 0),
        event_id in (3391, 3392, 3393, 3394), arrayindex(regextract(msg, "group \'?(.+?)\'?\s*\."), 0),
        event_id in (5620, 5621), arrayindex(regextract(msg, "^\'?(.+?)\'? client"), 0),
        event_id in (5715, 5716), arrayindex(regextract(msg, "^Initial role \'?(.+?)\'? is"), 0)),
    vlan_id = if(
        event_id in (1,2), arrayindex(regextract(msg, "^(\d+) virtual LAN"), 0),
        event_id = 316, arrayindex(regextract(msg, "^VLAN ID out of range \(?(\d+)"), 0), 
        event_id = 964, arrayindex(regextract(msg, "^Failed to allocate memory for (\d+)"), 0), 
        event_id = 3815, arrayindex(regextract(msg, "^(\d+) \S+ Port \S+ moved"), 0), 
        event_id = 3824, arrayindex(regextract(msg, "^GVRP could not create (\d+) because"), 0), 
        event_id = 3826, arrayindex(regextract(msg, "^GVRP could not add port \S+ to (\d+)"), 0), 
        event_id = 3828, arrayindex(regextract(msg, "^Port \S+ unblocked on (\d+)"), 0), 
        event_id = 4588, arrayindex(regextract(msg, "^Unable to add binding for (\d+)"), 0),
        arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)) // default fallback  

| alter // Post Extraction Processing 
    formatted_mac_address = arraystring(regextract(mac_address, "[\da-fA-F]{2}"), ":"), 
    formatted_tgt_mac_address = arraystring(regextract(tgt_mac_address , "[\da-fA-F]{2}"), ":"),
    gw_ipv4 = arrayindex(regextract(gateway_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), 
    gw_ipv6 = arrayindex(regextract(gateway_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
    src_ipv4 = arrayindex(regextract(src_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), 
    src_ipv6 = arrayindex(regextract(src_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0), 
    tgt_ipv4 = arrayindex(regextract(tgt_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), 
    tgt_ipv6 = arrayindex(regextract(tgt_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
    tgt_user_domain = arrayindex(regextract(tgt_user, "(.+)\\.+"), 0),
    user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)

| alter // XDM Mappings 
    xdm.alert.severity = severity,
    xdm.auth.auth_method = access_mode,
    xdm.event.description = msg, 
    xdm.event.id = to_string(event_id),
    xdm.event.is_completed = if(
        event_id in (91, 375, 666, 734, 2552, 2568, 2802, 3318, 3802, 4762), to_boolean("FALSE"),
        event_id in (93, 94, 131, 150, 202, 376, 667, 735, 796, 2553, 2558, 2569, 2803, 3310, 3803, 4050, 4066, 4185, 4215, 4763, 5024, 5033, 5034, 4612), to_boolean("TRUE")),
    xdm.event.log_level = if(
        severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, 
        severity = "1", XDM_CONST.LOG_LEVEL_ALERT , 
        severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, 
        severity = "3", XDM_CONST.LOG_LEVEL_ERROR, 
        severity = "4", XDM_CONST.LOG_LEVEL_WARNING, 
        severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, 
        severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, 
        severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
    xdm.event.outcome = if(
        msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
        msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.outcome_reason = outcome_reason,
    xdm.event.type = facility,
    xdm.intermediate.host.hostname = gateway_name,
    xdm.intermediate.ipv4 = device_ip,
    xdm.intermediate.ipv6 = gw_ipv6,
    xdm.intermediate.host.ipv4_addresses = arraycreate(device_ip, gw_ipv4),
    xdm.intermediate.host.ipv6_addresses = arraycreate(gw_ipv6),
    xdm.network.dhcp.siaddr = dhcp_server_ip,
    xdm.network.rule = policy_name,
    xdm.observer.type = facility,
    xdm.observer.unique_identifier = device_ip,
    xdm.source.host.mac_addresses = if(formatted_mac_address != null, arraycreate(formatted_mac_address)),
    xdm.source.ipv4 = src_ipv4,
    xdm.source.ipv6 = src_ipv6,
    xdm.source.subnet = ip_mask,
    xdm.source.user.domain = user_domain,
    xdm.source.user.groups = if(user_role != null, arraycreate(user_role)),
    xdm.source.user.username = username,
    xdm.source.vlan = to_integer(vlan_id),
    xdm.target.host.mac_addresses = if(formatted_tgt_mac_address != null, arraycreate(formatted_tgt_mac_address)),
    xdm.target.process.command_line = cmd,
    xdm.target.interface = to_string(interface_port_id),
    xdm.target.ipv4 = tgt_ipv4,
    xdm.target.ipv6 = tgt_ipv6,
    xdm.target.user.domain = tgt_user_domain,
    xdm.target.user.username = tgt_user;


/* -----------------------------------------------------------
    Event Log Alternative Format:  
    seq no:timestamp: %facility-severity-MNEMONIC:description 
   ----------------------------------------------------------*/
filter _raw_log ~= "%\S+\-\d\-\S+:"
| alter // Extract the common message parts 
    sequence_number = arrayindex(regextract(_raw_log, "^\<\d+\>(\d+):") , 0),
    facility = arrayindex(regextract(_raw_log, "%(.+?)\-\d+\-\S+?:") , 0),
    severity = arrayindex(regextract(_raw_log, "%.+?\-(\d+)\-\S+?:") , 0),
    event_name_mnemonic = arrayindex(regextract(_raw_log, "%.+?\-\d+\-(\S+?):") , 0),
    msg = arrayindex(regextract(_raw_log, "\s+\S+?:\s+(.+)") , 0)

| alter // extract dynamic fields from the syslog message description 
    client_mac_address = coalesce(
        arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
        arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
        arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0)),
    device_hostname = arrayindex(regextract(_raw_log ,"\<\d+\>\d+\:\s([\w+\-\_]+)\:\s\d+\:"), 0),
    device_product_id = arrayindex(regextract(msg ,"\[PID\:([^\,]+)\,"), 0), 
    device_serial_number = arrayindex(regextract(msg , ",SN\:([\w\-]+)"), 0),
    interface_port_id = coalesce(
        arrayindex(regextract(msg ,"Interface\s([^\/]+\/\d+\/*\d*)"), 0),
        arrayindex(regextract(msg ,"interface\sname\s([^\/]+\/\d+\/\d+)"), 0),
        arrayindex(regextract(msg , "Interface\s([\w\-]+)"), 0),
        arrayindex(regextract(msg , "on interface\s+(\S+)\s+by"), 0),
        arrayindex(regextract(msg , "(?:on|port|Unblocking|Blocking)\s+(\w+\/\w+\/\w+)"), 0),
        arrayindex(regextract(msg , "^(\w+\/\w+\/\w+):"), 0)),
    outcome_reason = coalesce(
        arrayindex(regextract(msg, "\sreason:\s*(.+?)\."), 0), 
        arrayindex(regextract(msg, "with reason\s*\(([^\)]+)\)"), 0),
        arrayindex(regextract(msg, "\[Reason:\s*([^\]]+)\]"), 0)),
    process_name = coalesce(
        arrayindex(regextract(msg ,"by\sprocess\s(.+?)\s+(?:Process|Policy\smanager)"), 0),
        arrayindex(regextract(msg ,"process\s*\=\s*([^\.]+)\."), 0)),
    server_ipv4 = arrayindex(regextract(msg, "[Ss]erver(?:\s+not\s+found)?(?:\s+at)?\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
    server_name = arrayindex(regextract(msg, "Server\s+([\w\-]+)\s+is"), 0),
    session_id = coalesce(
        arrayindex(regextract(msg, "AuditSessionID (\w+)"), 0),
        arrayindex(regextract(msg, "session (\w+)\("), 0)),
    source_ipv4 = coalesce(
        arrayindex(regextract(msg , "from\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg , "from\s+host\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg , "list\s\d+\spermitted\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg ,"\[Source\:\s((?:\d{1,3}\.){3}\d{1,3})\]"), 0),
        arrayindex(regextract(msg ,"session\s\d+\(((?:\d{1,3}\.){3}\d{1,3})\)"), 0),
        arrayindex(regextract(msg ,"connection\sfrom\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
        arrayindex(regextract(msg ,"address\s((?:\d{1,3}\.){3}\d{1,3})\son"), 0),
        arrayindex(regextract(msg ,"neighbor\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg , "on\s+\w+\s*\(((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg ,"\(((?:\d{1,3}\.){3}\d{1,3})\)\)\,\suser"), 0)),
    target_ipv4 = arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
    target_port = coalesce(
        arrayindex(regextract(msg ,"\[localport\:\s(\d+)\]"), 0), 
        arrayindex(regextract(msg ,"to\shost\s\d+\.\d+\.\d+\.\d+\sport\s(\d+)"), 0)),
    username = coalesce(
        arrayindex(regextract(msg ,"user\s+name\s*:\s*([\w\-]+)"), 0),
        arrayindex(regextract(msg ,"User\s+\'([^\']+)\'\s+\w+"), 0),
        arrayindex(regextract(msg ,"User\s+(\S+)\s+has"), 0),
        arrayindex(regextract(msg ,"\[user\:\s([^\]]+)\]"), 0),
        arrayindex(regextract(msg ,"\:\sUser\s(\S+)\s"), 0),
        arrayindex(regextract(msg ,"Username:\s*()"), 0),
        arrayindex(regextract(msg ,"by\s+(\S+)\s+on\s+"), 0),
        arrayindex(regextract(msg ,"\(\d+\.\d+\.\d+\.\d+\)\)\,\suser\s(\S+)"), 0)),
    vlan = arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)

| alter // post-extraction formatting 
    client_mac_formatted = arraystring(regextract(client_mac_address, "[\da-fA-F]{2}"), ":"), 
    sequence_number = replex(sequence_number, "^0+", ""),
    user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)

| alter // XDM mappings
    xdm.alert.severity = severity,
    xdm.event.description = msg,
    xdm.event.log_level = if(
        severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, 
        severity = "1", XDM_CONST.LOG_LEVEL_ALERT , 
        severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, 
        severity = "3", XDM_CONST.LOG_LEVEL_ERROR, 
        severity = "4", XDM_CONST.LOG_LEVEL_WARNING, 
        severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, 
        severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, 
        severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
    xdm.event.outcome = if(
        msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
        event_name_mnemonic ~= "SUCCESS" or msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.outcome_reason = outcome_reason,
    xdm.event.type = if( // rename vague event names to a meaningful name if necessary 
        event_name_mnemonic = "FAIL" and msg ~= "(?i)Authorization failed", "AUTHORIZATION_FAILED",
        event_name_mnemonic = "FAIL" and msg ~= "(?i)Authentication failed", "AUTHENTICATION_FAILED",
        event_name_mnemonic),
    xdm.network.session_id = sequence_number,
    xdm.observer.name = device_hostname,
    xdm.observer.type = facility,
    xdm.observer.unique_identifier = coalesce(device_serial_number, device_hostname),
    xdm.session_context_id = session_id,
    xdm.source.host.device_id = coalesce(device_serial_number, device_hostname),
    xdm.source.host.device_model = device_product_id,
    xdm.source.host.hardware_uuid = device_serial_number,
    xdm.source.host.mac_addresses = if(client_mac_formatted != null, arraycreate(client_mac_formatted)),
    xdm.source.ipv4 = source_ipv4,
    xdm.source.process.name = process_name,
    xdm.source.user.domain = user_domain,
    xdm.source.user.username = username,
    xdm.source.vlan = to_integer(vlan),
    xdm.target.host.hostname = server_name,
    xdm.target.interface = interface_port_id,
    xdm.target.ipv4 = coalesce(server_ipv4, target_ipv4),
    xdm.target.port = to_integer(target_port);


/* -----------------------------------------------------------------------------------------------------------------------
    HPE Aruba CX Series (AOS-CX) Event Log Format - RFC 5424 syslog with an "Event|<id>|<level>|<module>|<sub>|<message>" payload.
    Event Log Reference: https://arubanetworking.hpe.com/techdocs/AOS-CX/10.16/HTML/elmrg/Content/fir-int.htm
    Example: <PRI>1 <ISO-8601-timestamp> <hostname> <daemon> <procid> - - Event|<id>|<LOG_LEVEL>|<module>|<sub>|<message>
    Separated from the AOS-S (29xx) logs by the ISO-8601 timestamp date format.
   ----------------------------------------------------------------------------------------------------------------------*/
filter _raw_log ~= "\d{4}\-\d{2}\-\d{2}T\d{2}:\d{2}:\d{2}\.\d+(?:Z|[\+\-]\d{2}:\d{2})"
| alter // Extract the RFC 5424 header fields
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>"), 0)),
    syslog_version = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>(\d+)\s"), 0),
    device_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+Event\|"), 0),
    application = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+Event\|"), 0),
    process_id = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+Event\|"), 0)
| alter // Extract the AOS-CX "Event|..." payload fields
    event_id = to_integer(arrayindex(regextract(_raw_log, "Event\|(\d+)\|"), 0)),
    log_level = arrayindex(regextract(_raw_log, "Event\|\d+\|(LOG_[A-Z]+)\|"), 0),
    module = arrayindex(regextract(_raw_log, "Event\|\d+\|LOG_[A-Z]+\|([^\|]*)\|"), 0),
    msg = arrayindex(regextract(_raw_log, "Event\|\d+\|LOG_[A-Z]+\|[^\|]*\|[^\|]*\|(.*)$"), 0)
| alter // Map the AOS-CX event-id "hundreds" prefix to its functional category
    event_cat_num = to_integer(floor(divide(event_id, 100))),
    event_categories = arraycreate("UNKNOWN", "LLDP", "FAN", "POWER", "INTERFACE", "LED", "PORT", "SYSTEM", "TEMPERATURE", "LOOPBACK", "sFLOW", "NTP", "SUPORTABILITY", "LACP", "LAG", "CoPP", "VLAN-INTERFACE", "L3-INTERFACE", "ECMP", "DHCP", "MSRP", "VLAN", "REDUNDANT-MGMT", "AAA", "OSPFv2", "UNKNOWN", "MGMD", "REPLD", "LOOP-PROTECT", "BGP", "HW-HEALTH-MONITOR", "MVRP", "MODULE", "DHCPv6", "DHCP-RELAY", "IRDP", "UDPFWD", "VRRP", "XCVR", "IPv6-RA", "MTM", "UDLD", "UNKNOWN", "MGMT", "UPDATE", "SELFTEST", "REST", "USER-MGMT", "MAC-MGMT", "OSPFv3", "RPVST", "PIM", "SSH-SERVER", "SFTP-CLIENT", "VRF-MGR", "NAE-POLICYD", "HTTPS-SERVER", "QOS", "QOS-ASIC", "PASSWD-RESET", "NAE-TSDBD", "NDM", "TIME-MGMT", "SYSMON", "VRF", "CRED-MGR", "PORT-STATISTICS", "MIRRORING", "CONFIG-MGMT", "NAE-AGENTS", "VSC", "SNMP", "UNKNOWN", "BFD", "IP-SLA", "CPU-RX", "VSX-SYNC", "CERT-MGMT", "EXTERNAL-STORAGE", "POE", "BLUETOOTH-MGMT", "VXLAN", "UNKNOWN", "UNKNOWN", "ND-SNOOPING", "ERPS", "MSDP", "ZTPD", "HSC-SYNCD", "CDP", "SSH-CLIENT", "INTERNAL-STORAGE", "DCBX", "PORT-ROLE", "PORT-SECURITY", "EVPN", "IP-TUNNEL", "USER-BASED-TUNNEL", "IP-SRC-LKDN", "VSF", "ACL", "POLICY", "TCAM", "RBAC", "ARP-SECURITY", "PORT-ACCESS", "L3-ENCAP", "UNKNOWN", "L3-ASIC-RESOURCE", "DPSE", "MAC-ADDR-CONFIG", "FAULT-MONITOR", "MACSEC", "SMARTLINK", "MDNS", "L3-RESMGR", "ETH-OAM-CFM", "ALARM", "CONTAINER", "DNS-CLIENT", "UFD", "PTP", "SCHEDULE", "DOT1X-SUPPLICANT", "DFP", "VXLAN-AGENT", "PORT-ACCESS-GBP", "NAE-SCRIPT-GEN", "UNKNOWN", "TELNET-SERVER", "CONSOLE", "ACCOUNTING", "HOT-PATCH", "MPLS", "CONFIG-VALIDATOR", "ISSU", "TPMD", "SCHEDULEHW-HEALTH-MONITOR", "DIST-SERV", "TRAFFIC-INSIGHT", "ARC", "INTERFACE-DIAGNOSTIC", "CLIENT-INSIGHT", "FEATURE-PACK", "DOWNLOAD", "CENTRAL-SOURCE", "PORT-ACC-ABP", "IPSEC", "LAUNCHD", "CX-LMS", "IPFM", "PACKET-CAPTURE", "PIM-BIDI", "IPFIX", "MSRP", "UNKNOWN", "FQTSS", "INJECTED-VIEWS", "MULTICAST", "SELFTEST-MONITOR", "QTP", "SYNCHE", "MOD", "IFA", "FIB")
| alter
    event_category = to_string(arrayindex(event_categories, event_cat_num))
| alter // Extract dynamic entities from the free-text message body
    username = coalesce(
        arrayindex(regextract(msg, "User:\s*([\w\\\-]+)"), 0),
        arrayindex(regextract(msg, "[Uu]ser\s+([\w\\\-]+)\s+(?:logged|logout)"), 0),
        arrayindex(regextract(msg, "(?:succeeded|failed)\s+for\s+user\s+([\w\\\-]+)"), 0),
        arrayindex(regextract(msg, "User\s+\'([^\']+)\'"), 0)),
    login_src_host = coalesce(
        arrayindex(regextract(msg, "logged in from\s+([\w\.\-]+)"), 0),
        arrayindex(regextract(msg, "logged out of REST session from\s+([\w\.\-]+)"), 0)),
    central_host = arrayindex(regextract(msg, "on location\s+([\w\.\-]+)"), 0),
    src_ipv4 = arrayindex(regextract(msg, "from\s+(?:device\s+)?((?:\d{1,3}\.){3}\d{1,3})"), 0),
    vrf_name = arrayindex(regextract(msg, "on VRF\s+(\S+)"), 0),
    session_id = arrayindex(regextract(msg, "in session\s+(\S+)"), 0),
    subscriber = coalesce(
        arrayindex(regextract(msg, "(?:added|removed)\s+subscriber:\s*(\S+?)\.?$"), 0),
        arrayindex(regextract(msg, "subscriber:\s*(\S+?)\.?$"), 0))
| alter // post-extraction formatting
    syslog_version = replex(syslog_version, "^0+", ""),
    user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM mappings
    xdm.event.id = to_string(event_id),
    xdm.event.description = msg,
    xdm.event.log_level = if(
        log_level = "LOG_EMERG", XDM_CONST.LOG_LEVEL_EMERGENCY,
        log_level = "LOG_ALERT", XDM_CONST.LOG_LEVEL_CRITICAL,
        log_level = "LOG_CRIT", XDM_CONST.LOG_LEVEL_CRITICAL,
        log_level = "LOG_ERR", XDM_CONST.LOG_LEVEL_ERROR,
        log_level = "LOG_WARNING", XDM_CONST.LOG_LEVEL_WARNING,
        log_level = "LOG_NOTICE", XDM_CONST.LOG_LEVEL_NOTICE,
        log_level = "LOG_INFO", XDM_CONST.LOG_LEVEL_INFORMATIONAL,
        log_level = "LOG_DEBUG", XDM_CONST.LOG_LEVEL_DEBUG),
    xdm.event.outcome = if(
        msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
        msg ~= "(?i)SUCCESS|SUCCEEDED|logged in|logged out|has been closed|established", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.type = event_category,
    xdm.network.session_id = session_id,
    xdm.observer.type = "Network Switch",
    xdm.observer.unique_identifier = device_hostname,
    xdm.source.host.hostname = login_src_host,
    xdm.source.ipv4 = src_ipv4,
    xdm.source.process.name = application,
    xdm.source.process.pid = to_integer(process_id),
    xdm.source.user.domain = user_domain,
    xdm.source.user.username = username,
    xdm.target.host.hostname = central_host,
    xdm.target.user.username = subscriber;

Schema

hpe_switch_raw

Field Type Array?
_raw_log string
Raw JSON

{
    "hpe_switch_raw": {        
        "_raw_log": {
            "type": "string",
            "is_array": false
        }
    }
}