Rules (XIF)
// Virtualization Story Login format classification rule
// Event type = 3
// Returns the login format: SSO or Session
[RULE: vmware_vcenter_login_format]
alter
xdm.event.type = "Login"
| alter
is_sso_login = if(_raw_log ~= "vmware.sso.Login"),
is_session = if(event_type_name in ("vim.event.BadUsernameSessionEvent", "vim.event.UserLoginSessionEvent"));
// Virtualization Story Login Session fomrat field mapping
// Event type = 3
[RULE: vmware_vcenter_login_format_session_event]
alter
description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
target_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6),
event_id = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 0),
event_type_name = arrayindex(regextract(syslog_msg, "\[([\.a-zA-Z]+)\]"), 0)
| alter
target_ip = arrayindex(regextract(description, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
user_agent = arrayindex(regextract(description, "logged in as (.*)"), 0)
| alter
xdm.observer.name = syslog_hostname,
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(description ~= "response code 200", XDM_CONST.OUTCOME_SUCCESS,
description ~= "Cannot login", XDM_CONST.OUTCOME_FAILED),
xdm.source.user.username = username,
xdm.source.ipv4 = if(is_ipv4(target_ip), target_ip),
xdm.source.host.ipv4_public_addresses = if(
target_ip = null, null,
incidr(target_ip, "10.0.0.0/8"), null,
incidr(target_ip, "192.168.0.0/16"), null,
incidr(target_ip, "172.16.0.0/12"), null, arraycreate(target_ip)),
xdm.source.user_agent = user_agent,
xdm.target.virtualization.vm.hostname = target_hostname;
// Virtualization Story Login SSO fomrat field mapping
// Event type = 3
[RULE: vmware_vcenter_login_format_sso_login]
alter
event_type_name = arrayindex(regextract(syslog_msg, "type\":\"([^\"]+)"), 0),
description = arrayindex(regextract(syslog_msg, "description\":\"([^\"]+)"), 0),
username = arrayindex(regextract(syslog_msg, "user\":\"([^\"]+)"), 0),
target_ip = arrayindex(regextract(syslog_msg, "client\":\"([^\"]+)"), 0),
response_code = arrayindex(regextract(syslog_msg, "response code (\d{1,3})"), 0),
auth_method = arrayindex(regextract(_raw_log, "^\S+\s+\S+\s+\S+\s+([^\s]+)"), 0)
| alter
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.observer.name = syslog_hostname,
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(event_type_name ~= "Success", XDM_CONST.OUTCOME_SUCCESS,
event_type_name ~= "Fail", XDM_CONST.OUTCOME_FAILED),
xdm.target.user.username = if (username ~= "@", arrayindex(regextract(username, "([^\@]+)"), 0), username),
xdm.target.ipv4 = if(is_ipv4(target_ip), target_ip),
xdm.target.user.upn = if(username ~= "@", username),
xdm.target.user.domain = if(username ~= "@", arrayindex(regextract(username, "@([^\s]+)"), 0)),
xdm.auth.auth_method = auth_method,
xdm.network.http.response_code = if(response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, response_code);
// Virtualization Story Account Operations fomrat field mapping
// Event type = 7
[RULE: vmware_vcenter_account_operations_format]
alter
process_id = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+\S+\s+([^\s]+)"), 0),
process_name = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+([^\s]+)"), 0),
source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6),
description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5)
| alter
vm_name = if(description ~= "^Permission rule\s+\S+\s+\S+\s+\S+\s+\S+\s+", arrayindex(regextract(description, "^Permission rule\s+\S+\s+\S+\s+\S+\s+\S+\s+([^\s]+)"), 0), // Extract vm_name from raw start with permission rule
description ~= "^Permission\s+\S+\s+\S+\s+\S+\s+\S+\s+", arrayindex(regextract(description, "^Permission\s+\S+\s+\S+\s+\S+\s+\S+\s+([^\s|,|.]+)"), 0)), // Extract vm_name from raw start with permission created or changed
target_hostname = if(description ~= "on host", arrayindex(regextract(description, "\s+on host\s+([^\s+|\]]+)"), 0), // Extract target host from raw related to account activity
description ~= "on" and description ~= "^Permission", arrayindex(regextract(description, "\s+on\s+([^\s+|,]+)"), 0)), // Extract target host from raw related to permission activity
target_username = if(description ~= "^Account", arrayindex(regextract(description, "^Account ([^\s]+)"), 0), // Extract user from raw related to account activity
description ~= "^Permission", arrayindex(regextract(description, "for ([^\s]+)"), 0)) // Extract user from raw related to permission activity
| alter
xdm.observer.name = syslog_hostname,
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.description = syslog_msg,
xdm.event.type = "Account Operations",
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(description !~= "Fail", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.operation = if(event_type_name in ("vim.event.AccountCreatedEvent", "vim.event.PermissionAddedEvent"), XDM_CONST.OPERATION_TYPE_CREATE,
event_type_name ~= "Removed", XDM_CONST.OPERATION_TYPE_DELETE,
event_type_name ~= "Updated", XDM_CONST.OPERATION_TYPE_UPDATE),
xdm.source.virtualization.vm.hostname = vm_name,
xdm.source.virtualization.data_center.name = source_hostname,
xdm.source.user.username = source_username,
xdm.target.process.identifier = process_id,
xdm.target.process.name = process_name,
xdm.target.host.hostname = target_hostname,
xdm.target.user.username = target_username;
// Virtualization Story File/Datastore Event fomrat field mapping
// Event type = 8
[RULE: vmware_vcenter_file_or_datastore_format]
alter
description = if(syslog_msg ~= "Deletion of file or directory", arrayindex(regextract(syslog_msg, "\[((?:[^\[\]]|\[[^\[\]]*\])*)\]"), 8),
arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8)),
source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5)
| alter
source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6),
target_hypervisor_hostname = arrayindex(regextract(description, "on ([^\s]+) in"), 0),
target_hostname = arrayindex(regextract(description, "from ([^\s]+) was initiated"), 0),
datastore_name = coalesce(arrayindex(regextract(description, "Created VMFS datastore ([^\s]+)"), 0),
arrayindex(regextract(description, "Discovered datastore ([^\s]+) on"), 0),
arrayindex(regextract(description, "\[([^\]]+)\]"), 0)), // Extract datastore name from brackets [%datastore%]
datastore_uuid = arrayindex(regextract(description, "\((ds:\/\/[^\)]+)\)"), 0),
file_path = arrayindex(regextract(description, "\]\s+(.*?)\s+from"), 0),
initiator_str = arrayindex(regextract(description, "initiated from '([^\']+)"), 0),
outcome_str = arrayindex(regextract(description, "completed with status ([^\s]+)"), 0),
action = arrayindex(regextract(description, "with status '([^\']+)"), 0)
| alter
xdm.observer.name = syslog_hostname,
xdm.event.type = "File/Datastore Event",
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.operation_sub_type = action,
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.outcome = if(description contains "Fail" or outcome_str = "failure", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
xdm.event.operation = if(
description contains "Created", XDM_CONST.OPERATION_TYPE_CREATE,
description contains "Discovered", XDM_CONST.OPERATION_TYPE_READ,
description contains "Deletion", XDM_CONST.OPERATION_TYPE_DELETE),
xdm.source.virtualization.data_center.name = source_hostname,
xdm.source.user.username = source_username,
xdm.source.user_agent = arrayindex(split(initiator_str, "@"), 0),
xdm.source.ipv4 = if(is_ipv4(arrayindex(split(initiator_str, "@"), 1)), arrayindex(split(initiator_str, "@"), 1), null),
xdm.target.virtualization.data_center.name = target_hostname,
xdm.target.virtualization.data_store.name = datastore_name,
xdm.target.virtualization.data_store.uuid = datastore_uuid,
xdm.target.host.hostname = target_hypervisor_hostname,
xdm.target.file.path = file_path,
xdm.target.file.filename = arrayindex(split(file_path , "/"), 1);
// Virtualization Story VM Operations fomrat field mapping
// Event type = 9
[RULE: vmware_vcenter_vm_operation_format]
alter
description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
vm_name = if(description ~= "^Creating", arrayindex(regextract(description, "^Creating ([^\s]+)"), 0), // Extract vm name from raw related to Creating activity
description ~= "^Guest OS", arrayindex(regextract(description, "^Guest OS (?:reboot|shut down) for ([^\s]+) on"), 0), // Extract vm name from raw related to Guest OS activity
description ~= "^Virtual machine ", arrayindex(regextract(description, "^Virtual machine ([^\s]+)"), 0), // Extract vm name from raw start with Virtual Machine
description ~= " cloned to", coalesce(arrayindex(regextract(description, "(.+?) cloned to"), 0), arrayindex(regextract(description, "([^\s]+) cloned to"), 0)), // Extract vm name from raw related to cloned to activity (space-aware extraction added, original kept as fallback)
description ~= "^Created virtual machine ", coalesce(arrayindex(regextract(description, "^Created virtual machine (.+?) on"), 0), arrayindex(regextract(description, "^Created virtual machine ([^\s]+) on"), 0)), // Extract vm name from raw related to VM created (space-aware extraction added, original kept as fallback)
description ~= "^Template ", arrayindex(regextract(description, "^Template (.+?)\s"), 0), // Extract vm name from raw start with Template
description ~= "^Removed ", coalesce(arrayindex(regextract(description, "^Removed\s(.+?)\s+on\s"), 0), arrayindex(regextract(description, "^Removed\s([^\s]+)"), 0)), // Extract vm name from raw start with Removed (space-aware extraction added, original kept as fallback)
description ~= "^Registered ", arrayindex(regextract(description, "^Registered\s([^\s]+)"), 0), // Extract vm name from raw start with Registered
description ~= "^Renamed ", coalesce(arrayindex(regextract(description, "^Renamed\s(.+?)\s+from\s"), 0), arrayindex(regextract(description, "^Renamed\s([^\s]+)"), 0)), // Extract vm name from raw start with Renamed (space-aware extraction added, original kept as fallback)
description ~= "^Reconfigured ", coalesce(arrayindex(regextract(description, "Reconfigured (.+?) on\s"), 0), arrayindex(regextract(description, "Reconfigured ([^\s]+)"), 0)), // Extract vm name from raw start with Reconfigured (space-aware extraction added, original kept as fallback)
description ~= "^\S+\s+\-", arrayindex(regextract(description, "^([^\s]+) - "), 0), //Extract vm name from the start of the string (before " - ")
description ~= "^\S+\s+on", coalesce(arrayindex(regextract(description, "^(.+?) on \S+\s+in "), 0), arrayindex(regextract(description, "^([^\s]+) on \S+\s+in "), 0))), //Extract vm name from the start of the string (before " on ") (space-aware extraction added, original kept as fallback)
target_vm_name = coalesce(arrayindex(regextract(description, "cloned to (.+?) on"), 0), arrayindex(regextract(description, "cloned to ([^\s]+) on"), 0)),
target_hostname = if(description ~= "^Removed", arrayindex(regextract(description, "Removed\s+\S+\s+on\s+([^\s]+)"), 0), // Extract target host from raw start with Removed
description ~= "^Guest OS", arrayindex(regextract(description, "on\s+([^\s]+)\s+in"), 0), // Extract target host from raw start with Guest OS
arrayindex(regextract(description, " to ([^\s]+),"), 0)),
target_datacenter = coalesce(arrayindex(regextract(description, ",\s+\S+\s+in ([^\s]+)$"), 0), arrayindex(regextract(description, "\sin\s+(.+?)\.?$"), 0)),
original_esxi_name = if(description ~= "relocated from\s+\S+", arrayindex(regextract(description, "relocated from\s+([^\,]+)"), 0),
description ~= "Creating ([^\s]+) on", arrayindex(regextract(description, "Creating ([^\s]+) on"), 0)),
datastore_name = if(description ~= "\S+\,\s+\S+\s+in", arrayindex(regextract(description, "\S+\,\s+([^\s]+)\s+in"), 0)),
target_datastore_name = if(description ~= "\s+to\s+\S+\,\s+\S+\s+in", arrayindex(regextract(description, "\s+to\s+\S+\,\s+([^\s]+)"), 0)),
old_vm_name = if(description ~= "from\s+\S+\s+to", coalesce(arrayindex(regextract(description, "from\s+(.+?)\s+to\s"), 0), arrayindex(regextract(description, "from\s+([^\s]+)\s+to"), 0))), // Extract old vm name from event start with Renamed (space-aware extraction added, original kept as fallback)
new_vm_name = if(description ~= "deployed to", arrayindex(regextract(description, "deployed to ([^\s]+)"), 0), // Extract new vm name from event start with Template
description ~= "from\s.+\sto\s+.+\s+in\s", arrayindex(regextract(description, "\sto\s+(.+?)\s+in\s"), 0), // Extract new vm name from Renamed event when names contain spaces (added for CRTX-243601)
description ~= "from\s\S+\sto\s+\S+\s+in\s", coalesce(arrayindex(regextract(description, "\sto\s+(.+?)\s+in\s"), 0), arrayindex(regextract(description, "from\s\S+\sto\s+([^\s]+)"), 0))) // Extract new vm name from event start with Renamed (space-aware extraction added, original kept as fallback)
| alter
xdm.observer.name = syslog_hostname,
xdm.event.type = "VM Operations",
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(description contains "Fail", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.operation = if(event_type_name in ("vim.event.VmCreatedEvent", "*VM Created*", "vim.event.VmClonedEvent", "*VM Cloned*"), XDM_CONST.OPERATION_TYPE_CREATE,
event_type_name in ("vim.event.VmPoweredOnEvent", "*VM Power On*", "vim.event.VmPoweredOffEvent", "*VM Power Off*", "vim.event.VmGuestRebootEvent", "*Guest OS VM Reboot*", "vim.event.VmGuestShutdownEvent", "*Guest OS VM Shutdown*", "vim.event.VmMigratedEvent", "*VM Migrated*", "vim.event.VmResettingEvent", "*VM Resetting*", "vim.event.VmSuspendedEvent", "*VM Suspended*"), XDM_CONST.OPERATION_TYPE_STATUS_CHANGE,
event_type_name = "vim.event.VmRemovedEvent", XDM_CONST.OPERATION_TYPE_DELETE,
event_type_name in ("vim.event.VmRegisteredEvent","vim.event.VmDeployedEvent", "vim.event.VmReconfiguredEvent", "vim.event.VmRelocatedEvent"), XDM_CONST.OPERATION_TYPE_CONFIG_CHANGE,
event_type_name = "vim.event.VmRenamedEvent", XDM_CONST.OPERATION_TYPE_UPDATE),
xdm.source.user.username = source_username,
xdm.source.host.hostname = original_esxi_name,
xdm.target.host.hostname = target_hostname,
xdm.target.resource_before.name = old_vm_name,
xdm.target.resource.name = new_vm_name,
xdm.source.virtualization.data_center.name = source_hostname,
xdm.target.virtualization.data_center.name = target_datacenter,
xdm.source.virtualization.data_store.name = datastore_name,
xdm.target.virtualization.data_store.name = target_datastore_name,
xdm.source.virtualization.vm.hostname = coalesce(vm_name, old_vm_name),
xdm.target.virtualization.vm.hostname = coalesce(target_vm_name, new_vm_name, if(event_type_name = "vim.event.VmReconfiguredEvent", vm_name));
// Virtualization Story vSphere Task Event fomrat field mapping
// Event type = 10
[RULE: vmware_vcenter_vsphere_task_format]
alter
description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
xdm.observer.name = syslog_hostname,
xdm.event.type = "vSphere Task Event",
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(description contains "Fail", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.operation = XDM_CONST.OPERATION_TYPE_CREATE,
xdm.source.virtualization.data_center.name = source_hostname,
xdm.source.user.username = source_username;
// Virtualization Story Host Events fomrat field mapping
// Event type = 11
[RULE: vmware_vcenter_host_event_format]
alter
description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
target_hostname = coalesce(
arrayindex(regextract(description, "Host ([^\s]+) in"), 0),
arrayindex(regextract(description, "Connected to ([^\s]+) in"), 0),
arrayindex(regextract(description, "Disconnected from ([^\s]+) in"), 0),
arrayindex(regextract(description, "Added ([^\s]+) to"), 0),
arrayindex(regextract(description, "Removed host ([^\s]+) in"), 0))
| alter
xdm.observer.name = syslog_hostname,
xdm.event.type = "Host Events",
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.operation = XDM_CONST.OPERATION_TYPE_CREATE,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(description contains "Fail" or description contains "not responding", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.source.virtualization.data_center.name = source_hostname,
xdm.source.user.username = source_username,
xdm.target.host.hostname = target_hostname;
// Virtualization Story Scheduled Task Event fomrat field mapping
// Event type = 12
[RULE: vmware_vcenter_scheduled_task_format]
alter
description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
target_task_name = arrayindex(regextract(description, "Created task (.+?) on "), 0),
vm_name = arrayindex(regextract(description, " on ([^\s]+) in datacenter"), 0)
| alter
xdm.observer.name = syslog_hostname,
xdm.event.type = "Scheduled Task Event",
xdm.event.description = syslog_msg,
xdm.event.original_event_type = event_type_name,
xdm.event.outcome_reason = description,
xdm.event.outcome = if(description contains "Fail", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
xdm.event.operation = if(
description contains "Created", XDM_CONST.OPERATION_TYPE_CREATE,
description contains "Removed", XDM_CONST.OPERATION_TYPE_DELETE,
description contains "Updated", XDM_CONST.OPERATION_TYPE_UPDATE),
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.source.virtualization.data_center.name = source_hostname,
xdm.source.user.username = source_username,
xdm.target.virtualization.vm.hostname = vm_name,
xdm.target.virtualization.task.name = target_task_name;
// Virtualization Story vcsa-audit fomrat field mapping
// Event types Command Execution and File/Datastore Event are mapped according to syscall_id extracted from parsed_fields
[RULE: vmware_vcenter_vcsa_audit_format]
alter
event_name_clean = trim(parsed_fields -> type, "["),
syscall_id = to_integer(parsed_fields -> syscall),
pid = coalesce(parsed_fields -> pid, arrayindex(regextract(_raw_log, "(?:^| )pid=([0-9]+)"), 0)),
ppid = parsed_fields -> ppid,
comm = parsed_fields -> comm,
uid = parsed_fields -> uid,
success = parsed_fields -> success,
res = parsed_fields -> res
| alter
xdm.observer.name = syslog_hostname,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
xdm.event.type = if(syscall_id in (59,322), "Command Execution",
syscall_id in (2,3,85,22,257,292,0,1,17,18,19,20,295,296,82,87,263,264,79,83,84,86,88,89,217,258,260,266,4,5,6,9,11,21,76,90,91,92,93,133), "File/Datastore Event"),
xdm.event.operation = if(event_name_clean = "SYSCALL", event_name_clean, XDM_CONST.OPERATION_TYPE_AUDIT),
xdm.event.operation_sub_type = coalesce(to_string(syscall_id), event_name_clean),
xdm.alert.name = event_name_clean,
xdm.alert.description = parsed_fields -> msg,
xdm.session_context_id = parsed_fields -> ses,
xdm.event.outcome = if(success = "yes" or res = "1", XDM_CONST.OUTCOME_SUCCESS,
success = "no" or res = "0", XDM_CONST.OUTCOME_FAILED,
XDM_CONST.OUTCOME_UNKNOWN),
xdm.event.outcome_reason = parsed_fields -> exit,
xdm.source.process.pid = to_number(ppid),
xdm.target.user.username = uid,
xdm.target.user.identifier = uid,
xdm.target.process.name = comm,
xdm.target.process.parent_id = if(event_name_clean = "SYSCALL", null, ppid),
xdm.target.process.executable.path = parsed_fields -> exe,
xdm.target.process.pid = to_number(pid),
xdm.target.process.command_line = if(event_name_clean = "SYSCALL", null, comm);
// Virtualization Story general field mapping
[RULE: vmware_vcenter_common_fields]
alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\d?"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d?\s?[^\s]+\d{2}:\d{2}:\d{2}[^\s]*\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0),
process_id = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+\S+\s+([^\s]+)"), 0),
process_name = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+([^\s]+)"), 0)
| alter
xdm.event.tags = arraycreate("VIRTUALIZATION"),
xdm.source.process.identifier = process_id,
xdm.source.process.name = process_name,
xdm.event.format = if(_raw_log ~= "^<\d+>1\s", "0",
_raw_log ~= "^<\d+>\s", "1");
// Virtualization Story classification rule
// Return: 1. is_virtualization = true or false
// 2. vCenter Log Format
[RULE: vmware_vcenter_virtualization_classification]
alter
event_type_name = arrayindex(regextract(_raw_log, "\[([\.a-zA-Z]+)\]"), 0)
| alter
is_login_event = if(event_type_name in ("vim.event.BadUsernameSessionEvent", "vim.event.UserLoginSessionEvent", "vim.event.UserLogoutSessionEvent") or _raw_log ~= "vmware.sso.Login"),
is_account_operation_event = if(event_type_name in ("vim.event.AccountCreatedEvent", "vim.event.AccountUpdatedEvent", "vim.event.PermissionAddedEvent", "vim.event.PermissionRemovedEvent", "vim.event.PermissionUpdatedEvent")),
is_file_or_datastore_event = if(event_type_name in ("vim.event.VMFSDatastoreCreatedEvent", "vim.event.DatastoreDiscoveredEvent", "vim.event.DatastoreFileDeletedEvent")),
is_vm_operations_event = if(event_type_name in ("vim.event.VmGuestRebootEvent", "vim.event.VmGuestShutdownEvent", "vim.event.VmMigratedEvent", "vim.event.VmBeingCreatedEvent", "vim.event.VmClonedEvent", "vim.event.VmCreatedEvent", "vim.event.VmDeployedEvent", "vim.event.VmPoweredOffEvent", "vim.event.VmPoweredOnEvent", "vim.event.VmReconfiguredEvent", "vim.event.VmRelocatedEvent", "vim.event.VmRemovedEvent", "vim.event.VmRenamedEvent", "vim.event.VmResettingEvent", "vim.event.VmSuspendedEvent", "vim.event.VmRegisteredEvent")),
is_vsphere_task_event = if(event_type_name in ("vim.event.TaskEvent")),
is_host_event = if(event_type_name in ("vim.event.HostConnectionLostEvent", "vim.event.HostConnectedEvent", "vim.event.HostDisconnectedEvent", "vim.event.HostAddedEvent", "vim.event.HostRemovedEvent")),
is_scheduled_task_event = if(event_type_name in ("vim.event.ScheduledTaskCreatedEvent")),
is_vcsa_audit = if(_raw_log ~= "vcsa-audit")
| alter
is_virtualization = if (is_login_event
or is_account_operation_event
or is_file_or_datastore_event
or is_vm_operations_event
or is_vsphere_task_event
or is_host_event
or is_scheduled_task_event
or is_vcsa_audit);
// Modeling Rule
[MODEL: dataset = "vmware_vcenter_raw"]
//Virtualization Story - Format: Login Session
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| call vmware_vcenter_login_format
| filter is_session and not is_sso_login
| call vmware_vcenter_common_fields
| call vmware_vcenter_login_format_session_event;
//Virtualization Story - Format: Login SSO
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| call vmware_vcenter_login_format
| filter is_sso_login and not is_session
| call vmware_vcenter_common_fields
| call vmware_vcenter_login_format_sso_login;
//Virtualization Story - Fomrat: Account Operations
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_account_operation_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_account_operations_format;
//Virtualization Story - Fomrat: File \ Datastore
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_file_or_datastore_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_file_or_datastore_format;
//Virtualization Story - Fomrat: VM Operations
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_vm_operations_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_vm_operation_format;
//Virtualization Story - Fomrat: vSphere Task events
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_vsphere_task_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_vsphere_task_format;
//Virtualization Story - Fomrat: Host Events
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_host_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_host_event_format;
//Virtualization Story - Fomrat: Scheduled Task
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_scheduled_task_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_scheduled_task_format;
//Virtualization Story - Fomrat: vcsa-audit
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_vcsa_audit
| call vmware_vcenter_common_fields
| call vmware_vcenter_vcsa_audit_format;
/// End of Virtualization Story Enhancement
// sps (Storage management service) events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "sps" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
process_identifier = arrayindex(regextract(syslog_msg, "\[([\w-]+)\]\s+\w+\s+opId="), 0),
thread_id = to_integer(arrayindex(regextract(syslog_msg, "thread\-(\d+)\]"), 0)),
msg_severity = arrayindex(regextract(syslog_msg, "\[[\w-]+\]\s+(\w+)"), 0),
operation_id = arrayindex(regextract(syslog_msg, "opId=(\S+)"), 0),
app_component = arrayindex(regextract(syslog_msg, "opId=\S*\s+(\S+)"), 0),
event_payload = arrayindex(regextract(syslog_msg, "opId=\S*\s+\S+\s+\-\s+(.+)"), 0)
| alter
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
datastore = arrayindex(regextract(event_payload, "datastore=(\S+)"), 0),
duration_ms = to_integer(coalesce(arrayindex(regextract(event_payload, "took\s+(\d+)\s+millis"), 0),
arrayindex(regextract(event_payload, "Time\s+taken:\s+(\d+)\s+ms"), 0))),
url = arrayindex(regextract(event_payload, "(https:\S+)"), 0)
| alter
port = to_integer(arrayindex(regextract(url, ":(\d+)"), 0))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.duration = duration_ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.session_context_id = operation_id,
xdm.source.application.name = app_component,
xdm.source.host.hostname = syslog_hostname,
xdm.source.process.thread_id = thread_id,
xdm.source.process.name = event_type,
xdm.source.process.identifier = process_identifier,
xdm.target.port = port,
xdm.target.url = url,
xdm.target.resource.type = if(datastore != null, "datastore"),
xdm.target.resource.value = datastore;
// vpxd-svcs-perf events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vpxd-svcs-perf" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
process_identifier = arrayindex(regextract(syslog_msg, "\w+\s+\[(\S+)"), 0),
thread_id = to_integer(arrayindex(regextract(syslog_msg, "pool\-\d+\-thread\-(\d+)"), 0)),
msg_severity = arrayindex(regextract(syslog_msg, "(\w+)\s+\S+\s+opId="), 0),
app_component = arrayindex(regextract(syslog_msg, "\w+\s+(\S+)\s+opId="), 0),
operation_id = arrayindex(regextract(syslog_msg, "opId=([^\]]+)"), 0),
operation = arrayindex(regextract(syslog_msg, "Operation (\S+) took"), 0),
event_payload = arrayindex(regextract(syslog_msg, "opId=\S*\]\s+(.+)"), 0),
duration_ms = to_integer(arrayindex(regextract(syslog_msg, "took\s+(\d+)\s+ms"), 0))
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.operation_sub_type = operation,
xdm.event.duration = duration_ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.application_protocol = if(event_payload ~= "LDAP", "LDAP"),
xdm.network.ldap.operation = if(event_payload ~= "Requesting LDAP connection", XDM_CONST.LDAP_OPERATION_BIND_REQUEST),
xdm.session_context_id = operation_id,
xdm.source.process.thread_id = thread_id,
xdm.source.process.name = event_type,
xdm.source.process.identifier = process_identifier,
xdm.source.application.name = app_component,
xdm.source.host.hostname = syslog_hostname;
// vpxd-main (VMware vCenter-Services), vsan-health-main (virtual storage area network health service) & vum-vmacore (vSphere Update Manager) events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type in( "vsan-health-main", "vpxd-main", "vum-vmacore", "StatsMonitor", "vdtc-main") and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
operation_id = arrayindex(regextract(syslog_msg, "opI[dD]=([\w-]+)"), 0),
sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0),
user = replex(coalesce(arrayindex(regextract(syslog_msg, "GetUserInfo\w+\(([^,]+)"), 0), arrayindex(regextract(syslog_msg, "user:\s*(\S+)"), 0), arrayindex(regextract(syslog_msg, ":\s*User\s+(\S+)"), 0), arrayindex(regextract(syslog_msg, "]\s+User[\s:]+([^\s,]+)"), 0)), "\\+", "\\"),
http_response_code = arrayindex(regextract(syslog_msg, "code:\s+(\d+)"), 0),
event_payload = coalesce(arrayindex(regextract(syslog_msg, "\w+=\S+\]\s+(.+)"), 0), trim(arrayindex(regextract(syslog_msg, "v\[\d+\]\s+\[.+?\]\s+(.+)"), 0), "--"), syslog_msg )
| alter
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
session_id = coalesce(arrayindex(regextract(event_payload, "session[\:\s\[\<]*([a-fA-F\d\-]{8,})"), 0), arrayindex(regextract(event_payload, "--\s+([a-fA-F\d-]{8,})"), 0))
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.session_id = session_id,
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.session_context_id = operation_id,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.process.pid = pid,
xdm.source.process.name = event_type,
xdm.source.application.name = sub_module,
xdm.source.host.hostname = syslog_hostname;
// dnsmasq events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "dnsmasq" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
event_payload = arrayindex(regextract(syslog_msg, "dnsmasq\[\d+\]:\s+(.+)"), 0)
| alter
// extract the severity from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
dns_event_fields = regextract(event_payload, "(\S+)")
| alter
dns_operation = arrayindex(dns_event_fields, 0),
dns_record_name = arrayindex(dns_event_fields, 1),
dns_direction_context = arrayindex(dns_event_fields, 2),
dns_record_value = arrayindex(dns_event_fields, 3)
| alter
dns_query_type = arrayindex(regextract(dns_operation, "query\[([^\]]+)"), 0),
dns_client_ipv4 = if(dns_direction_context = "from" and dns_record_value ~= "\d+\.", dns_record_value),
dns_client_ipv6 = if(dns_direction_context = "from" and dns_record_value ~= "[\da-fA-F]+:", dns_record_value),
dns_forwarder_ipv4 = if(dns_operation = "forwarded" and dns_record_value ~= "\d+\.", dns_record_value),
dns_forwarder_ipv6 = if(dns_operation = "forwarded" and dns_record_value ~= "[\da-fA-F]+:", dns_record_value)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.operation_sub_type = dns_operation,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.intermediate.ipv4 = dns_forwarder_ipv4,
xdm.intermediate.ipv6 = dns_forwarder_ipv6,
xdm.network.application_protocol = "DNS",
xdm.network.dns.dns_resource_record.type = if(dns_record_value ~= "CNAME", XDM_CONST.DNS_RECORD_TYPE_CNAME),
xdm.network.dns.dns_resource_record.name = dns_record_name,
xdm.network.dns.dns_resource_record.value = if(dns_direction_context = "is", dns_record_value),
xdm.network.dns.dns_question.type = if(dns_query_type="A",XDM_CONST.DNS_RECORD_TYPE_A, dns_query_type="AAAA",XDM_CONST.DNS_RECORD_TYPE_AAAA, dns_query_type="AFSDB",XDM_CONST.DNS_RECORD_TYPE_AFSDB, dns_query_type="APL",XDM_CONST.DNS_RECORD_TYPE_APL, dns_query_type="CAA",XDM_CONST.DNS_RECORD_TYPE_CAA, dns_query_type="CDNSKEY",XDM_CONST.DNS_RECORD_TYPE_CDNSKEY, dns_query_type="CDS",XDM_CONST.DNS_RECORD_TYPE_CDS, dns_query_type="CERT",XDM_CONST.DNS_RECORD_TYPE_CERT, dns_query_type="CNAME",XDM_CONST.DNS_RECORD_TYPE_CNAME, dns_query_type="CSYNC",XDM_CONST.DNS_RECORD_TYPE_CSYNC, dns_query_type="DHCID",XDM_CONST.DNS_RECORD_TYPE_DHCID, dns_query_type="DLV",XDM_CONST.DNS_RECORD_TYPE_DLV, dns_query_type="DNAME",XDM_CONST.DNS_RECORD_TYPE_DNAME, dns_query_type="DNSKEY",XDM_CONST.DNS_RECORD_TYPE_DNSKEY, dns_query_type="DS",XDM_CONST.DNS_RECORD_TYPE_DS, dns_query_type="EUI48",XDM_CONST.DNS_RECORD_TYPE_EUI48, dns_query_type="EUI64",XDM_CONST.DNS_RECORD_TYPE_EUI64, dns_query_type="HINFO",XDM_CONST.DNS_RECORD_TYPE_HINFO, dns_query_type="HIP",XDM_CONST.DNS_RECORD_TYPE_HIP, dns_query_type="HTTPS",XDM_CONST.DNS_RECORD_TYPE_HTTPS, dns_query_type="IPSECKEY",XDM_CONST.DNS_RECORD_TYPE_IPSECKEY, dns_query_type="KEY",XDM_CONST.DNS_RECORD_TYPE_KEY, dns_query_type="KX",XDM_CONST.DNS_RECORD_TYPE_KX, dns_query_type="LOC",XDM_CONST.DNS_RECORD_TYPE_LOC, dns_query_type="MX",XDM_CONST.DNS_RECORD_TYPE_MX, dns_query_type="NAPTR",XDM_CONST.DNS_RECORD_TYPE_NAPTR, dns_query_type="NS",XDM_CONST.DNS_RECORD_TYPE_NS, dns_query_type="NSEC",XDM_CONST.DNS_RECORD_TYPE_NSEC, dns_query_type="NSEC3",XDM_CONST.DNS_RECORD_TYPE_NSEC3, dns_query_type="NSEC3PARAM",XDM_CONST.DNS_RECORD_TYPE_NSEC3PARAM, dns_query_type="OPENPGPKEY",XDM_CONST.DNS_RECORD_TYPE_OPENPGPKEY, dns_query_type="PTR",XDM_CONST.DNS_RECORD_TYPE_PTR, dns_query_type="RRSIG",XDM_CONST.DNS_RECORD_TYPE_RRSIG, dns_query_type="RP",XDM_CONST.DNS_RECORD_TYPE_RP, dns_query_type="SIG",XDM_CONST.DNS_RECORD_TYPE_SIG, dns_query_type="SMIMEA",XDM_CONST.DNS_RECORD_TYPE_SMIMEA, dns_query_type="SOA",XDM_CONST.DNS_RECORD_TYPE_SOA, dns_query_type="SRV",XDM_CONST.DNS_RECORD_TYPE_SRV, dns_query_type="SSHFP",XDM_CONST.DNS_RECORD_TYPE_SSHFP, dns_query_type="SVCB",XDM_CONST.DNS_RECORD_TYPE_SVCB, dns_query_type="TA",XDM_CONST.DNS_RECORD_TYPE_TA, dns_query_type="TKEY",XDM_CONST.DNS_RECORD_TYPE_TKEY, dns_query_type="TLSA",XDM_CONST.DNS_RECORD_TYPE_TLSA, dns_query_type="TSIG",XDM_CONST.DNS_RECORD_TYPE_TSIG, dns_query_type="TXT",XDM_CONST.DNS_RECORD_TYPE_TXT, dns_query_type="URI",XDM_CONST.DNS_RECORD_TYPE_URI, dns_query_type="ZONEMD",XDM_CONST.DNS_RECORD_TYPE_ZONEMD, to_string(dns_query_type)),
xdm.source.process.pid = pid,
xdm.source.process.name = event_type,
xdm.source.ipv4 = dns_client_ipv4,
xdm.source.ipv6 = dns_client_ipv6,
xdm.source.host.hostname = syslog_hostname;
// analytics events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "analytics" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_internal_header = arrayfilter(split(arrayindex(regextract(syslog_msg, "(\d{4}\-\S+\s+\S+\s+\S+\s+\S+)"), 0)), len("@element") > 0),
event_payload = arrayindex(regextract(syslog_msg, "\d{4}\-\S+\s+\S+\s+\S+\s+\S+(.+)"), 0),
json_payload = arrayindex(regextract(syslog_msg, "\-\-\>(\{.+\})"), 0)
| alter
// internal header fields
thread_identifier = arrayindex(msg_internal_header, 1),
msg_severity = uppercase(arrayindex(msg_internal_header, 2)),
application_component_class = arrayindex(msg_internal_header, 3)
| alter
// payload fields
target_url = arrayindex(regextract(event_payload, "(https?\S+)"), 0),
collectorID = coalesce(arrayindex(regextract(event_payload, "collectorId[:=]([\w\.\-]+\w)"), 0), arrayindex(regextract(event_payload, "spec\s+for\s+([\w\.\-]+\w)"), 0)),
collectorInstanceID = arrayindex(regextract(event_payload, "[iI]nstanceId[:=]([\w\.\-]+)"), 0),
trust_store_path = arrayindex(regextract(event_payload, "trust\s+store\s+at\s+path:\s+(\S+)"), 0),
reason = coalesce(arrayindex(regextract(event_payload, "Reason\:\s*(\S{3}.+)"), 0), arrayindex(regextract(event_payload, "The\s+reason[^\:]+\:(.+);"), 0)),
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
http_response_code = json_payload -> status, // for json payloads
api_endpoint_path = json_payload -> path // for json payloads
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = coalesce(json_payload, syslog_msg),
xdm.event.outcome = if(event_payload ~= "fail", XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = reason,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.http.url = coalesce(target_url, api_endpoint_path),
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.observer.name = collectorID,
xdm.observer.unique_identifier = collectorInstanceID,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.application.name = application_component_class,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.type = if(trust_store_path != null, "Trust Store Path"),
xdm.target.resource.value = trust_store_path;
// eam-access (VMware ESX Agent Manager Access) events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "eam-access" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter tomcat_access_log_fields = arrayindex(regextract(syslog_msg, "(\".+)"), 0)
| alter
client_remote_machine = arrayindex(regextract(syslog_msg, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0),
server_local_address = arrayindex(regextract(syslog_msg, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 1),
thread_identifier = arrayindex(regextract(syslog_msg, "\[(\S+)\]"), 0),
http_method = arrayindex(regextract(tomcat_access_log_fields, "\"(\w+)"), 0),
uri = arrayindex(regextract(tomcat_access_log_fields, "\"\w+\s+(\S+)"), 0),
http_response_code = arrayindex(regextract(tomcat_access_log_fields, "\"\s+(\d+)"), 0),
bytes_sent = to_number(arrayindex(regextract(tomcat_access_log_fields, "\d+\s+(\d+)"), 0)),
process_time_ms = to_integer(arrayindex(regextract(_raw_log, "time\s+(\d+)\s+msec"), 0)),
user_agent = arrayindex(regextract(tomcat_access_log_fields, "\]\s+\"([^\"]+)"), 0),
// extract the severity from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.duration = process_time_ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.http.url = uri,
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.source.ipv4 = client_remote_machine,
xdm.source.user_agent = user_agent,
xdm.source.sent_bytes = bytes_sent,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.value = uri,
xdm.target.ipv4 = server_local_address;
// envoy-access events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "envoy-access" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0),
event_payload = coalesce(arrayindex(regextract(syslog_msg, "\w+=\S+\]\s+(.+)"), 0), trim(arrayindex(regextract(syslog_msg, "v\[\d+\]\s+\[.+?\]\s+(.+)"), 0), "--"), syslog_msg )
| alter envoy_proxy_access_log_fields = regextract(event_payload, "\S+")
| alter
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
http_method = ltrim(arrayindex(envoy_proxy_access_log_fields, 1), "\""),
uri = arrayindex(envoy_proxy_access_log_fields, 2),
http_protocol = rtrim(arrayindex(envoy_proxy_access_log_fields, 3), "\""),
http_response_code = arrayindex(envoy_proxy_access_log_fields, 4),
bytes_received = to_number(arrayindex(envoy_proxy_access_log_fields, 7)),
bytes_sent = to_number(arrayindex(envoy_proxy_access_log_fields, 8)),
client_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 12), "(\d+[^\:]+)"), 0),
client_port = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 12), ":(\d{1,5})"), 0),
server_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 13), "(\d+[^\:]+)"), 0),
server_port = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 13), ":(\d{1,5})"), 0),
client2_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 14), "(\d+[^\:]+)"), 0),
proxy_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 15), "(\d+[^\:]+)"), 0),
proxy_port = to_integer(arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 15), ":(\d{1,5})"), 0))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.intermediate.ipv4 = proxy_ip,
xdm.intermediate.host.ipv4_addresses = arraycreate(proxy_ip),
xdm.intermediate.port = proxy_port,
xdm.network.application_protocol = http_protocol,
xdm.network.http.url = uri,
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.source.application.name = sub_module,
xdm.source.ipv4 = client_ip,
xdm.source.port = to_integer(client_port),
xdm.source.host.ipv4_addresses = arraycreate(client_ip, client2_ip),
xdm.source.sent_bytes = bytes_sent,
xdm.source.process.pid = pid,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.sent_bytes = bytes_received,
xdm.target.resource.value = uri,
xdm.target.port = to_integer(server_port),
xdm.target.ipv4 = server_ip,
xdm.target.host.ipv4_addresses = arraycreate(server_ip);
// trustmanagement-gc
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "trustmanagement-gc" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// trustmanagement-svcs
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "trustmanagement-svcs" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
thread_identifier = arrayindex(regextract(syslog_msg, "\w+\s+\[([\w-]+)\s+"), 0),
msg_severity = arrayindex(regextract(syslog_msg, "(\w+)\s+\S+\s+opId="), 0),
app_class_component = arrayindex(regextract(syslog_msg, "\w+\s+(\S+)\s+opId="), 0),
operation_id = arrayindex(regextract(syslog_msg, "opId=([^\]]+)"), 0),
event_payload = arrayindex(regextract(syslog_msg, "opId=\S*\]\s+(.+)"), 0)
| alter
user = replex(coalesce(arrayindex(regextract(event_payload, "User (\S+)"), 0), arrayindex(regextract(event_payload, "\[value=([^,]+)"), 0)), "\\+", "\\"),
group = regextract(event_payload, "group (\S+)"),
ms = to_integer(coalesce( arrayindex(regextract(event_payload, "(?:ms|Ms|MS)(?:\W+|\s+)(\d+)"), 0), arrayindex(regextract(event_payload, "(\d+)\s+ms"), 0))),
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.duration = ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.session_context_id = operation_id,
xdm.source.application.name = app_class_component,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.user.groups = group,
xdm.source.host.hostname = syslog_hostname;
// eam-api
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "eam-api" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = arrayindex(regextract(syslog_msg, "\|\s*(\w+)"), 0),
module = arrayindex(regextract(syslog_msg, "\|\s*(\w+)"), 1),
app_component = arrayindex(regextract(syslog_msg, "\|\s*(\S+)"), 2),
pid = to_integer(arrayindex(regextract(syslog_msg, "\|\s*(\d+)\s*\|"), 0)),
event_payload = arrayindex(regextract(syslog_msg, "\|\s*([^\|]+)"), 4)
| alter
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
operation_id = arrayindex(regextract(event_payload, "opId=([\w\-]+)"), 0),
session_id = arrayindex(regextract(event_payload, "sessionId=([\w\-]+)"), 0)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.session_id = session_id,
xdm.session_context_id = operation_id,
xdm.source.application.name = coalesce(app_component, module),
xdm.source.process.pid = pid,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// wcpsvc
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "wcpsvc" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "\S+\s+(\w+)"), 0)),
module = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+(\w+)"), 0),
module_id = arrayindex(regextract(syslog_msg, "\w+\s+\[([^\]]+)\]"), 0),
operation_id = arrayindex(regextract(syslog_msg, "opId=([\w\-]+)"), 0),
target_hosts = regextract(syslog_msg, "Hostname:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
target_port = to_integer(arrayindex(regextract(syslog_msg, "Port:(\d+)"), 0))
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.session_context_id = operation_id,
xdm.source.application.name = coalesce(module, module_id),
xdm.source.process.identifier = module_id,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.port = target_port,
xdm.target.host.ipv4_addresses = target_hosts;
// ui-threadmonitor
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "ui-threadmonitor" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "\S+\s+\[\s*(\w+)"), 0)),
module = arrayindex(regextract(syslog_msg, "\]\s+([\w\-]+)"), 0),
application_component = arrayindex(regextract(syslog_msg, "\]\s+[\w\-]+\s+(\S+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.application.name = coalesce(application_component, module),
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// ssoadminserver
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "ssoadminserver" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
process_identifier = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+\w+\[([^\]]+)"), 0),
thread_id = to_integer(arrayindex(regextract(syslog_msg, "thread\-(\d+)\]"), 0)),
msg_severity = arrayindex(regextract(syslog_msg, "\S+\s+(\w+)"), 0),
operation_id = arrayindex(regextract(syslog_msg, "opId=([a-fA-F\-\d]+)"), 0),
app_component = arrayindex(regextract(syslog_msg, "opId=\S*\s+\[(\S+)\]"), 0),
user = replex(coalesce(arrayindex(regextract(syslog_msg, "User\s*\{Name:\s*([^,]+)"), 0),
arrayindex(regextract(syslog_msg, "SubjectNameId\s*\[value=([^\,]+)"), 0),
arrayindex(regextract(syslog_msg, "User\s+(\S+)\s+is"), 0)), "\\+", "\\"),
user_domain = coalesce(arrayindex(regextract(syslog_msg, "Domain:\s*([\w\.]+)"), 0),
arrayindex(regextract(syslog_msg, "SubjectNameId\s*\[value=[^\@]+\@([^\,]+)"), 0)),
user_role = regextract(syslog_msg, "role\s+\'([^\']+)")
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain_from_user = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.thread_id = thread_id,
xdm.source.application.name = coalesce(app_component),
xdm.session_context_id = operation_id,
xdm.source.process.identifier = process_identifier,
xdm.source.process.name = event_type,
xdm.source.user.username = user_name,
xdm.source.user.domain = if(user_domain != null, user_domain, user_domain_from_user),
xdm.source.user.groups = user_role,
xdm.source.host.hostname = syslog_hostname;
// ui-main
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "ui-main" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = arrayindex(regextract(syslog_msg, "\S+\s+\[\s*(\w+)\s*\]"), 0),
module_identifier = arrayindex(regextract(syslog_msg, "\S+\s+\[\s*\w+\s*\]\s+(\S+)"), 0),
event_payload = arrayindex(regextract(syslog_msg, "\S+\s+\[\s*\w+\s*\]\s+\S+\s+(.+)"), 0)
| alter
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
session_id = coalesce(arrayindex(regextract(event_payload, "\S+\s+(\d+)\s+\S+\s+\S+"), 0),
arrayindex(regextract(event_payload, "session\s+(\d+)"), 0),
arrayindex(regextract(event_payload, "session\s+id:\s*(\d+)"), 0),
arrayindex(regextract(event_payload, "sessionId\s*(\d+)"), 0)),
ms = to_integer(arrayindex(regextract(event_payload, "(\d+)\s+ms"), 0)),
application_component = coalesce(arrayindex(regextract(event_payload, "\S+\s+\S+\s+\S+\s+(\w+\.\w+\S+)"), 0),
arrayindex(regextract(event_payload, "(\w+\.\w+\S+)"), 0))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.duration = ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.session_id = session_id,
xdm.source.application.name = application_component,
xdm.source.process.identifier = module_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// procstate
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "procstate" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter // since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// content-library
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "content-library" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
internal_header_fields = regextract(syslog_msg, "\|\s*(\S+)"),
event_payload = arrayindex(regextract(syslog_msg, "\|\s*([^\|]+)"), 4)
| alter
msg_severity = arrayindex(internal_header_fields, 0),
operation_id = arrayindex(internal_header_fields, 1),
thread_identifier = arrayindex(internal_header_fields, 2),
module = arrayindex(internal_header_fields, 3)
| alter
http_method = arrayindex(regextract(event_payload, "method:\s*(\S+)"), 0),
url = arrayindex(regextract(event_payload, "url:\s*(\S+)"), 0),
target_service = arrayindex(regextract(event_payload, "service\s+\'([^\']+)"), 0),
operation = arrayindex(regextract(event_payload, "operation\s+\'([^\']+)"), 0),
wsdl_name = arrayindex(regextract(event_payload, "wsdlName=(\S+)"), 0),
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.operation_sub_type = operation,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.url = url,
xdm.source.application.name = module,
xdm.session_context_id = operation_id,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.value = coalesce(target_service, wsdl_name),
xdm.target.resource.type = if(target_service != null, "Service Name", wsdl_name != null, "WSDL Name");
// vpxd-svcs-access
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vpxd-svcs-access" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
event_payload = arrayindex(regextract(syslog_msg, "\S+\s+(.+)"), 0),
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
thread_identifier = arrayindex(regextract(event_payload, "\S+\s+\S+\s+(\S+)"), 0),
http_response_code = arrayindex(regextract(event_payload, "\S+\s+\S+\s+\S+\s+(\d+)"), 0),
user_agent = arrayindex(regextract(event_payload, "\d{3}\s+\"([^\"]+)"), 0),
http_method = arrayindex(regextract(event_payload, "\"\s+(\w+)"), 0),
uri = arrayindex(regextract(event_payload, "\"\s+\w+\s+(\S+)"), 0),
http_version = arrayindex(regextract(event_payload, "\/\S+\s+(HTTP\S+)"), 0)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.network.http.url = uri,
xdm.network.application_protocol = http_version,
xdm.source.user_agent = user_agent,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.value = uri;
// sso-tomcat & lookupsvc-localhost_access events
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type in ("sso-tomcat", "lookupsvc-localhost_access") and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
event_payload = arrayindex(regextract(syslog_msg, "\[[^\]]+\]\s+(.+)"), 0),
http_request_line = regextract(arrayindex(regextract(syslog_msg, "HTTP\S+\s+\w+\s+\/\S+"), 0), "(\S+)")
| alter
thread_identifier = arrayindex(regextract(event_payload, "(\S+)"), 0),
user_agent = arrayindex(regextract(event_payload, "Request\]\s+\"([^\"]+)"), 0),
client_ip = coalesce(arrayindex(regextract(event_payload, "Request\]\s+(\S+):\d{1,5}"), 0),
arrayindex(regextract(event_payload, "Request\]\s+\"[^\"]+\"\s+[^\/]+\/(\S+):\d{1,5}"), 0)),
client_port = coalesce(arrayindex(regextract(event_payload, "Request\]\s+\S+:(\d{1,5})"), 0),
arrayindex(regextract(event_payload, "Request\]\s+\"[^\"]+\"\s+[^\/]+\/\S+:(\d{1,5})"), 0)),
server_ip = arrayindex(regextract(event_payload, "\"\s+(\d+[^\/]+)[^\:]+\:\d{1,5}"), 0),
server_port = to_integer(arrayindex(regextract(event_payload, "to\s+local\s+(\d{1,5})"), 0)),
http_version = arrayindex(http_request_line, 0),
http_method = arrayindex(http_request_line, 1),
uri = arrayindex(http_request_line, 2),
bytes = to_number(arrayindex(regextract(event_payload, "(\d+)\s+bytes"), 0)),
http_response_code = arrayindex(regextract(event_payload, "Response\]\s+(\d+)"), 0),
process_duration_ms = to_integer(arrayindex(regextract(event_payload, "(\d+)ms"), 0))
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.duration = process_duration_ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.network.http.url = uri,
xdm.network.application_protocol = http_version,
xdm.source.ipv4 = client_ip,
xdm.source.port = to_integer(client_port),
xdm.source.user_agent = user_agent,
xdm.source.sent_bytes = bytes,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.value = uri,
xdm.target.ipv4 = server_ip,
xdm.target.port = server_port;
// vmon
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vmon" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
event_payload = arrayindex(regextract(syslog_msg, "\S+\s+(.+)"), 0),
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
host_id = arrayindex(regextract(event_payload, "(host-\w+)"), 0),
service = arrayindex(regextract(event_payload, "ֿ\s+\<([\w\-]+)"), 0),
user = replex(arrayindex(regextract(event_payload, "as user (\S+)"), 0), "\\+", "\\"),
command = coalesce(arrayindex(regextract(syslog_msg, "Constructed command:\s*(.+)"), 0),
arrayindex(regextract(syslog_msg, "Running\s+the\s+(.+)\s+command"), 0)),
state = arrayindex(regextract(event_payload, "State (\w+)"), 0),
op = arrayindex(regextract(event_payload, "service\s+batch\s+op\s+(\w+)"), 0)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.operation_sub_type = op,
xdm.event.outcome = state,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.host.device_id = host_id,
xdm.source.process.command_line = command,
xdm.source.application.name = service,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// rhttpproxy-main
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "rhttpproxy-main" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.pid = pid,
xdm.source.application.name = sub_module,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// sudo
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "sudo" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
user = replex(coalesce(arrayindex(regextract(syslog_msg, "USER=([^\s\(]+)"), 0),
arrayindex(regextract(syslog_msg, "for\s+user\s+([^\s\(]+)"), 0)), "\\+", "\\"),
uid = arrayindex(regextract(syslog_msg, "uid=(\d+)"), 0),
command = arrayindex(regextract(syslog_msg, "COMMAND=(\S+)"), 0),
working_directory = arrayindex(regextract(syslog_msg, "PWD=(\S+)"), 0),
process = rtrim(arrayindex(regextract(syslog_msg, "(\S+)"), 0), ":"),
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.user.identifier = uid,
xdm.source.process.command_line = command,
xdm.source.process.executable.directory = working_directory,
xdm.source.process.name = coalesce(process, event_type),
xdm.source.host.hostname = syslog_hostname;
// sca-vmon.std
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "sca-vmon.std" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = arrayindex(regextract(syslog_msg, "(\w+):\s+"), 0),
module = arrayindex(regextract(syslog_msg, "\w+:\s+(\w+):"), 0),
event_payload = coalesce(arrayindex(regextract(syslog_msg, "\w+:\s+\w+:\s+(.+)"), 0),
arrayindex(regextract(syslog_msg, "\w{3}\s+\d{1,2},\s+\d{4}\s+\S+\s+[AP]M\s+(.+)"), 0),
syslog_msg)
| alter
user = replex(arrayindex(regextract(event_payload, "\'([^\']+)\'\s+on\ssession"), 0), "\\+", "\\"),
session_id = arrayindex(regextract(event_payload, "on\ssession\s+([a-fA-F\d\-]+)"), 0),
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.outcome = if(event_payload contains "Successfully", XDM_CONST.OUTCOME_SUCCESS),
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.session_id = session_id,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.application.name = module,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// applmgmt
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "applmgmt" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
pid = to_integer(arrayindex(regextract(syslog_msg, "\[(\d+)\]"), 0)),
msg_severity = arrayindex(regextract(syslog_msg, "\[\d+\]\s*(\w+)\:"), 0),
event_payload = arrayindex(regextract(syslog_msg, "\[\d+\]\s*\w+\:(.+)"), 0)
| alter
user = replex(arrayindex(regextract(event_payload, "User=([^,]+)"), 0), "\\+", "\\"),
groups = arrayfilter(regextract(arrayindex(regextract(event_payload, "groups=\{([^\}]+\})"), 0), "\'([^\']+)"), len("@element") > 2),
file = arrayindex(regextract(event_payload, "file\s+(\/\S+)"), 0),
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.user.groups = groups,
xdm.source.process.name = event_type,
xdm.source.process.pid = pid,
xdm.source.host.hostname = syslog_hostname,
xdm.target.file.filename = file;
// vstats
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vstats" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
event_payload = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+\S+\s+(.+)"), 0),
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
resource_name = arrayindex(regextract(event_payload, "\{\"([^\"]+)"), 0),
resource_value = arrayindex(regextract(event_payload, "\{\"[^\"]+\"\:\s*\"([^\"]+)"), 0)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.name = resource_name,
xdm.target.resource.value = resource_value;
// vmafdd
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vmafdd" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
process_name = arrayindex(regextract(syslog_msg, "\[([^\]]+)"), 0),
msg_severity = arrayindex(regextract(syslog_msg, "\]\[(\w+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = coalesce(process_name, event_type),
xdm.source.host.hostname = syslog_hostname;
// certificatemanagement-svcs
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "certificatemanagement-svcs" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
process_identifier = arrayindex(regextract(syslog_msg, "\w+\s+\[(\S+)"), 0),
thread_id = to_integer(arrayindex(regextract(syslog_msg, "pool\-\d+\-thread\-(\d+)"), 0)),
msg_severity = arrayindex(regextract(syslog_msg, "(\w+)\s+\S+\s+opId="), 0),
app_component = arrayindex(regextract(syslog_msg, "\w+\s+(\S+)\s+opId="), 0),
operation_id = arrayindex(regextract(syslog_msg, "opId=([^\]]+)"), 0),
operation = arrayindex(regextract(syslog_msg, "Operation (\S+) took"), 0),
ms = to_integer(arrayindex(regextract(syslog_msg, "took\s+(\d+)\s+ms"), 0))
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.operation_sub_type = operation,
xdm.event.duration = ms,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.session_context_id = operation_id,
xdm.source.application.name = app_component,
xdm.source.process.thread_id = thread_id,
xdm.source.process.identifier = process_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// cis-license
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "cis-license" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
thread_id = to_integer(arrayindex(regextract(syslog_msg, "\S+\s+(\S+)"), 0)),
msg_severity = coalesce(arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+(\w+)\s+"), 0),
arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+\S+\s+(\w+)\s+"), 0)),
app_component = coalesce(arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+\w+\s+(\w+\.\S+)"), 0),
arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+\S+\s+\w+\s+(\w+\.\S+)"), 0)),
operation_id = arrayindex(regextract(syslog_msg, "operationID=(\S+)"), 0),
user = replex(arrayindex(regextract(syslog_msg, "User\s+\'([^\']+)"), 0), "\\+", "\\")
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.session_context_id = operation_id,
xdm.source.application.name = app_component,
xdm.source.process.thread_id = thread_id,
xdm.source.process.name = event_type,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.host.hostname = syslog_hostname;
// vdtc-main
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vdtc-main" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.application.name = sub_module,
xdm.source.process.pid = pid,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname;
// applmgmt-audit
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "applmgmt-audit" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = arrayindex(regextract(syslog_msg, "\S+\s+(\w+)"), 0),
event_payload = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+(.+)"), 0)
| alter
user = replex(coalesce(arrayindex(regextract(event_payload, "User=([^,]+)"), 0),
rtrim(arrayindex(regextract(event_payload, "user\s*:\s*(\S+)"), 0), ".")), "\\+", "\\"),
auth_method = arrayindex(regextract(event_payload, "method=(\w+)"), 0),
status = arrayindex(regextract(event_payload, "Status\s*:\s*(\w+)"), 0),
is_authorized = arrayindex(regextract(event_payload, "authorized=(\w+)"), 0),
privileges = regextract(event_payload, "priv=(\w+)"),
service_id = arrayindex(regextract(event_payload, "service_id:\s*([\w\.]+)"), 0),
operation_id = arrayindex(regextract(event_payload, "operation_id:\s*([\w\.]+)"), 0),
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.auth.auth_method = auth_method,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.outcome = if(status = "Success" or is_authorized = "True", XDM_CONST.OUTCOME_SUCCESS, is_authorized = "False", XDM_CONST.OUTCOME_FAILED, status),
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.session_context_id = operation_id,
xdm.source.process.name = event_type,
xdm.intermediate.process.identifier = service_id,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.user.groups = privileges,
xdm.source.host.hostname = syslog_hostname;
// vapi-endpoint-access
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vapi-endpoint-access" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
thread_identifier = arrayindex(regextract(syslog_msg, "\|\s*(\S+)"), 0),
event_payload = arrayindex(regextract(syslog_msg, "\|\s*[^\|]+\s+\|\s*(.+)"), 0),
http_request_line = regextract(arrayindex(regextract(syslog_msg, "\"(\w+\s+\/\S+\s+HTTP\S[^\"]+)"), 0), "(\S+)")
| alter
http_method = arrayindex(http_request_line, 0),
uri = arrayindex(http_request_line, 1),
http_version = arrayindex(http_request_line, 2),
http_response_code = arrayindex(regextract(event_payload, "\"\s+(\d+)\s+\d+"), 0),
bytes = to_integer(arrayindex(regextract(event_payload, "\"\s+\d+\s+(\d+)"), 0)),
user_agent = arrayindex(regextract(event_payload, "\"\s+\"([^\"]+)\"\s+\d+"), 0),
session_id = arrayindex(regextract(event_payload, "id\s+([a-fA-F\d\-]+)"), 0),
service = arrayindex(regextract(event_payload, "service\s+([\w\.]+)"), 0)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.network.session_id = session_id,
xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
xdm.network.http.url = uri,
xdm.network.application_protocol = http_version,
xdm.source.user_agent = user_agent,
xdm.source.sent_bytes = bytes,
xdm.source.process.identifier = thread_identifier,
xdm.source.process.name = event_type,
xdm.source.host.hostname = syslog_hostname,
xdm.target.resource.value = uri,
xdm.target.application.name = service;
// crond
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "crond" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
// since the log does not include an explicit severity, extract it from the syslog header priority field
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
user = replex(arrayindex(regextract(syslog_msg, "\(([^\)]+)"), 0), "\\+", "\\"),
command = arrayindex(regextract(syslog_msg, "CMD\s+\(\s*([^\)]+)"), 0)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = event_type,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.process.command_line = command,
xdm.source.host.hostname = syslog_hostname;
//vpxd
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vpxd" and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(?:\[[^\]]+\]\s){4}\[([^\]]+)\]"), 0)),
user = replex(coalesce(
arrayindex(regextract(syslog_msg, "(?:\[[^\]]+\]\s){5}\[([^\]]+)\]"), 0),
arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[.*?login has failed for\s*\'\$?\{*([^@]+)"), 0)
), "\\+", "\\"),
ip = trim(coalesce(arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[.*?\sfrom\s(\S+)\s"), 0),
arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[[^\]]*@([^@\s\]\']+)"), 0)), ":")
| alter
// map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
source_ip4 = if(ip ~= "(?:\d{1,3}\.){3}\d{1,3}", ip, null),
source_ip6 = if(ip ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", ip, null),
outcome = arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[([^\]]*)"), 0)
// User field manipulations
| alter
user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
xdm.alert.severity = severity,
xdm.event.type = event_type,
xdm.event.outcome = if(lowercase(outcome) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(outcome) contains "cannot", XDM_CONST.OUTCOME_FAILED, lowercase(outcome) contains "success", XDM_CONST.OUTCOME_SUCCESS, null),
xdm.event.outcome_reason = outcome,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = event_type,
xdm.source.user.username = user_name,
xdm.source.user.domain = user_domain,
xdm.source.host.hostname = syslog_hostname,
xdm.source.ipv4 = source_ip4,
xdm.source.ipv6 = source_ip6,
xdm.source.user_agent = arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[.*?\suser agent:\s([^\)]+)"), 0);
// general fallback mapping for all other event types which are currently not mapped explicitly
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type NOT IN ("analytics", "applmgmt", "applmgmt-audit", "certificatemanagement-svcs", "cis-license", "content-library", "crond", "dnsmasq", "eam-access", "eam-api", "envoy-access", "lookupsvc-localhost_access", "procstate", "rhttpproxy-main", "sca-vmon.std", "sps", "sso-tomcat", "ssoadminserver", "StatsMonitor", "sudo", "trustmanagement-gc", "trustmanagement-svcs", "ui-main", "ui-threadmonitor", "vapi-endpoint-access", "vdtc-main", "vmafdd", "vmon", "vpxd-main", "vpxd-svcs-access", "vpxd-svcs-perf", "vsan-health-main", "vstats", "vum-vmacore", "vum-vmacore", "wcpsvc", "vpxd") and not is_virtualization
| alter
syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
operation_id = arrayindex(regextract(syslog_msg, "opI[dD]=([\w\-]+)"), 0),
severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
username = replex(coalesce(arrayindex(regextract(syslog_msg, "USER=([^\S\(]+)"), 0),
arrayindex(regextract(syslog_msg, "for\s+user\s+\[?([^\s\]]+)"), 0),
arrayindex(regextract(_raw_log, "User\s\'*([^\@]+)\@"),0),
arrayindex(regextract(syslog_msg, "for\suser[\s:]+\{Name:\s*([^,]+)"), 0),
arrayindex(regextract(_raw_log, "Username=\'([^\']+)\'"),0)), "\\+", "\\"),
user_domain = arrayindex(regextract(syslog_msg, "for\suser[\s:]+\{Name:\s*[^,]+,\sDomain:\s*([^\}]+)"), 0)
// User field manipulations
| alter
user_name = if(username contains """\\""", arrayindex(regextract(arrayindex(split(username, """\\"""), -1), "([^@]+)@?"), 0), username contains "@", arrayindex(split(username, "@"), 0), username),
user_domain_from_username = if(username contains """\\""", arrayindex(split(username, """\\"""), 0), username contains "@", arrayindex(split(username, "@"), -1), null)
| alter
xdm.event.type = event_type,
xdm.event.description = syslog_msg,
xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
xdm.source.process.name = event_type,
xdm.source.user.username = user_name,
xdm.source.user.domain = if(user_domain != null, user_domain, user_domain_from_username),
xdm.session_context_id = operation_id,
xdm.source.host.hostname = syslog_hostname;