VMware Vcenter 2.9 Modeling Rule

Modeling Rule

VMware vCenter

Details

IDVMware_Vcenter_2_9_ModelingRule
From Version8.13.0
TagsVMware vCenter

Rules (XIF)

// Virtualization Story Login format classification rule
// Event type = 3
// Returns the login format: SSO or Session
[RULE: vmware_vcenter_login_format]
alter
	xdm.event.type = "Login"
| alter 
	is_sso_login = if(_raw_log ~= "vmware.sso.Login"),
	is_session = if(event_type_name in ("vim.event.BadUsernameSessionEvent", "vim.event.UserLoginSessionEvent"));

// Virtualization Story Login Session fomrat field mapping
// Event type = 3
[RULE: vmware_vcenter_login_format_session_event]
alter
    description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
    username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
    target_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6),
    event_id = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 0),
    event_type_name = arrayindex(regextract(syslog_msg, "\[([\.a-zA-Z]+)\]"), 0)
| alter
	target_ip = arrayindex(regextract(description, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
	user_agent = arrayindex(regextract(description, "logged in as (.*)"), 0)
| alter 
    xdm.observer.name = syslog_hostname,
	xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
	xdm.event.description = syslog_msg,
	xdm.event.original_event_type = event_type_name,
	xdm.event.outcome_reason = description,
	xdm.event.outcome = if(description ~= "response code 200", XDM_CONST.OUTCOME_SUCCESS, 
						   description ~= "Cannot login", XDM_CONST.OUTCOME_FAILED),
	xdm.source.user.username = username,
	xdm.source.ipv4 = if(is_ipv4(target_ip), target_ip),
	xdm.source.host.ipv4_public_addresses = if(
        target_ip = null, null,
        incidr(target_ip, "10.0.0.0/8"), null,
        incidr(target_ip, "192.168.0.0/16"), null,
        incidr(target_ip, "172.16.0.0/12"), null, arraycreate(target_ip)),
	xdm.source.user_agent = user_agent,
    xdm.target.virtualization.vm.hostname = target_hostname;

// Virtualization Story Login SSO fomrat field mapping
// Event type = 3
[RULE: vmware_vcenter_login_format_sso_login]
alter
    event_type_name = arrayindex(regextract(syslog_msg, "type\":\"([^\"]+)"), 0),
    description = arrayindex(regextract(syslog_msg, "description\":\"([^\"]+)"), 0),
    username = arrayindex(regextract(syslog_msg, "user\":\"([^\"]+)"), 0),
    target_ip = arrayindex(regextract(syslog_msg, "client\":\"([^\"]+)"), 0),
    response_code = arrayindex(regextract(syslog_msg, "response code (\d{1,3})"), 0),
    auth_method = arrayindex(regextract(_raw_log, "^\S+\s+\S+\s+\S+\s+([^\s]+)"), 0)
| alter
	xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
	xdm.observer.name = syslog_hostname,
	xdm.event.description = syslog_msg,
	xdm.event.original_event_type = event_type_name,
	xdm.event.outcome_reason = description,
	xdm.event.outcome = if(event_type_name ~= "Success", XDM_CONST.OUTCOME_SUCCESS,
						   event_type_name ~= "Fail", XDM_CONST.OUTCOME_FAILED), 
	xdm.target.user.username = if (username ~= "@", arrayindex(regextract(username, "([^\@]+)"), 0), username),
	xdm.target.ipv4 = if(is_ipv4(target_ip), target_ip),
	xdm.target.user.upn = if(username ~= "@", username),
	xdm.target.user.domain = if(username ~= "@", arrayindex(regextract(username, "@([^\s]+)"), 0)),
	xdm.auth.auth_method = auth_method,
	xdm.network.http.response_code = if(response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, response_code);

// Virtualization Story Account Operations fomrat field mapping
// Event type = 7
[RULE: vmware_vcenter_account_operations_format]
alter
    process_id = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+\S+\s+([^\s]+)"), 0),
    process_name = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+([^\s]+)"), 0),
    source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6),
    description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
    source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5)
| alter
    vm_name = if(description ~= "^Permission rule\s+\S+\s+\S+\s+\S+\s+\S+\s+", arrayindex(regextract(description, "^Permission rule\s+\S+\s+\S+\s+\S+\s+\S+\s+([^\s]+)"), 0), // Extract vm_name from raw start with permission rule
                 description ~= "^Permission\s+\S+\s+\S+\s+\S+\s+\S+\s+", arrayindex(regextract(description, "^Permission\s+\S+\s+\S+\s+\S+\s+\S+\s+([^\s|,|.]+)"), 0)), // Extract vm_name from raw start with permission created or changed
    target_hostname = if(description ~= "on host", arrayindex(regextract(description, "\s+on host\s+([^\s+|\]]+)"), 0), // Extract target host from raw related to account activity
                         description ~= "on" and description ~= "^Permission", arrayindex(regextract(description, "\s+on\s+([^\s+|,]+)"), 0)), // Extract target host from raw related to permission activity
    target_username = if(description ~= "^Account", arrayindex(regextract(description, "^Account ([^\s]+)"), 0), // Extract user from raw related to account activity
                         description ~= "^Permission", arrayindex(regextract(description, "for ([^\s]+)"), 0)) // Extract user from raw related to permission activity
| alter
	xdm.observer.name = syslog_hostname, 
	xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
	xdm.event.description = syslog_msg,
    xdm.event.type = "Account Operations",
    xdm.event.original_event_type = event_type_name,
    xdm.event.outcome_reason = description,
	xdm.event.outcome = if(description !~= "Fail", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.operation = if(event_type_name in ("vim.event.AccountCreatedEvent", "vim.event.PermissionAddedEvent"), XDM_CONST.OPERATION_TYPE_CREATE,
                             event_type_name ~= "Removed", XDM_CONST.OPERATION_TYPE_DELETE,
                             event_type_name ~= "Updated", XDM_CONST.OPERATION_TYPE_UPDATE),
    xdm.source.virtualization.vm.hostname = vm_name,
	xdm.source.virtualization.data_center.name = source_hostname,
	xdm.source.user.username = source_username,
    xdm.target.process.identifier = process_id,
	xdm.target.process.name = process_name,
    xdm.target.host.hostname = target_hostname,
    xdm.target.user.username = target_username;

// Virtualization Story File/Datastore Event fomrat field mapping
// Event type = 8
[RULE: vmware_vcenter_file_or_datastore_format]
alter
    description = if(syslog_msg ~= "Deletion of file or directory", arrayindex(regextract(syslog_msg, "\[((?:[^\[\]]|\[[^\[\]]*\])*)\]"), 8),
                     arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8)),
    source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5)
| alter
    source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6),
    target_hypervisor_hostname = arrayindex(regextract(description, "on ([^\s]+) in"), 0),
    target_hostname = arrayindex(regextract(description, "from ([^\s]+) was initiated"), 0),
    datastore_name = coalesce(arrayindex(regextract(description, "Created VMFS datastore ([^\s]+)"), 0),
        					  arrayindex(regextract(description, "Discovered datastore ([^\s]+) on"), 0),
     					      arrayindex(regextract(description, "\[([^\]]+)\]"), 0)), // Extract datastore name from brackets [%datastore%]
    datastore_uuid = arrayindex(regextract(description, "\((ds:\/\/[^\)]+)\)"), 0),
    file_path = arrayindex(regextract(description, "\]\s+(.*?)\s+from"), 0),
    initiator_str = arrayindex(regextract(description, "initiated from '([^\']+)"), 0),
    outcome_str = arrayindex(regextract(description, "completed with status ([^\s]+)"), 0),
    action = arrayindex(regextract(description, "with status '([^\']+)"), 0)
| alter
    xdm.observer.name = syslog_hostname,
    xdm.event.type = "File/Datastore Event",
    xdm.event.description = syslog_msg,
    xdm.event.original_event_type = event_type_name,
    xdm.event.outcome_reason = description,
    xdm.event.operation_sub_type = action,
    xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
    xdm.event.outcome = if(description contains "Fail" or outcome_str = "failure", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.operation = if(
        description contains "Created", XDM_CONST.OPERATION_TYPE_CREATE,
        description contains "Discovered", XDM_CONST.OPERATION_TYPE_READ,
        description contains "Deletion", XDM_CONST.OPERATION_TYPE_DELETE),
    xdm.source.virtualization.data_center.name = source_hostname,
    xdm.source.user.username = source_username,
    xdm.source.user_agent = arrayindex(split(initiator_str, "@"), 0),
    xdm.source.ipv4 = if(is_ipv4(arrayindex(split(initiator_str, "@"), 1)), arrayindex(split(initiator_str, "@"), 1), null),
    xdm.target.virtualization.data_center.name = target_hostname,
    xdm.target.virtualization.data_store.name = datastore_name,
    xdm.target.virtualization.data_store.uuid = datastore_uuid,
    xdm.target.host.hostname = target_hypervisor_hostname,
    xdm.target.file.path = file_path,
    xdm.target.file.filename = arrayindex(split(file_path , "/"), 1);

// Virtualization Story VM Operations fomrat field mapping
// Event type = 9
[RULE: vmware_vcenter_vm_operation_format]
alter
    description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
    source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
    source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
    vm_name = if(description ~= "^Creating", arrayindex(regextract(description, "^Creating ([^\s]+)"), 0), // Extract vm name from raw related to Creating activity
                 description ~= "^Guest OS", arrayindex(regextract(description, "^Guest OS (?:reboot|shut down) for ([^\s]+) on"), 0), // Extract vm name from raw related to Guest OS activity
                 description ~= "^Virtual machine ", arrayindex(regextract(description, "^Virtual machine ([^\s]+)"), 0), // Extract vm name from raw start with Virtual Machine 
                 description ~= " cloned to", coalesce(arrayindex(regextract(description, "(.+?) cloned to"), 0), arrayindex(regextract(description, "([^\s]+) cloned to"), 0)), // Extract vm name from raw related to cloned to activity (space-aware extraction added, original kept as fallback)
                 description ~= "^Created virtual machine ", coalesce(arrayindex(regextract(description, "^Created virtual machine (.+?) on"), 0), arrayindex(regextract(description, "^Created virtual machine ([^\s]+) on"), 0)), // Extract vm name from raw related to VM created (space-aware extraction added, original kept as fallback)
                 description ~= "^Template ", arrayindex(regextract(description, "^Template (.+?)\s"), 0), // Extract vm name from raw start with Template
                 description ~= "^Removed ", coalesce(arrayindex(regextract(description, "^Removed\s(.+?)\s+on\s"), 0), arrayindex(regextract(description, "^Removed\s([^\s]+)"), 0)), // Extract vm name from raw start with Removed (space-aware extraction added, original kept as fallback)
                 description ~= "^Registered ", arrayindex(regextract(description, "^Registered\s([^\s]+)"), 0), // Extract vm name from raw start with Registered
                 description ~= "^Renamed ", coalesce(arrayindex(regextract(description, "^Renamed\s(.+?)\s+from\s"), 0), arrayindex(regextract(description, "^Renamed\s([^\s]+)"), 0)), // Extract vm name from raw start with Renamed (space-aware extraction added, original kept as fallback)
                 description ~= "^Reconfigured ", coalesce(arrayindex(regextract(description, "Reconfigured (.+?) on\s"), 0), arrayindex(regextract(description, "Reconfigured ([^\s]+)"), 0)), // Extract vm name from raw start with Reconfigured (space-aware extraction added, original kept as fallback)
                 description ~= "^\S+\s+\-", arrayindex(regextract(description, "^([^\s]+) - "), 0), //Extract vm name from the start of the string (before " - ")
                 description ~= "^\S+\s+on", coalesce(arrayindex(regextract(description, "^(.+?) on \S+\s+in "), 0), arrayindex(regextract(description, "^([^\s]+) on \S+\s+in "), 0))), //Extract vm name from the start of the string (before " on ") (space-aware extraction added, original kept as fallback)
    target_vm_name = coalesce(arrayindex(regextract(description, "cloned to (.+?) on"), 0), arrayindex(regextract(description, "cloned to ([^\s]+) on"), 0)),
    target_hostname = if(description ~= "^Removed", arrayindex(regextract(description, "Removed\s+\S+\s+on\s+([^\s]+)"), 0), // Extract target host from raw start with Removed
                         description ~= "^Guest OS", arrayindex(regextract(description, "on\s+([^\s]+)\s+in"), 0), // Extract target host from raw start with Guest OS                     
                         arrayindex(regextract(description, " to ([^\s]+),"), 0)),
    target_datacenter = coalesce(arrayindex(regextract(description, ",\s+\S+\s+in ([^\s]+)$"), 0), arrayindex(regextract(description, "\sin\s+(.+?)\.?$"), 0)),
    original_esxi_name = if(description ~= "relocated from\s+\S+", arrayindex(regextract(description, "relocated from\s+([^\,]+)"), 0),
                            description ~= "Creating ([^\s]+) on", arrayindex(regextract(description, "Creating ([^\s]+) on"), 0)),
    datastore_name =  if(description ~= "\S+\,\s+\S+\s+in", arrayindex(regextract(description, "\S+\,\s+([^\s]+)\s+in"), 0)),
    target_datastore_name = if(description ~= "\s+to\s+\S+\,\s+\S+\s+in", arrayindex(regextract(description, "\s+to\s+\S+\,\s+([^\s]+)"), 0)),
    old_vm_name = if(description ~= "from\s+\S+\s+to", coalesce(arrayindex(regextract(description, "from\s+(.+?)\s+to\s"), 0), arrayindex(regextract(description, "from\s+([^\s]+)\s+to"), 0))), // Extract old vm name from event start with Renamed (space-aware extraction added, original kept as fallback)
    new_vm_name = if(description ~= "deployed to", arrayindex(regextract(description, "deployed to ([^\s]+)"), 0), // Extract new vm name from event start with Template
                     description ~= "from\s.+\sto\s+.+\s+in\s", arrayindex(regextract(description, "\sto\s+(.+?)\s+in\s"), 0), // Extract new vm name from Renamed event when names contain spaces (added for CRTX-243601)
                     description ~= "from\s\S+\sto\s+\S+\s+in\s", coalesce(arrayindex(regextract(description, "\sto\s+(.+?)\s+in\s"), 0), arrayindex(regextract(description, "from\s\S+\sto\s+([^\s]+)"), 0))) // Extract new vm name from event start with Renamed (space-aware extraction added, original kept as fallback)
| alter
    xdm.observer.name = syslog_hostname,
    xdm.event.type = "VM Operations",
    xdm.event.description = syslog_msg,
    xdm.event.original_event_type = event_type_name,
    xdm.event.outcome_reason = description,
    xdm.event.outcome = if(description contains "Fail", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
    xdm.event.operation = if(event_type_name in ("vim.event.VmCreatedEvent", "*VM Created*", "vim.event.VmClonedEvent", "*VM Cloned*"), XDM_CONST.OPERATION_TYPE_CREATE,
                             event_type_name in ("vim.event.VmPoweredOnEvent", "*VM Power On*", "vim.event.VmPoweredOffEvent", "*VM Power Off*", "vim.event.VmGuestRebootEvent", "*Guest OS VM Reboot*", "vim.event.VmGuestShutdownEvent", "*Guest OS VM Shutdown*", "vim.event.VmMigratedEvent", "*VM Migrated*", "vim.event.VmResettingEvent", "*VM Resetting*", "vim.event.VmSuspendedEvent", "*VM Suspended*"), XDM_CONST.OPERATION_TYPE_STATUS_CHANGE,
                             event_type_name = "vim.event.VmRemovedEvent", XDM_CONST.OPERATION_TYPE_DELETE,
                             event_type_name in ("vim.event.VmRegisteredEvent","vim.event.VmDeployedEvent", "vim.event.VmReconfiguredEvent", "vim.event.VmRelocatedEvent"), XDM_CONST.OPERATION_TYPE_CONFIG_CHANGE,
                             event_type_name = "vim.event.VmRenamedEvent", XDM_CONST.OPERATION_TYPE_UPDATE),
    xdm.source.user.username = source_username,
    xdm.source.host.hostname = original_esxi_name,
    xdm.target.host.hostname = target_hostname,
    xdm.target.resource_before.name = old_vm_name,
    xdm.target.resource.name = new_vm_name,
    xdm.source.virtualization.data_center.name = source_hostname,
    xdm.target.virtualization.data_center.name = target_datacenter,  
    xdm.source.virtualization.data_store.name = datastore_name,
    xdm.target.virtualization.data_store.name = target_datastore_name,
    xdm.source.virtualization.vm.hostname = coalesce(vm_name, old_vm_name),
    xdm.target.virtualization.vm.hostname = coalesce(target_vm_name, new_vm_name, if(event_type_name = "vim.event.VmReconfiguredEvent", vm_name));

// Virtualization Story vSphere Task Event fomrat field mapping
// Event type = 10
[RULE: vmware_vcenter_vsphere_task_format]
alter
    description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
    source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
    source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
    xdm.observer.name = syslog_hostname,
    xdm.event.type = "vSphere Task Event",
    xdm.event.description = syslog_msg,
    xdm.event.original_event_type = event_type_name,
    xdm.event.outcome_reason = description,
    xdm.event.outcome = if(description contains "Fail", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_CREATE,
    xdm.source.virtualization.data_center.name = source_hostname,
    xdm.source.user.username = source_username;

// Virtualization Story Host Events fomrat field mapping
// Event type = 11
[RULE: vmware_vcenter_host_event_format]
alter
    description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
    source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
    source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
    target_hostname = coalesce(
        arrayindex(regextract(description, "Host ([^\s]+) in"), 0),
        arrayindex(regextract(description, "Connected to ([^\s]+) in"), 0),
        arrayindex(regextract(description, "Disconnected from ([^\s]+) in"), 0),
        arrayindex(regextract(description, "Added ([^\s]+) to"), 0),
        arrayindex(regextract(description, "Removed host ([^\s]+) in"), 0))
| alter
    xdm.observer.name = syslog_hostname,
    xdm.event.type = "Host Events",
    xdm.event.description = syslog_msg,
    xdm.event.original_event_type = event_type_name,
    xdm.event.operation = XDM_CONST.OPERATION_TYPE_CREATE,
    xdm.event.outcome_reason = description,
    xdm.event.outcome = if(description contains "Fail" or description contains "not responding", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
    xdm.source.virtualization.data_center.name = source_hostname,
    xdm.source.user.username = source_username,
    xdm.target.host.hostname = target_hostname;    

// Virtualization Story Scheduled Task Event fomrat field mapping
// Event type = 12
[RULE: vmware_vcenter_scheduled_task_format]
alter
    description = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 8),
    source_username = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 5),
    source_hostname = arrayindex(regextract(syslog_msg, "\[([^\]]*)\]"), 6)
| alter
    target_task_name = arrayindex(regextract(description, "Created task (.+?) on "), 0),
    vm_name = arrayindex(regextract(description, " on ([^\s]+) in datacenter"), 0)
| alter
    xdm.observer.name = syslog_hostname,
    xdm.event.type = "Scheduled Task Event",
    xdm.event.description = syslog_msg,
    xdm.event.original_event_type = event_type_name,
    xdm.event.outcome_reason = description,
    xdm.event.outcome = if(description contains "Fail", XDM_CONST.OUTCOME_FAILED, XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.operation = if(
        description contains "Created", XDM_CONST.OPERATION_TYPE_CREATE,
        description contains "Removed", XDM_CONST.OPERATION_TYPE_DELETE,
        description contains "Updated", XDM_CONST.OPERATION_TYPE_UPDATE),
    xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
    xdm.source.virtualization.data_center.name = source_hostname,
    xdm.source.user.username = source_username,
    xdm.target.virtualization.vm.hostname = vm_name,
    xdm.target.virtualization.task.name = target_task_name;

// Virtualization Story vcsa-audit fomrat field mapping
// Event types Command Execution and File/Datastore Event are mapped according to syscall_id extracted from parsed_fields
[RULE: vmware_vcenter_vcsa_audit_format]
alter
    event_name_clean = trim(parsed_fields -> type, "["),
    syscall_id = to_integer(parsed_fields -> syscall),
    pid = coalesce(parsed_fields -> pid, arrayindex(regextract(_raw_log, "(?:^| )pid=([0-9]+)"), 0)),
    ppid = parsed_fields -> ppid,
    comm = parsed_fields -> comm,
    uid = parsed_fields -> uid,
    success = parsed_fields -> success,
    res = parsed_fields -> res
| alter
    xdm.observer.name = syslog_hostname,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(to_string(syslog_priority) in ("14", "134", "*INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL),
    xdm.event.type = if(syscall_id in (59,322), "Command Execution", 
                        syscall_id in (2,3,85,22,257,292,0,1,17,18,19,20,295,296,82,87,263,264,79,83,84,86,88,89,217,258,260,266,4,5,6,9,11,21,76,90,91,92,93,133), "File/Datastore Event"),
    xdm.event.operation = if(event_name_clean = "SYSCALL", event_name_clean, XDM_CONST.OPERATION_TYPE_AUDIT),
    xdm.event.operation_sub_type = coalesce(to_string(syscall_id), event_name_clean),
    xdm.alert.name = event_name_clean,
    xdm.alert.description = parsed_fields -> msg,
    xdm.session_context_id = parsed_fields -> ses,
    xdm.event.outcome = if(success = "yes" or res = "1", XDM_CONST.OUTCOME_SUCCESS,
                           success = "no" or res = "0", XDM_CONST.OUTCOME_FAILED,
                           XDM_CONST.OUTCOME_UNKNOWN),
    xdm.event.outcome_reason = parsed_fields -> exit,
    xdm.source.process.pid = to_number(ppid),
    xdm.target.user.username = uid,
    xdm.target.user.identifier = uid,
    xdm.target.process.name = comm,
    xdm.target.process.parent_id = if(event_name_clean = "SYSCALL", null, ppid),
    xdm.target.process.executable.path = parsed_fields -> exe,
    xdm.target.process.pid = to_number(pid),
    xdm.target.process.command_line = if(event_name_clean = "SYSCALL", null, comm);

// Virtualization Story general field mapping
[RULE: vmware_vcenter_common_fields]
alter
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\d?"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d?\s?[^\s]+\d{2}:\d{2}:\d{2}[^\s]*\s+(\S+)"), 0),
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0),
    process_id = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+\S+\s+([^\s]+)"), 0),
    process_name = arrayindex(regextract(_raw_log, "^\S+\s+\S+\S+\s+\S+\s+([^\s]+)"), 0)
| alter
    xdm.event.tags = arraycreate("VIRTUALIZATION"),
	xdm.source.process.identifier = process_id,
	xdm.source.process.name = process_name,
    xdm.event.format = if(_raw_log ~= "^<\d+>1\s", "0",
                          _raw_log ~= "^<\d+>\s", "1");  

// Virtualization Story classification rule
// Return: 1. is_virtualization = true or false
//         2. vCenter Log Format
[RULE: vmware_vcenter_virtualization_classification]
alter
    event_type_name = arrayindex(regextract(_raw_log, "\[([\.a-zA-Z]+)\]"), 0)
| alter
    is_login_event = if(event_type_name in ("vim.event.BadUsernameSessionEvent", "vim.event.UserLoginSessionEvent", "vim.event.UserLogoutSessionEvent") or _raw_log ~= "vmware.sso.Login"),
    is_account_operation_event = if(event_type_name in ("vim.event.AccountCreatedEvent", "vim.event.AccountUpdatedEvent", "vim.event.PermissionAddedEvent", "vim.event.PermissionRemovedEvent", "vim.event.PermissionUpdatedEvent")),
    is_file_or_datastore_event = if(event_type_name in ("vim.event.VMFSDatastoreCreatedEvent", "vim.event.DatastoreDiscoveredEvent", "vim.event.DatastoreFileDeletedEvent")),
    is_vm_operations_event = if(event_type_name in ("vim.event.VmGuestRebootEvent", "vim.event.VmGuestShutdownEvent", "vim.event.VmMigratedEvent", "vim.event.VmBeingCreatedEvent", "vim.event.VmClonedEvent", "vim.event.VmCreatedEvent", "vim.event.VmDeployedEvent", "vim.event.VmPoweredOffEvent", "vim.event.VmPoweredOnEvent", "vim.event.VmReconfiguredEvent", "vim.event.VmRelocatedEvent", "vim.event.VmRemovedEvent", "vim.event.VmRenamedEvent", "vim.event.VmResettingEvent", "vim.event.VmSuspendedEvent", "vim.event.VmRegisteredEvent")),
    is_vsphere_task_event = if(event_type_name in ("vim.event.TaskEvent")),
    is_host_event = if(event_type_name in ("vim.event.HostConnectionLostEvent", "vim.event.HostConnectedEvent", "vim.event.HostDisconnectedEvent", "vim.event.HostAddedEvent", "vim.event.HostRemovedEvent")),
    is_scheduled_task_event = if(event_type_name in ("vim.event.ScheduledTaskCreatedEvent")),
    is_vcsa_audit = if(_raw_log ~= "vcsa-audit")
| alter
    is_virtualization = if (is_login_event
                            or is_account_operation_event  
                            or is_file_or_datastore_event 
                            or is_vm_operations_event 
                            or is_vsphere_task_event 
                            or is_host_event
                            or is_scheduled_task_event
                            or is_vcsa_audit);

// Modeling Rule
[MODEL: dataset = "vmware_vcenter_raw"]
//Virtualization Story - Format: Login Session
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| call vmware_vcenter_login_format
| filter is_session and not is_sso_login
| call vmware_vcenter_common_fields
| call vmware_vcenter_login_format_session_event;

//Virtualization Story - Format: Login SSO
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| call vmware_vcenter_login_format
| filter is_sso_login and not is_session
| call vmware_vcenter_common_fields
| call vmware_vcenter_login_format_sso_login;

//Virtualization Story - Fomrat: Account Operations
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_account_operation_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_account_operations_format;

//Virtualization Story - Fomrat: File \ Datastore
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_file_or_datastore_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_file_or_datastore_format;

//Virtualization Story - Fomrat: VM Operations
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_vm_operations_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_vm_operation_format;

//Virtualization Story - Fomrat: vSphere Task events
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_vsphere_task_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_vsphere_task_format;

//Virtualization Story - Fomrat: Host Events
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_host_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_host_event_format;

//Virtualization Story - Fomrat: Scheduled Task
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_scheduled_task_event
| call vmware_vcenter_common_fields
| call vmware_vcenter_scheduled_task_format;

//Virtualization Story - Fomrat: vcsa-audit
call vmware_vcenter_virtualization_classification
| filter is_virtualization
| filter is_vcsa_audit
| call vmware_vcenter_common_fields
| call vmware_vcenter_vcsa_audit_format;

/// End of Virtualization Story Enhancement

// sps (Storage management service) events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "sps" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    process_identifier = arrayindex(regextract(syslog_msg, "\[([\w-]+)\]\s+\w+\s+opId="), 0),
    thread_id = to_integer(arrayindex(regextract(syslog_msg, "thread\-(\d+)\]"), 0)),
    msg_severity = arrayindex(regextract(syslog_msg, "\[[\w-]+\]\s+(\w+)"), 0),
    operation_id = arrayindex(regextract(syslog_msg, "opId=(\S+)"), 0),
    app_component = arrayindex(regextract(syslog_msg, "opId=\S*\s+(\S+)"), 0),
    event_payload = arrayindex(regextract(syslog_msg, "opId=\S*\s+\S+\s+\-\s+(.+)"), 0)
| alter 
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    datastore = arrayindex(regextract(event_payload, "datastore=(\S+)"), 0),
    duration_ms = to_integer(coalesce(arrayindex(regextract(event_payload, "took\s+(\d+)\s+millis"), 0),
                   arrayindex(regextract(event_payload, "Time\s+taken:\s+(\d+)\s+ms"), 0))),
    url = arrayindex(regextract(event_payload, "(https:\S+)"), 0)
| alter 
    port = to_integer(arrayindex(regextract(url, ":(\d+)"), 0))
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.duration = duration_ms,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.session_context_id = operation_id,
    xdm.source.application.name = app_component, 
    xdm.source.host.hostname = syslog_hostname, 
    xdm.source.process.thread_id = thread_id,
    xdm.source.process.name = event_type,
    xdm.source.process.identifier = process_identifier,  
    xdm.target.port = port,
    xdm.target.url = url,
    xdm.target.resource.type = if(datastore != null, "datastore"),
    xdm.target.resource.value = datastore;

// vpxd-svcs-perf events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vpxd-svcs-perf" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    process_identifier = arrayindex(regextract(syslog_msg, "\w+\s+\[(\S+)"), 0),
    thread_id = to_integer(arrayindex(regextract(syslog_msg, "pool\-\d+\-thread\-(\d+)"), 0)),
    msg_severity = arrayindex(regextract(syslog_msg, "(\w+)\s+\S+\s+opId="), 0),
    app_component = arrayindex(regextract(syslog_msg, "\w+\s+(\S+)\s+opId="), 0),
    operation_id = arrayindex(regextract(syslog_msg, "opId=([^\]]+)"), 0),
    operation = arrayindex(regextract(syslog_msg, "Operation (\S+) took"), 0), 
    event_payload = arrayindex(regextract(syslog_msg, "opId=\S*\]\s+(.+)"), 0), 
    duration_ms = to_integer(arrayindex(regextract(syslog_msg, "took\s+(\d+)\s+ms"), 0)) 
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field 
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.operation_sub_type = operation, 
    xdm.event.duration = duration_ms,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.application_protocol = if(event_payload ~= "LDAP", "LDAP"),
    xdm.network.ldap.operation = if(event_payload ~= "Requesting LDAP connection", XDM_CONST.LDAP_OPERATION_BIND_REQUEST), 
    xdm.session_context_id = operation_id,
    xdm.source.process.thread_id = thread_id,
    xdm.source.process.name = event_type,
    xdm.source.process.identifier = process_identifier,
    xdm.source.application.name = app_component, 
    xdm.source.host.hostname = syslog_hostname;

// vpxd-main (VMware vCenter-Services), vsan-health-main (virtual storage area network health service) & vum-vmacore (vSphere Update Manager) events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type in( "vsan-health-main", "vpxd-main", "vum-vmacore", "StatsMonitor", "vdtc-main") and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
    pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
    operation_id = arrayindex(regextract(syslog_msg, "opI[dD]=([\w-]+)"), 0),
    sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0),
    user = replex(coalesce(arrayindex(regextract(syslog_msg, "GetUserInfo\w+\(([^,]+)"), 0), arrayindex(regextract(syslog_msg, "user:\s*(\S+)"), 0), arrayindex(regextract(syslog_msg, ":\s*User\s+(\S+)"), 0), arrayindex(regextract(syslog_msg, "]\s+User[\s:]+([^\s,]+)"), 0)), "\\+", "\\"),
    http_response_code = arrayindex(regextract(syslog_msg, "code:\s+(\d+)"), 0),
    event_payload = coalesce(arrayindex(regextract(syslog_msg, "\w+=\S+\]\s+(.+)"), 0), trim(arrayindex(regextract(syslog_msg, "v\[\d+\]\s+\[.+?\]\s+(.+)"), 0), "--"), syslog_msg )
| alter 
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    session_id = coalesce(arrayindex(regextract(event_payload, "session[\:\s\[\<]*([a-fA-F\d\-]{8,})"), 0), arrayindex(regextract(event_payload, "--\s+([a-fA-F\d-]{8,})"), 0))
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.session_id = session_id,
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
    xdm.session_context_id = operation_id, 
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.process.pid = pid, 
    xdm.source.process.name = event_type,
    xdm.source.application.name = sub_module, 
    xdm.source.host.hostname = syslog_hostname;

// dnsmasq events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "dnsmasq" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
    event_payload = arrayindex(regextract(syslog_msg, "dnsmasq\[\d+\]:\s+(.+)"), 0)
| alter 
    // extract the severity from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
    dns_event_fields = regextract(event_payload, "(\S+)")
| alter 
    dns_operation = arrayindex(dns_event_fields, 0),
    dns_record_name = arrayindex(dns_event_fields, 1),
    dns_direction_context = arrayindex(dns_event_fields, 2),
    dns_record_value = arrayindex(dns_event_fields, 3)
| alter 
    dns_query_type = arrayindex(regextract(dns_operation, "query\[([^\]]+)"), 0),
    dns_client_ipv4 = if(dns_direction_context = "from" and dns_record_value ~= "\d+\.", dns_record_value),
    dns_client_ipv6 = if(dns_direction_context = "from" and dns_record_value ~= "[\da-fA-F]+:", dns_record_value),
    dns_forwarder_ipv4 = if(dns_operation = "forwarded" and dns_record_value ~= "\d+\.", dns_record_value),
    dns_forwarder_ipv6 = if(dns_operation = "forwarded" and dns_record_value ~= "[\da-fA-F]+:", dns_record_value)
| alter 
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.operation_sub_type = dns_operation, 
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.intermediate.ipv4 = dns_forwarder_ipv4, 
    xdm.intermediate.ipv6 = dns_forwarder_ipv6,
    xdm.network.application_protocol = "DNS",
    xdm.network.dns.dns_resource_record.type = if(dns_record_value ~= "CNAME", XDM_CONST.DNS_RECORD_TYPE_CNAME), 
    xdm.network.dns.dns_resource_record.name = dns_record_name, 
    xdm.network.dns.dns_resource_record.value = if(dns_direction_context = "is", dns_record_value), 
    xdm.network.dns.dns_question.type = if(dns_query_type="A",XDM_CONST.DNS_RECORD_TYPE_A, dns_query_type="AAAA",XDM_CONST.DNS_RECORD_TYPE_AAAA, dns_query_type="AFSDB",XDM_CONST.DNS_RECORD_TYPE_AFSDB, dns_query_type="APL",XDM_CONST.DNS_RECORD_TYPE_APL, dns_query_type="CAA",XDM_CONST.DNS_RECORD_TYPE_CAA, dns_query_type="CDNSKEY",XDM_CONST.DNS_RECORD_TYPE_CDNSKEY, dns_query_type="CDS",XDM_CONST.DNS_RECORD_TYPE_CDS, dns_query_type="CERT",XDM_CONST.DNS_RECORD_TYPE_CERT, dns_query_type="CNAME",XDM_CONST.DNS_RECORD_TYPE_CNAME, dns_query_type="CSYNC",XDM_CONST.DNS_RECORD_TYPE_CSYNC, dns_query_type="DHCID",XDM_CONST.DNS_RECORD_TYPE_DHCID, dns_query_type="DLV",XDM_CONST.DNS_RECORD_TYPE_DLV, dns_query_type="DNAME",XDM_CONST.DNS_RECORD_TYPE_DNAME, dns_query_type="DNSKEY",XDM_CONST.DNS_RECORD_TYPE_DNSKEY, dns_query_type="DS",XDM_CONST.DNS_RECORD_TYPE_DS, dns_query_type="EUI48",XDM_CONST.DNS_RECORD_TYPE_EUI48, dns_query_type="EUI64",XDM_CONST.DNS_RECORD_TYPE_EUI64, dns_query_type="HINFO",XDM_CONST.DNS_RECORD_TYPE_HINFO, dns_query_type="HIP",XDM_CONST.DNS_RECORD_TYPE_HIP, dns_query_type="HTTPS",XDM_CONST.DNS_RECORD_TYPE_HTTPS, dns_query_type="IPSECKEY",XDM_CONST.DNS_RECORD_TYPE_IPSECKEY, dns_query_type="KEY",XDM_CONST.DNS_RECORD_TYPE_KEY, dns_query_type="KX",XDM_CONST.DNS_RECORD_TYPE_KX, dns_query_type="LOC",XDM_CONST.DNS_RECORD_TYPE_LOC, dns_query_type="MX",XDM_CONST.DNS_RECORD_TYPE_MX, dns_query_type="NAPTR",XDM_CONST.DNS_RECORD_TYPE_NAPTR, dns_query_type="NS",XDM_CONST.DNS_RECORD_TYPE_NS, dns_query_type="NSEC",XDM_CONST.DNS_RECORD_TYPE_NSEC, dns_query_type="NSEC3",XDM_CONST.DNS_RECORD_TYPE_NSEC3, dns_query_type="NSEC3PARAM",XDM_CONST.DNS_RECORD_TYPE_NSEC3PARAM, dns_query_type="OPENPGPKEY",XDM_CONST.DNS_RECORD_TYPE_OPENPGPKEY, dns_query_type="PTR",XDM_CONST.DNS_RECORD_TYPE_PTR, dns_query_type="RRSIG",XDM_CONST.DNS_RECORD_TYPE_RRSIG, dns_query_type="RP",XDM_CONST.DNS_RECORD_TYPE_RP, dns_query_type="SIG",XDM_CONST.DNS_RECORD_TYPE_SIG, dns_query_type="SMIMEA",XDM_CONST.DNS_RECORD_TYPE_SMIMEA, dns_query_type="SOA",XDM_CONST.DNS_RECORD_TYPE_SOA, dns_query_type="SRV",XDM_CONST.DNS_RECORD_TYPE_SRV, dns_query_type="SSHFP",XDM_CONST.DNS_RECORD_TYPE_SSHFP, dns_query_type="SVCB",XDM_CONST.DNS_RECORD_TYPE_SVCB, dns_query_type="TA",XDM_CONST.DNS_RECORD_TYPE_TA, dns_query_type="TKEY",XDM_CONST.DNS_RECORD_TYPE_TKEY, dns_query_type="TLSA",XDM_CONST.DNS_RECORD_TYPE_TLSA, dns_query_type="TSIG",XDM_CONST.DNS_RECORD_TYPE_TSIG, dns_query_type="TXT",XDM_CONST.DNS_RECORD_TYPE_TXT, dns_query_type="URI",XDM_CONST.DNS_RECORD_TYPE_URI, dns_query_type="ZONEMD",XDM_CONST.DNS_RECORD_TYPE_ZONEMD, to_string(dns_query_type)),
    xdm.source.process.pid = pid, 
    xdm.source.process.name = event_type,
    xdm.source.ipv4 = dns_client_ipv4, 
    xdm.source.ipv6 = dns_client_ipv6,
    xdm.source.host.hostname = syslog_hostname;

// analytics events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "analytics" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    msg_internal_header =  arrayfilter(split(arrayindex(regextract(syslog_msg, "(\d{4}\-\S+\s+\S+\s+\S+\s+\S+)"), 0)), len("@element") > 0),
    event_payload = arrayindex(regextract(syslog_msg, "\d{4}\-\S+\s+\S+\s+\S+\s+\S+(.+)"), 0),
    json_payload = arrayindex(regextract(syslog_msg, "\-\-\>(\{.+\})"), 0)
| alter 
    // internal header fields 
    thread_identifier = arrayindex(msg_internal_header, 1),
    msg_severity = uppercase(arrayindex(msg_internal_header, 2)), 
    application_component_class = arrayindex(msg_internal_header, 3)
| alter 
    // payload fields 
    target_url =  arrayindex(regextract(event_payload, "(https?\S+)"), 0), 
    collectorID = coalesce(arrayindex(regextract(event_payload, "collectorId[:=]([\w\.\-]+\w)"), 0), arrayindex(regextract(event_payload, "spec\s+for\s+([\w\.\-]+\w)"), 0)),
    collectorInstanceID = arrayindex(regextract(event_payload, "[iI]nstanceId[:=]([\w\.\-]+)"), 0),
    trust_store_path = arrayindex(regextract(event_payload, "trust\s+store\s+at\s+path:\s+(\S+)"), 0),
    reason = coalesce(arrayindex(regextract(event_payload, "Reason\:\s*(\S{3}.+)"), 0), arrayindex(regextract(event_payload, "The\s+reason[^\:]+\:(.+);"), 0)),
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    http_response_code = json_payload -> status, // for json payloads 
    api_endpoint_path = json_payload -> path // for json payloads 
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = coalesce(json_payload, syslog_msg),
    xdm.event.outcome = if(event_payload ~= "fail", XDM_CONST.OUTCOME_FAILED),
    xdm.event.outcome_reason = reason,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.http.url = coalesce(target_url, api_endpoint_path),
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)), 
    xdm.observer.name = collectorID,
    xdm.observer.unique_identifier = collectorInstanceID,
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.application.name = application_component_class, 
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.type = if(trust_store_path != null, "Trust Store Path"),
    xdm.target.resource.value = trust_store_path;

// eam-access (VMware ESX Agent Manager Access) events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "eam-access" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter tomcat_access_log_fields = arrayindex(regextract(syslog_msg, "(\".+)"), 0)
| alter 
    client_remote_machine = arrayindex(regextract(syslog_msg, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0),
    server_local_address = arrayindex(regextract(syslog_msg, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 1),
    thread_identifier = arrayindex(regextract(syslog_msg, "\[(\S+)\]"), 0),
    http_method = arrayindex(regextract(tomcat_access_log_fields, "\"(\w+)"), 0),
    uri = arrayindex(regextract(tomcat_access_log_fields, "\"\w+\s+(\S+)"), 0),
    http_response_code = arrayindex(regextract(tomcat_access_log_fields, "\"\s+(\d+)"), 0),
    bytes_sent = to_number(arrayindex(regextract(tomcat_access_log_fields, "\d+\s+(\d+)"), 0)),
    process_time_ms = to_integer(arrayindex(regextract(_raw_log, "time\s+(\d+)\s+msec"), 0)),
    user_agent = arrayindex(regextract(tomcat_access_log_fields, "\]\s+\"([^\"]+)"), 0),
    // extract the severity from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.duration = process_time_ms,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.http.url = uri, 
    xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)), 
    xdm.source.ipv4 = client_remote_machine,
    xdm.source.user_agent = user_agent, 
    xdm.source.sent_bytes = bytes_sent, 
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.value = uri,
    xdm.target.ipv4 = server_local_address;

// envoy-access events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "envoy-access" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
    pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
    sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0),
    event_payload = coalesce(arrayindex(regextract(syslog_msg, "\w+=\S+\]\s+(.+)"), 0), trim(arrayindex(regextract(syslog_msg, "v\[\d+\]\s+\[.+?\]\s+(.+)"), 0), "--"), syslog_msg )
| alter envoy_proxy_access_log_fields = regextract(event_payload, "\S+")
| alter 
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    http_method = ltrim(arrayindex(envoy_proxy_access_log_fields, 1), "\""),
    uri = arrayindex(envoy_proxy_access_log_fields, 2),
    http_protocol = rtrim(arrayindex(envoy_proxy_access_log_fields, 3), "\""),
    http_response_code = arrayindex(envoy_proxy_access_log_fields, 4),
    bytes_received = to_number(arrayindex(envoy_proxy_access_log_fields, 7)),
    bytes_sent = to_number(arrayindex(envoy_proxy_access_log_fields, 8)),
    client_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 12), "(\d+[^\:]+)"), 0),
    client_port = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 12), ":(\d{1,5})"), 0),
    server_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 13), "(\d+[^\:]+)"), 0),
    server_port = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 13), ":(\d{1,5})"), 0),
    client2_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 14), "(\d+[^\:]+)"), 0),
    proxy_ip = arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 15), "(\d+[^\:]+)"), 0),
    proxy_port = to_integer(arrayindex(regextract(arrayindex(envoy_proxy_access_log_fields, 15), ":(\d{1,5})"), 0))
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.intermediate.ipv4 = proxy_ip, 
    xdm.intermediate.host.ipv4_addresses = arraycreate(proxy_ip),
    xdm.intermediate.port = proxy_port,
    xdm.network.application_protocol = http_protocol, 
    xdm.network.http.url = uri, 
    xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)), 
    xdm.source.application.name = sub_module, 
    xdm.source.ipv4 = client_ip,
    xdm.source.port = to_integer(client_port), 
    xdm.source.host.ipv4_addresses = arraycreate(client_ip, client2_ip),
    xdm.source.sent_bytes = bytes_sent, 
    xdm.source.process.pid = pid, 
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.sent_bytes = bytes_received,
    xdm.target.resource.value = uri,
    xdm.target.port = to_integer(server_port),
    xdm.target.ipv4 = server_ip,
    xdm.target.host.ipv4_addresses = arraycreate(server_ip);

//  trustmanagement-gc 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "trustmanagement-gc" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// trustmanagement-svcs
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "trustmanagement-svcs" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    thread_identifier = arrayindex(regextract(syslog_msg, "\w+\s+\[([\w-]+)\s+"), 0),
    msg_severity = arrayindex(regextract(syslog_msg, "(\w+)\s+\S+\s+opId="), 0),
    app_class_component = arrayindex(regextract(syslog_msg, "\w+\s+(\S+)\s+opId="), 0),
    operation_id = arrayindex(regextract(syslog_msg, "opId=([^\]]+)"), 0),
    event_payload = arrayindex(regextract(syslog_msg, "opId=\S*\]\s+(.+)"), 0)
| alter 
    user = replex(coalesce(arrayindex(regextract(event_payload, "User (\S+)"), 0), arrayindex(regextract(event_payload, "\[value=([^,]+)"), 0)), "\\+", "\\"),
    group = regextract(event_payload, "group (\S+)"),
    ms = to_integer(coalesce( arrayindex(regextract(event_payload, "(?:ms|Ms|MS)(?:\W+|\s+)(\d+)"), 0), arrayindex(regextract(event_payload, "(\d+)\s+ms"), 0))),
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.duration = ms, 
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.session_context_id = operation_id,
    xdm.source.application.name = app_class_component, 
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.user.groups = group, 
    xdm.source.host.hostname = syslog_hostname;

// eam-api
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "eam-api" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    msg_severity = arrayindex(regextract(syslog_msg, "\|\s*(\w+)"), 0),
    module = arrayindex(regextract(syslog_msg, "\|\s*(\w+)"), 1),
    app_component = arrayindex(regextract(syslog_msg, "\|\s*(\S+)"), 2),
    pid = to_integer(arrayindex(regextract(syslog_msg, "\|\s*(\d+)\s*\|"), 0)),
    event_payload = arrayindex(regextract(syslog_msg, "\|\s*([^\|]+)"), 4)
| alter 
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    operation_id = arrayindex(regextract(event_payload, "opId=([\w\-]+)"), 0),
    session_id = arrayindex(regextract(event_payload, "sessionId=([\w\-]+)"), 0)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.session_id = session_id,
    xdm.session_context_id = operation_id,
    xdm.source.application.name = coalesce(app_component, module),
    xdm.source.process.pid = pid, 
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// wcpsvc
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "wcpsvc" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "\S+\s+(\w+)"), 0)),
    module = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+(\w+)"), 0),
    module_id = arrayindex(regextract(syslog_msg, "\w+\s+\[([^\]]+)\]"), 0),
    operation_id = arrayindex(regextract(syslog_msg, "opId=([\w\-]+)"), 0),
    target_hosts = regextract(syslog_msg, "Hostname:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
    target_port = to_integer(arrayindex(regextract(syslog_msg, "Port:(\d+)"), 0))
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.session_context_id = operation_id,
    xdm.source.application.name = coalesce(module, module_id),
    xdm.source.process.identifier = module_id,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.port = target_port,
    xdm.target.host.ipv4_addresses = target_hosts;

// ui-threadmonitor
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "ui-threadmonitor" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "\S+\s+\[\s*(\w+)"), 0)),
    module = arrayindex(regextract(syslog_msg, "\]\s+([\w\-]+)"), 0),
    application_component = arrayindex(regextract(syslog_msg, "\]\s+[\w\-]+\s+(\S+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.application.name = coalesce(application_component, module),
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// ssoadminserver 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "ssoadminserver" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    process_identifier = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+\w+\[([^\]]+)"), 0),
    thread_id = to_integer(arrayindex(regextract(syslog_msg, "thread\-(\d+)\]"), 0)),
    msg_severity = arrayindex(regextract(syslog_msg, "\S+\s+(\w+)"), 0),
    operation_id = arrayindex(regextract(syslog_msg, "opId=([a-fA-F\-\d]+)"), 0),
    app_component = arrayindex(regextract(syslog_msg, "opId=\S*\s+\[(\S+)\]"), 0),
    user = replex(coalesce(arrayindex(regextract(syslog_msg, "User\s*\{Name:\s*([^,]+)"), 0),
                arrayindex(regextract(syslog_msg, "SubjectNameId\s*\[value=([^\,]+)"), 0), 
                arrayindex(regextract(syslog_msg, "User\s+(\S+)\s+is"), 0)), "\\+", "\\"),
    user_domain = coalesce(arrayindex(regextract(syslog_msg, "Domain:\s*([\w\.]+)"), 0),
                  arrayindex(regextract(syslog_msg, "SubjectNameId\s*\[value=[^\@]+\@([^\,]+)"), 0)),
    user_role = regextract(syslog_msg, "role\s+\'([^\']+)")
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain_from_user = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.thread_id = thread_id,
    xdm.source.application.name = coalesce(app_component),
    xdm.session_context_id = operation_id,
    xdm.source.process.identifier = process_identifier,
    xdm.source.process.name = event_type,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = if(user_domain != null, user_domain, user_domain_from_user),
    xdm.source.user.groups = user_role, 
    xdm.source.host.hostname = syslog_hostname;

// ui-main 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "ui-main" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = arrayindex(regextract(syslog_msg, "\S+\s+\[\s*(\w+)\s*\]"), 0),
    module_identifier = arrayindex(regextract(syslog_msg, "\S+\s+\[\s*\w+\s*\]\s+(\S+)"), 0),
    event_payload = arrayindex(regextract(syslog_msg, "\S+\s+\[\s*\w+\s*\]\s+\S+\s+(.+)"), 0)
| alter 
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    session_id = coalesce(arrayindex(regextract(event_payload, "\S+\s+(\d+)\s+\S+\s+\S+"), 0), 
                          arrayindex(regextract(event_payload, "session\s+(\d+)"), 0),
                          arrayindex(regextract(event_payload, "session\s+id:\s*(\d+)"), 0),
                          arrayindex(regextract(event_payload, "sessionId\s*(\d+)"), 0)),
    ms = to_integer(arrayindex(regextract(event_payload, "(\d+)\s+ms"), 0)),
    application_component = coalesce(arrayindex(regextract(event_payload, "\S+\s+\S+\s+\S+\s+(\w+\.\w+\S+)"), 0),
                                     arrayindex(regextract(event_payload, "(\w+\.\w+\S+)"), 0))
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.duration = ms,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.session_id = session_id,
    xdm.source.application.name = application_component,
    xdm.source.process.identifier = module_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// procstate
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "procstate" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// content-library
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "content-library" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    internal_header_fields = regextract(syslog_msg, "\|\s*(\S+)"),
    event_payload =  arrayindex(regextract(syslog_msg, "\|\s*([^\|]+)"), 4)
| alter 
    msg_severity = arrayindex(internal_header_fields, 0),
    operation_id = arrayindex(internal_header_fields, 1),
    thread_identifier = arrayindex(internal_header_fields, 2),
    module = arrayindex(internal_header_fields, 3)
| alter 
    http_method = arrayindex(regextract(event_payload, "method:\s*(\S+)"), 0),
    url = arrayindex(regextract(event_payload, "url:\s*(\S+)"), 0),
    target_service = arrayindex(regextract(event_payload, "service\s+\'([^\']+)"), 0),
    operation = arrayindex(regextract(event_payload, "operation\s+\'([^\']+)"), 0),  
    wsdl_name = arrayindex(regextract(event_payload, "wsdlName=(\S+)"), 0),
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.operation_sub_type = operation, 
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
    xdm.network.http.url = url,
    xdm.source.application.name = module,
    xdm.session_context_id = operation_id,
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.value = coalesce(target_service, wsdl_name),
    xdm.target.resource.type = if(target_service != null, "Service Name", wsdl_name != null, "WSDL Name");

// vpxd-svcs-access
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vpxd-svcs-access" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    event_payload = arrayindex(regextract(syslog_msg, "\S+\s+(.+)"), 0),
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter 
    thread_identifier =  arrayindex(regextract(event_payload, "\S+\s+\S+\s+(\S+)"), 0),
    http_response_code = arrayindex(regextract(event_payload, "\S+\s+\S+\s+\S+\s+(\d+)"), 0),
    user_agent = arrayindex(regextract(event_payload, "\d{3}\s+\"([^\"]+)"), 0),
    http_method = arrayindex(regextract(event_payload, "\"\s+(\w+)"), 0),
    uri = arrayindex(regextract(event_payload, "\"\s+\w+\s+(\S+)"), 0),
    http_version = arrayindex(regextract(event_payload, "\/\S+\s+(HTTP\S+)"), 0)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
    xdm.network.http.url = uri,
    xdm.network.application_protocol = http_version,
    xdm.source.user_agent = user_agent,
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.value = uri;

// sso-tomcat & lookupsvc-localhost_access events 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type in ("sso-tomcat", "lookupsvc-localhost_access") and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
    event_payload = arrayindex(regextract(syslog_msg, "\[[^\]]+\]\s+(.+)"), 0),
    http_request_line = regextract(arrayindex(regextract(syslog_msg, "HTTP\S+\s+\w+\s+\/\S+"), 0), "(\S+)")
| alter 
    thread_identifier =  arrayindex(regextract(event_payload, "(\S+)"), 0),
    user_agent = arrayindex(regextract(event_payload, "Request\]\s+\"([^\"]+)"), 0),
    client_ip =  coalesce(arrayindex(regextract(event_payload, "Request\]\s+(\S+):\d{1,5}"), 0), 
                          arrayindex(regextract(event_payload, "Request\]\s+\"[^\"]+\"\s+[^\/]+\/(\S+):\d{1,5}"), 0)),
    client_port =  coalesce(arrayindex(regextract(event_payload, "Request\]\s+\S+:(\d{1,5})"), 0), 
                          arrayindex(regextract(event_payload, "Request\]\s+\"[^\"]+\"\s+[^\/]+\/\S+:(\d{1,5})"), 0)),
    server_ip = arrayindex(regextract(event_payload, "\"\s+(\d+[^\/]+)[^\:]+\:\d{1,5}"), 0),
    server_port = to_integer(arrayindex(regextract(event_payload, "to\s+local\s+(\d{1,5})"), 0)),
    http_version = arrayindex(http_request_line, 0),
    http_method = arrayindex(http_request_line, 1),
    uri = arrayindex(http_request_line, 2),
    bytes = to_number(arrayindex(regextract(event_payload, "(\d+)\s+bytes"), 0)),
    http_response_code = arrayindex(regextract(event_payload, "Response\]\s+(\d+)"), 0),
    process_duration_ms = to_integer(arrayindex(regextract(event_payload, "(\d+)ms"), 0))
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg, 
    xdm.event.duration = process_duration_ms,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
    xdm.network.http.url = uri,
    xdm.network.application_protocol = http_version,
    xdm.source.ipv4 = client_ip,
    xdm.source.port = to_integer(client_port), 
    xdm.source.user_agent = user_agent,
    xdm.source.sent_bytes = bytes, 
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.value = uri,
    xdm.target.ipv4 = server_ip, 
    xdm.target.port = server_port;

// vmon
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vmon" and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    event_payload = arrayindex(regextract(syslog_msg, "\S+\s+(.+)"), 0),
     // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter
    host_id = arrayindex(regextract(event_payload, "(host-\w+)"), 0),
    service = arrayindex(regextract(event_payload, "ֿ\s+\<([\w\-]+)"), 0),
    user = replex(arrayindex(regextract(event_payload, "as user (\S+)"), 0), "\\+", "\\"),
    command = coalesce(arrayindex(regextract(syslog_msg, "Constructed command:\s*(.+)"), 0),
                    arrayindex(regextract(syslog_msg, "Running\s+the\s+(.+)\s+command"), 0)),
    state =  arrayindex(regextract(event_payload, "State (\w+)"), 0),
    op = arrayindex(regextract(event_payload, "service\s+batch\s+op\s+(\w+)"), 0)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.operation_sub_type = op, 
    xdm.event.outcome = state,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.host.device_id = host_id, 
    xdm.source.process.command_line = command, 
    xdm.source.application.name = service, 
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// rhttpproxy-main
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "rhttpproxy-main" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
    pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
    sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.pid = pid,
    xdm.source.application.name = sub_module, 
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// sudo
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "sudo" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    user = replex(coalesce(arrayindex(regextract(syslog_msg, "USER=([^\s\(]+)"), 0),
                    arrayindex(regextract(syslog_msg, "for\s+user\s+([^\s\(]+)"), 0)), "\\+", "\\"),
    uid = arrayindex(regextract(syslog_msg, "uid=(\d+)"), 0),
    command = arrayindex(regextract(syslog_msg, "COMMAND=(\S+)"), 0),
    working_directory = arrayindex(regextract(syslog_msg, "PWD=(\S+)"), 0),
    process = rtrim(arrayindex(regextract(syslog_msg, "(\S+)"), 0), ":"),
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.user.identifier = uid, 
    xdm.source.process.command_line = command, 
    xdm.source.process.executable.directory = working_directory, 
    xdm.source.process.name = coalesce(process, event_type),
    xdm.source.host.hostname = syslog_hostname;

// sca-vmon.std
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "sca-vmon.std" and not is_virtualization 
| alter
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = arrayindex(regextract(syslog_msg, "(\w+):\s+"), 0),
    module = arrayindex(regextract(syslog_msg, "\w+:\s+(\w+):"), 0),
    event_payload = coalesce(arrayindex(regextract(syslog_msg, "\w+:\s+\w+:\s+(.+)"), 0),
                             arrayindex(regextract(syslog_msg, "\w{3}\s+\d{1,2},\s+\d{4}\s+\S+\s+[AP]M\s+(.+)"), 0),
                             syslog_msg)
| alter 
    user =  replex(arrayindex(regextract(event_payload, "\'([^\']+)\'\s+on\ssession"), 0), "\\+", "\\"),
    session_id =  arrayindex(regextract(event_payload, "on\ssession\s+([a-fA-F\d\-]+)"), 0),
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.outcome = if(event_payload contains "Successfully", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.session_id = session_id, 
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.application.name = module,  
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// applmgmt
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "applmgmt" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    pid = to_integer(arrayindex(regextract(syslog_msg, "\[(\d+)\]"), 0)),
    msg_severity = arrayindex(regextract(syslog_msg, "\[\d+\]\s*(\w+)\:"), 0),
    event_payload = arrayindex(regextract(syslog_msg, "\[\d+\]\s*\w+\:(.+)"), 0)
| alter 
    user =  replex(arrayindex(regextract(event_payload, "User=([^,]+)"), 0), "\\+", "\\"),
    groups = arrayfilter(regextract(arrayindex(regextract(event_payload, "groups=\{([^\}]+\})"), 0), "\'([^\']+)"), len("@element") > 2),
    file =  arrayindex(regextract(event_payload, "file\s+(\/\S+)"), 0),
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.user.groups = groups, 
    xdm.source.process.name = event_type,
    xdm.source.process.pid = pid,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.file.filename = file; 

// vstats
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vstats" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    event_payload = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+\S+\s+(.+)"), 0),
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8)))
| alter 
    resource_name = arrayindex(regextract(event_payload, "\{\"([^\"]+)"), 0),
    resource_value = arrayindex(regextract(event_payload, "\{\"[^\"]+\"\:\s*\"([^\"]+)"), 0)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.name = resource_name,
    xdm.target.resource.value = resource_value;

// vmafdd
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vmafdd" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    process_name = arrayindex(regextract(syslog_msg, "\[([^\]]+)"), 0),
    msg_severity = arrayindex(regextract(syslog_msg, "\]\[(\w+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = coalesce(process_name, event_type),
    xdm.source.host.hostname = syslog_hostname;

// certificatemanagement-svcs
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "certificatemanagement-svcs" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    process_identifier = arrayindex(regextract(syslog_msg, "\w+\s+\[(\S+)"), 0),
    thread_id = to_integer(arrayindex(regextract(syslog_msg, "pool\-\d+\-thread\-(\d+)"), 0)),
    msg_severity = arrayindex(regextract(syslog_msg, "(\w+)\s+\S+\s+opId="), 0),
    app_component = arrayindex(regextract(syslog_msg, "\w+\s+(\S+)\s+opId="), 0),
    operation_id = arrayindex(regextract(syslog_msg, "opId=([^\]]+)"), 0),
    operation = arrayindex(regextract(syslog_msg, "Operation (\S+) took"), 0), 
    ms = to_integer(arrayindex(regextract(syslog_msg, "took\s+(\d+)\s+ms"), 0)) 
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter 
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.operation_sub_type = operation,
    xdm.event.duration = ms, 
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.session_context_id = operation_id,
    xdm.source.application.name = app_component, 
    xdm.source.process.thread_id = thread_id, 
    xdm.source.process.identifier = process_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// cis-license
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "cis-license" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter 
    thread_id = to_integer(arrayindex(regextract(syslog_msg, "\S+\s+(\S+)"), 0)),
    msg_severity = coalesce(arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+(\w+)\s+"), 0),
                            arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+\S+\s+(\w+)\s+"), 0)),
    app_component = coalesce(arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+\w+\s+(\w+\.\S+)"), 0),
                            arrayindex(regextract(syslog_msg, "\S+\s+\S+\s+\S+\s+\w+\s+(\w+\.\S+)"), 0)),
    operation_id = arrayindex(regextract(syslog_msg, "operationID=(\S+)"), 0),
    user = replex(arrayindex(regextract(syslog_msg, "User\s+\'([^\']+)"), 0), "\\+", "\\")
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.session_context_id = operation_id,
    xdm.source.application.name = app_component, 
    xdm.source.process.thread_id = thread_id, 
    xdm.source.process.name = event_type,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.host.hostname = syslog_hostname;

// vdtc-main
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vdtc-main" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(\w+)\s+[\w-]+\[\d+"), 0)),
    pid = to_integer(arrayindex(regextract(syslog_msg, "[\w-]+\[(\d+)\]"), 0)),
    sub_module = arrayindex(regextract(syslog_msg, "sub=([\w-]+)"), 0)
| alter // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
| alter 
    xdm.alert.severity = severity, 
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.application.name = sub_module, 
    xdm.source.process.pid = pid,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname;

// applmgmt-audit
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "applmgmt-audit" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = arrayindex(regextract(syslog_msg, "\S+\s+(\w+)"), 0),
    event_payload = arrayindex(regextract(syslog_msg, "\S+\s+\w+\s+(.+)"), 0)
| alter 
    user = replex(coalesce(arrayindex(regextract(event_payload, "User=([^,]+)"), 0),
                    rtrim(arrayindex(regextract(event_payload, "user\s*:\s*(\S+)"), 0), ".")), "\\+", "\\"),
    auth_method = arrayindex(regextract(event_payload, "method=(\w+)"), 0), 
    status = arrayindex(regextract(event_payload, "Status\s*:\s*(\w+)"), 0), 
    is_authorized = arrayindex(regextract(event_payload, "authorized=(\w+)"), 0), 
    privileges = regextract(event_payload, "priv=(\w+)"),
    service_id = arrayindex(regextract(event_payload, "service_id:\s*([\w\.]+)"), 0),
    operation_id = arrayindex(regextract(event_payload, "operation_id:\s*([\w\.]+)"), 0),
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity, 
    xdm.auth.auth_method = auth_method,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.outcome = if(status = "Success" or is_authorized = "True", XDM_CONST.OUTCOME_SUCCESS, is_authorized = "False", XDM_CONST.OUTCOME_FAILED, status),
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.session_context_id = operation_id,
    xdm.source.process.name = event_type,
    xdm.intermediate.process.identifier = service_id,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.user.groups = privileges,
    xdm.source.host.hostname = syslog_hostname;

// vapi-endpoint-access
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vapi-endpoint-access" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
    thread_identifier = arrayindex(regextract(syslog_msg, "\|\s*(\S+)"), 0),
    event_payload = arrayindex(regextract(syslog_msg, "\|\s*[^\|]+\s+\|\s*(.+)"), 0),
    http_request_line = regextract(arrayindex(regextract(syslog_msg, "\"(\w+\s+\/\S+\s+HTTP\S[^\"]+)"), 0), "(\S+)")
| alter 
    http_method = arrayindex(http_request_line, 0), 
    uri = arrayindex(http_request_line, 1), 
    http_version = arrayindex(http_request_line, 2),
    http_response_code = arrayindex(regextract(event_payload, "\"\s+(\d+)\s+\d+"), 0),
    bytes = to_integer(arrayindex(regextract(event_payload, "\"\s+\d+\s+(\d+)"), 0)),
    user_agent = arrayindex(regextract(event_payload, "\"\s+\"([^\"]+)\"\s+\d+"), 0),
    session_id = arrayindex(regextract(event_payload, "id\s+([a-fA-F\d\-]+)"), 0),
    service = arrayindex(regextract(event_payload, "service\s+([\w\.]+)"), 0)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.network.session_id = session_id, 
    xdm.network.http.method = if(http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(http_method)),
    xdm.network.http.response_code = if(http_response_code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, http_response_code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, http_response_code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, http_response_code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, http_response_code = "200", XDM_CONST.HTTP_RSP_CODE_OK, http_response_code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, http_response_code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, http_response_code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, http_response_code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, http_response_code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, http_response_code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, http_response_code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, http_response_code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, http_response_code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, http_response_code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, http_response_code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, http_response_code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, http_response_code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, http_response_code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, http_response_code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, http_response_code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, http_response_code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, http_response_code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, http_response_code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, http_response_code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, http_response_code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, http_response_code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, http_response_code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, http_response_code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, http_response_code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, http_response_code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, http_response_code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, http_response_code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, http_response_code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, http_response_code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, http_response_code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, http_response_code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, http_response_code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, http_response_code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, http_response_code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, http_response_code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, http_response_code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, http_response_code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, http_response_code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, http_response_code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, http_response_code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, http_response_code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, http_response_code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, http_response_code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, http_response_code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, http_response_code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, http_response_code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, http_response_code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, http_response_code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, http_response_code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, http_response_code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, http_response_code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, http_response_code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, http_response_code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, http_response_code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, http_response_code = null, null, to_string(http_response_code)),
    xdm.network.http.url = uri,
    xdm.network.application_protocol = http_version,
    xdm.source.user_agent = user_agent,
    xdm.source.sent_bytes = bytes,
    xdm.source.process.identifier = thread_identifier,
    xdm.source.process.name = event_type,
    xdm.source.host.hostname = syslog_hostname,
    xdm.target.resource.value = uri,
    xdm.target.application.name = service;

// crond
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "crond" and not is_virtualization 
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    // since the log does not include an explicit severity, extract it from the syslog header priority field   
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
    user = replex(arrayindex(regextract(syslog_msg, "\(([^\)]+)"), 0), "\\+", "\\"),
    command = arrayindex(regextract(syslog_msg, "CMD\s+\(\s*([^\)]+)"), 0)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter 
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = event_type,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.process.command_line = command,
    xdm.source.host.hostname = syslog_hostname;

//vpxd
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type = "vpxd" and not is_virtualization
| alter
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0),
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    msg_severity = uppercase(arrayindex(regextract(syslog_msg, "(?:\[[^\]]+\]\s){4}\[([^\]]+)\]"), 0)),
    user = replex(coalesce(
                            arrayindex(regextract(syslog_msg, "(?:\[[^\]]+\]\s){5}\[([^\]]+)\]"), 0),
                            arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[.*?login has failed for\s*\'\$?\{*([^@]+)"), 0)
                            ), "\\+", "\\"),
    ip =  trim(coalesce(arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[.*?\sfrom\s(\S+)\s"), 0),
                   arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[[^\]]*@([^@\s\]\']+)"), 0)), ":")
| alter
    // map the msg severity to RFC 5424 standard values, if the log does not include an explicit severity, extract it from the syslog header priority field
    severity = if(msg_severity = null, to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))), msg_severity ~= "DEBUG|VERBOSE", "7", msg_severity ~= "INFO", "6", msg_severity ~= "NOTICE", "5", msg_severity ~= "WARN", "4", msg_severity ~= "ERROR", "3", msg_severity ~= "CRITICAL", "2", msg_severity ~= "ALERT", "1", msg_severity ~= "EMERGENCY", "0", msg_severity),
    source_ip4 = if(ip ~= "(?:\d{1,3}\.){3}\d{1,3}", ip, null),
    source_ip6 = if(ip ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", ip, null),
    outcome = arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[([^\]]*)"), 0)
// User field manipulations
| alter
    user_name = if(user contains """\\""", arrayindex(regextract(arrayindex(split(user, """\\"""), -1), "([^@]+)@?"), 0), user contains "@", arrayindex(split(user, "@"), 0), user),
    user_domain = if(user contains """\\""", arrayindex(split(user, """\\"""), 0), user contains "@", arrayindex(split(user, "@"), -1), null)
| alter
    xdm.alert.severity = severity,
    xdm.event.type = event_type,
    xdm.event.outcome = if(lowercase(outcome) contains "fail", XDM_CONST.OUTCOME_FAILED, lowercase(outcome) contains "cannot", XDM_CONST.OUTCOME_FAILED, lowercase(outcome) contains "success", XDM_CONST.OUTCOME_SUCCESS, null),
    xdm.event.outcome_reason = outcome,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = event_type,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = user_domain,
    xdm.source.host.hostname = syslog_hostname,
    xdm.source.ipv4 = source_ip4,
    xdm.source.ipv6 = source_ip6,
    xdm.source.user_agent = arrayindex(regextract(syslog_msg, "(?:\[[^\]]*\]\s){8}\[.*?\suser agent:\s([^\)]+)"), 0);

// general fallback mapping for all other event types which are currently not mapped explicitly 
call vmware_vcenter_virtualization_classification
| alter event_type = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+(\S+)"), 0)
| filter event_type NOT IN ("analytics", "applmgmt", "applmgmt-audit", "certificatemanagement-svcs", "cis-license", "content-library", "crond", "dnsmasq", "eam-access", "eam-api", "envoy-access", "lookupsvc-localhost_access", "procstate", "rhttpproxy-main", "sca-vmon.std", "sps", "sso-tomcat", "ssoadminserver", "StatsMonitor", "sudo", "trustmanagement-gc", "trustmanagement-svcs", "ui-main", "ui-threadmonitor", "vapi-endpoint-access", "vdtc-main", "vmafdd", "vmon", "vpxd-main", "vpxd-svcs-access", "vpxd-svcs-perf", "vsan-health-main", "vstats", "vum-vmacore", "vum-vmacore", "wcpsvc", "vpxd") and not is_virtualization
| alter 
    syslog_priority = to_integer(arrayindex(regextract(_raw_log, "^\<(\d{1,3})\>\S+"), 0)),
    syslog_hostname = arrayindex(regextract(_raw_log, "\<\d{1,3}\>\S+\s+\S+\s+(\S+)"), 0), 
    syslog_msg = arrayindex(regextract(_raw_log, "^\<\d{1,3}\>\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.+)"), 0)
| alter
    operation_id = arrayindex(regextract(syslog_msg, "opI[dD]=([\w\-]+)"), 0),
    severity = to_string(subtract(syslog_priority, multiply(floor(divide(syslog_priority, 8)), 8))),
    username = replex(coalesce(arrayindex(regextract(syslog_msg, "USER=([^\S\(]+)"), 0),
                    arrayindex(regextract(syslog_msg, "for\s+user\s+\[?([^\s\]]+)"), 0),
                    arrayindex(regextract(_raw_log, "User\s\'*([^\@]+)\@"),0),
                    arrayindex(regextract(syslog_msg, "for\suser[\s:]+\{Name:\s*([^,]+)"), 0),
                    arrayindex(regextract(_raw_log, "Username=\'([^\']+)\'"),0)), "\\+", "\\"),
    user_domain = arrayindex(regextract(syslog_msg, "for\suser[\s:]+\{Name:\s*[^,]+,\sDomain:\s*([^\}]+)"), 0)
// User field manipulations
| alter
    user_name = if(username contains """\\""", arrayindex(regextract(arrayindex(split(username, """\\"""), -1), "([^@]+)@?"), 0), username contains "@", arrayindex(split(username, "@"), 0), username),
    user_domain_from_username = if(username contains """\\""", arrayindex(split(username, """\\"""), 0), username contains "@", arrayindex(split(username, "@"), -1), null)
| alter
    xdm.event.type = event_type,
    xdm.event.description = syslog_msg,
    xdm.event.log_level = if(severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY , severity = "1", XDM_CONST.LOG_LEVEL_ALERT , severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, severity = "3", XDM_CONST.LOG_LEVEL_ERROR, severity = "4", XDM_CONST.LOG_LEVEL_WARNING, severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, severity = "7", XDM_CONST.LOG_LEVEL_DEBUG, severity),
    xdm.source.process.name = event_type,
    xdm.source.user.username = user_name,
    xdm.source.user.domain = if(user_domain != null, user_domain, user_domain_from_username),
    xdm.session_context_id = operation_id,
    xdm.source.host.hostname = syslog_hostname;

Schema

vmware_vcenter_raw

Field Type Array?
_raw_log string
parsed_fields string
Raw JSON
{
  "vmware_vcenter_raw": {
    "_raw_log": {
      "type": "string",
      "is_array": false
    },        
    "parsed_fields": {
      "type": "string",
      "is_array": false
    }
  }
}