Hello to the community!
I have the following jboss log:
[2018-12-07 14:17:23,661] [INFO] [xxx.common.ldap.connections.TimedAuthenticator] (default task-4) () Authentication succeeded for dn: CN=XXX,OU=YYY,DC=external,DC=ZZZ,DC=LLL
Using the jboss app, I have the following field name and value:
signature=Authentication succeeded for dn: CN=XXX,OU=YYY,DC=external,DC=ZZZ,DC=LLL
How can I keep this value and on top of that create the following name/values:
event=Authentication succeeded
action=success
user=XXX
src_bunit=YYY
My goal is to normalize the logs and map them to CIM in order to be parsed properly by Enterprise Security App.
Any clues?
You can use FIELDALIAS in props.conf. Or use an eval at search time.
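One way to produce the requested fields with search-time props.conf settings, added here as an example and not part of the original thread. The sourcetype name jboss:app is a placeholder, and the regex assumes the DN layout shown in the sample log line (CN first, then OU).

```ini
# props.conf (search-time settings)
# [jboss:app] is a placeholder: use the sourcetype your JBoss events carry.
[jboss:app]

# Inline extraction against _raw, so the existing "signature" field is untouched.
# Assumes the DN layout from the sample event: CN first, then OU, and no
# escaped commas (\,) inside either value.
EXTRACT-jboss_ldap_auth = (?<event>Authentication succeeded) for dn: CN=(?<user>[^,]+),OU=(?<src_bunit>[^,]+)

# Calculated field: evaluated after extractions, so it can read "event".
# Events that do not match the extraction get no "action" value.
EVAL-action = if(event=="Authentication succeeded", "success", null())
```

Tabling signature, event, action, user and src_bunit in a search over the sourcetype shows whether each field is populated before the data is mapped to the CIM Authentication data model.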