2017-09-29 08:52 AM
How do we properly categorize events with different fields populating needed information to categorize the event?
Sample Log:
2017-09-28 15:14:31.930^^AUDIT^^User Management Service^^samplehost^^Logged in. User's last login date updated^^themountain@westoros^^Login^^SUCCESS
Login and success are parsed into two different fields. How do we categorize events that have multiple values to properly categorize this? This event would be categorized as:
One of the two:
User.Activity.Successful Logins
Auth.Successful
2017-10-03 05:48 AM
Hi Joseph Gumke,
I understand the Login and Success meta values are coming in two different meta keys and you would like to categorize the event. Please use an Application rule to categorize the event when the two values are found in it.
2017-10-04 11:54 AM
What inside of the log parser can we do this with? It's not sustainable for any customer to have hundreds/thousands of app rules to manage/deploy (and ensure they are consistently deployed).
2017-10-04 12:05 PM
Hi XDudADtNBir2yWTvsAvML3S8A4BmZKPAABc5iGXZy0M=,
Yes. We can customize the existing parser using the ESI tool. Please use the screenshot below for reference.
1. Identify the message ID
2. Then mention Event Category
2017-10-04 12:12 PM
That's statically assigning values to categories, which is not a good practice. We leverage tag value maps to make our parsers as dynamic as possible; the fewer header/message parsers, the better. So we now have situations where we cannot statically assign a category (successful authentication, for instance) to an event that populates event.type = login and result = successful in two different tags. I need a method where we can use the log parsing engine to properly categorize events whose values are placed in two separate tags, using some advanced logic to properly categorize the events.
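As an added illustration of the problem the thread describes (this is not NetWitness parser code and not from anyone in the thread), the following Python routine splits the `^^`-delimited audit line from the question into fields and assigns a category from the pair (event type, result) rather than from either field alone, which is the two-key lookup the poster is asking for. The field names, the category map, and the two extra sample lines (a failed login and a password change) are this example's own assumptions; an unmapped pair is returned as `None` so it can be surfaced for review instead of being silently mis-categorized.

```python
from typing import Dict, List, Optional, Tuple

# Assumed field order of the '^^'-delimited audit line quoted in the thread.
# These names are this example's own, not the product's meta keys.
FIELDS = ("timestamp", "level", "service", "host", "message",
          "user", "event_type", "result")

# Constructed sample input: the first line is the one from the question,
# the other two are made up in the same layout for the failure/unmapped cases.
SAMPLE_LINES = [
    "2017-09-28 15:14:31.930^^AUDIT^^User Management Service^^samplehost"
    "^^Logged in. User's last login date updated^^themountain@westoros^^Login^^SUCCESS",
    "2017-09-28 15:15:02.004^^AUDIT^^User Management Service^^samplehost"
    "^^Login rejected: bad password^^themountain@westoros^^Login^^FAILURE",
    "2017-09-28 15:16:40.118^^AUDIT^^User Management Service^^samplehost"
    "^^Password changed^^themountain@westoros^^PasswordChange^^SUCCESS",
]

# Hypothetical two-key value map: (event_type, result) -> category.
# Keys are compared case-insensitively so "Login"/"SUCCESS" match "login"/"success".
CATEGORY_MAP: Dict[Tuple[str, str], str] = {
    ("login", "success"): "Auth.Successful",
    ("login", "failure"): "Auth.Failed",
    ("logout", "success"): "Auth.Logoff",
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one '^^'-delimited line into a field dict; reject malformed lines."""
    parts = line.rstrip("\r\n").split("^^")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def categorize(event: Dict[str, str]) -> Optional[str]:
    """Look the event up by the (event_type, result) pair; None if no mapping exists."""
    key = (event.get("event_type", "").strip().lower(),
           event.get("result", "").strip().lower())
    return CATEGORY_MAP.get(key)


def categorize_line(line: str) -> Optional[str]:
    """Convenience wrapper: parse and categorize a raw line in one step."""
    return categorize(parse_line(line))


def categorize_all(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (user, category) for each line; unmapped pairs surface as None."""
    results = []
    for line in lines:
        event = parse_line(line)
        results.append((event["user"], categorize(event)))
    return results


if __name__ == "__main__":
    for user, category in categorize_all(SAMPLE_LINES):
        print(f"{user:25s} -> {category if category else 'UNMAPPED (review)'}")
```

The map is keyed on the normalized pair, so adding a new combination is one dictionary entry rather than a new parser or application rule; lines whose pair is not in the map come back as `None`, which is the case a detection engineer wants to count and review rather than drop.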