Arcsight flexConnector for Fail2Ban

Posted on by testsoft
flexconnector-fail2ban 
#fail2ban 2020-12-01 05:01:08,966 fail2ban.filter         [893]: INFO    [sshd] Found 1.1.1.1 - 2020-12-01 05:01:08
regex=(fail2ban)\\s+(.*)

token.count=2
token[0].name=type
token[0].type=String
token[1].name=body
token[1].type=String

event.deviceVendor=__stringConstant("fail2ban")
event.deviceProduct=__stringConstant("fail2ban")
event.sourceUserPrivileges=__stringConstant("fail2ban")
event.deviceProcessName=__stringConstant("fail2ban")

event.flexString2=body
event.flexString2Label=__stringConstant("raw")
event.name=type
event.message=body

submessage.messageid.token=type
submessage.token=body
submessage.count=1

submessage[0].messageid=fail2ban
submessage[0].pattern.count=1

#2020-12-01 06:23:17,883 fail2ban.filter         [893]: INFO    [sshd] Found 1.1.1.1 - 2020-12-01 06:23:17
submessage[0].pattern[0].regex=(\\d+\\-\\d+\\-\\d+\\s+\\d+\\:\\d+\\:\\d+\\,\\d+)\\s+([^\\s]+)\\s+\\[(\\d+)\\]\\:\\s+(\\w+)\\s+\\[([^]]+)\\]\\s+((Found|Ban|Unban)?\\s+(\\d+.\\d+.\\d+.\\d+)?.*)
submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5|$6|$7|$8
submessage[0].pattern[0].fields=event.deviceCustomString1,event.name,event.deviceCustomString4,event.deviceSeverity,event.targetProcessName,event.message,event.deviceAction,event.attackerAddress
submessage[0].pattern[0].extramappings=event.name\=__concatenate($2," ",$5)|event.deviceSeverity=__toLowerCase($4)|event.deviceCustomString1Label=__stringConstant("time_local")|event.deviceCustomString4Label=__stringConstant("pid")

#$1		-	event.deviceCustomString1	-	time_local
#$2		-	event.name
#$3		-	event.deviceCustomString4	-	pid
#$4		-	event.deviceSeverity		-	
#$5		-	event.targetProcessName		-
#$6		-	event.message			-	
#$7		-	event.deviceAction		-	
#$8		-	event.attackerAddress		-

#submessage[1].pattern.count=1
#submessage[1].pattern[0].regex=(.*)
#submessage[1].pattern[0].fields=event.message
#submessage[1].pattern[0].extramappings=event.reason=__stringConstant("unparsed")