regex=(suricata)\\[.*\\]:\\s(.*)
token.count=2
token[0].name=type
token[0].type=String
token[1].name=body
token[1].type=String
event.deviceVendor=__stringConstant("suricata")
event.deviceProduct=__stringConstant("ids")
event.sourceUserPrivileges=__stringConstant("suricata")
event.deviceProcessName=__stringConstant("suricata")
event.flexString2=body
submessage.messageid.token=type
submessage.token=body
submessage.count=1
submessage[0].messageid=suricata
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=\\[\\d+:\\d+:\\d+\\]\\s+(.*)\\[Classification:\\s+([^]]+)\\].*}\\s+(\\d+.\\d+.\\d+.\\d+):\\d+\\s+\\-\\>\\s+(\\d+.\\d+.\\d+.\\d+)\\:(\\d+).*
submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5
submessage[0].pattern[0].fields=event.message,event.name,event.attackerAddress,event.targetAddress,event.targetPort
Arcsight flexConnector for Suricata
Posted on
