Arcsight flexConnector for Fail2Ban

flexconnector-fail2ban

#fail2ban 2020-12-01 05:01:08,966 fail2ban.filter [893]: INFO [sshd] Found 1.1.1.1 – 2020-12-01 05:01:08 regex=(fail2ban)\\s+(.*) token.count=2 token[0].name=type token[0].type=String token[1].name=body token[1].type=String event.deviceVendor=__stringConstant(“fail2ban”) event.deviceProduct=__stringConstant(“fail2ban”) event.sourceUserPrivileges=__stringConstant(“fail2ban”) event.deviceProcessName=__stringConstant(“fail2ban”) event.flexString2=body event.flexString2Label=__stringConstant(“raw”) event.name=type event.message=body submessage.messageid.token=type submessage.token=body submessage.count=1 submessage[0].messageid=fail2ban submessage[0].pattern.count=1 #2020-12-01 06:23:17,883 fail2ban.filter [893]: INFO [sshd] Found 1.1.1.1 – 2020-12-01 06:23:17 submessage[0].pattern[0].regex=(\\d+\\-\\d+\\-\\d+\\s+\\d+\\:\\d+\\:\\d+\\,\\d+)\\s+([^\\s]+)\\s+\\[(\\d+)\\]\\:\\s+(\\w+)\\s+\\[([^]]+)\\]\\s+((Found|Ban|Unban)?\\s+(\\d+.\\d+.\\d+.\\d+)?.*) submessage[0].pattern[0].mappings=$1|$2|$3|$4|$5|$6|$7|$8 submessage[0].pattern[0].fields=event.deviceCustomString1,event.name,event.deviceCustomString4,event.deviceSeverity,event.targetProcessName,event.message,event.deviceAction,event.attackerAddress submessage[0].pattern[0].extramappings=event.name\=__concatenate($2,” “,$5)|event.deviceSeverity=__toLowerCase($4)|event.deviceCustomString1Label=__stringConstant(“time_local”)|event.deviceCustomString4Label=__stringConstant(“pid”) #$1 – event.deviceCustomString1 – time_local #$2 – event.name… Continue reading Arcsight flexConnector for Fail2Ban