regex=(openvpn)\\[.*\\]:\\s(.*) token.count=2 token[0].name=type token[0].type=String token[1].name=body token[1].type=String event.deviceVendor=__stringConstant(“openvpn”) event.deviceProduct=__stringConstant(“openvpn”) event.sourceUserPrivileges=__stringConstant(“openvpn”) event.deviceProcessName=__stringConstant(“openvpn”) event.flexString2=body event.name=type event.message=body submessage.messageid.token=type submessage.token=body submessage.count=1 submessage[0].messageid=openvpn submessage[0].pattern.count=3 submessage[0].pattern[0].regex=([^\\/]+)\\/(\\d+.\\d+.\\d+.\\d+):(\\d+)\\s+(.*) submessage[0].pattern[0].mappings=$1|$2|$3|$4 submessage[0].pattern[0].fields=event.targetUserName,event.attackerAddress,event.attackerPort,event.message submessage[0].pattern[1].regex=(\\d+.\\d+.\\d+.\\d+):(\\d+)\\s+(.*) submessage[0].pattern[1].mappings=$1|$2|$3 submessage[0].pattern[1].fields=event.attackerAddress,event.attackerPort,event.message submessage[1].pattern.count=1 submessage[1].pattern[0].regex=(.*) submessage[1].pattern[0].fields=event.message submessage[1].pattern[0].extramappings=event.reason=__stringConstant(“unparsed”)
Arcsight flexConnector for openVPN
Posted on