Hi Board.
I am in a very big hurry for developing a RSA ACE collector script. The
already released RSA ACE Collector script is file based and the RSA ACE
server can dump a CSV log report with an interval of a hour as the
fastest possible interval. This is not at all satisfying for the
customer which - due to the latest issue with hacking attacks on EMC's
network both announced in the press and by letter from EMC and to their
customers - is not at all acceptable. They need to have logic for
pattern searches and correlation rules that can respond as close to real
time as possible.

We have with success and without any troubles or big efforts installed
the SNARE agent on the RSA ACE Appliance box. We are receiving the
events from the RSA server correctly (or we are receiving the events as
unsupported events because the events is not parsed correctly, but all
the needed information is there) and I have started development of a new
Collector script based on the Generic Event Collector (Just
doubleclicked on New Collector script in the Ant menu).

So far I have tryed some different approaches. I know that I can totaly
manipulate with the events received from the Source because I can
pre-set values via the protoEvt.map file. Even further have I been able
to set some other values in the Parse function by using the rec2Evt.map
and then hardcode a value to the desired field by using
Therefor I am pretty convinced that I am on the right track.

Now here is my question:

Based on this copy-pasted s_RXBufferString value (IP addresses and
host+domain values changed for protecting the customer):

Mar 26 05:48:12 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617

*NB!* Swap out [tab] with tablulator delimiter!

I have tryed this approach (this is the entire Parse Functiomn):

var ValueArray = this.s_RXBufferString.split("\\t");
rec.msg = this.s_RXBufferString;

var SourceInfo = ValueArray[0];
rec.sun = ValueArray[1];
//e.InitServiceName = ValueArray[1];
//rec.Service = ValueArray[1];

//e.EventTime = ValueArray[5];
//rec.EvtTime = ValueArray[5];
//e.VendorEventCode = ValueArray[6];
rec.evtCode = ValueArray[6];

e.DeviceName = ValueArray[7];
rec.sun = ValueArray[8];
//e.EffectiveUserID = ValueArray[8];
//var OSInitUser = ValueArray[8];
//e.InitHostName = ValueArray[11];
rec.shd = ValueArray[11];
//ValueArray[12] = ValueArray[12].ltrim();

var AppSpecificMessage = '';

for(var t = 12; t<count(ValueArray); t+1)
AppSpecificMessage += ValueArray[t];

//e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
rec.sip = this.s_RXBufferString.match("\d+\.\d+\.\d+\.\d+");

var A = AppSpecificMessage.search('\(.+\)');

//e.EventName = 'Debugging RSA';

//e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
rec.evt = AppSpecificMessage.substring(0,A-1).ltrim();

AppSpecificMessage = AppSpecificMessage.match('\(.+\)');

// var B = AppSpecificMessage.search(')');
//var B = AppSpecificMessage.search(')');
// var BaseInfo = AppSpecificMessage.substring(A+1,B-1);

// var BaseTmpArray = BaseInfo.split(';');
// var BaseArray = new Array();

/*for(var i = 0; i<count(BaseTmpArray); i+1)
var str = BaseTmpArray[i].ltrim();
var TempAr = str.split(':');

/*var AgentArr = BaseArray[6].split(".");

e.InitHostDomain = AgentArr.join(".");
//rec.InitDomain = AgentArr.join(".");
e.InitHostDomain = "corp.ad.local";

if (ValueArray[10] == "Information")
rec.sev = "0";
//e.Severity = "0";
else if (ValueArray[10] == "Warning")
rec.sev = "3";
//e.Severity = "3";
else if (ValueArray[10] == "Error")
rec.sev = "4"
//e.Severity = "4";
rec.sev = "1";
//e.Severity = "1";

//e.InitUserID = BaseArray[0];
rec.LoginName = BaseArray[0];

//e.InitUserName = BaseArray[1];
rec.UserName = BaseArray[1];
//e.customerVar35 = BaseArray[2];
//rec.Token = BaseArray[2];
//e.customerVar36 = BaseArray[5];
//rec.Agent = BaseArray[5];

instance.SEND_EVENT = true;

// parsing logic goes here
/*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
instance.SEND_EVENT = true;
// If you can't parse...
return true;

But it just laughs at me and wont work. It states that there is a
parsing error: match function something with input.

Can you please help me build a logic that will work as intended? It
should be clear what information or which piece of the text that I try
map to which Event fields (look at the outcommented bits right above or
below the ones that point to a rec.something because there I have tryed
just map the information directly).

kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
View this thread: http://forums.novell.com/showthread.php?t=435715