Hello,

I'm trying to override the SourceIP and TargetIP fields in the Universal
Collector using custom.js, but I always get the IP of the syslog source —
in this case the firewall itself.

From the event below I would expect SourceIP to be 194.236.49.69, not
192.168.0.1.

My code looks like this:


Code:
--------------------
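/**
 * Custom Universal Collector parser for kernel (netfilter) DROP messages.
 *
 * Only messages reported by the firewall at 192.168.0.1 are handled. For
 * those, the DROP record's KEY=value tokens are copied onto the event.
 *
 * Why this is written with whole-key matching: the previous form
 * `message.replace(/.+KEY=(.+?)\s.+/, '$1')` returns the ENTIRE message
 * when the pattern does not match (token absent, or the value is the last
 * token with no trailing whitespace), so e.g. e.TargetPort could silently
 * become the whole log line. It also used indexOf("SRC"), which is true for
 * "MACSRC=" even when no "SRC=" token exists.
 *
 * NOTE(review): in the sample event, s_Body starts with "kernel: DROP ...".
 * If the collector passes that string as `message`, the ^DROP test below
 * never matches and no field is overridden — confirm what `message` holds.
 *
 * @param {string} message - kernel message, expected to begin with "DROP".
 * @param {Object} e - event being built; fields are assigned in place.
 * @returns {boolean} always true so the collector continues processing.
 */
Record.prototype["parse-kernel"] = function(message, e) {
  if (e.ReporterIP !== "192.168.0.1") {
    return true;
  }
  e.ProductName = "TomatoShibby";
  e.ObserverCategory = "FW";

  if (!/^DROP/.test(message)) {
    return true;
  }

  // Value of a whole-key token ("KEY=value"), or null when the token is
  // absent or empty. \b keeps "SRC=" from matching inside "MACSRC=" and
  // "PROTO=" inside "MACPROTO="; \S+ accepts a value at end of message.
  var field = function(key) {
    var m = new RegExp("\\b" + key + "=(\\S+)").exec(message);
    return m ? m[1] : null;
  };
  // Assign e[target] only when the token is present, so a missing token
  // leaves the collector's own value untouched instead of clobbering it.
  var assign = function(target, key) {
    var value = field(key);
    if (value !== null) {
      e[target] = value;
    }
  };

  assign("SourceMAC", "MACSRC");
  assign("TargetMAC", "MACDST");
  assign("Protocol", "PROTO");
  assign("SourcePort", "SPT");
  assign("TargetPort", "DPT");

  var sip = field("SRC");
  if (sip !== null) {
    e.SourceIP = sip;
    e.sip = sip; // lower-case alias kept from the original script
  }
  var dip = field("DST");
  if (dip !== null) {
    e.TargetIP = dip;
    e.dip = dip;
  }
  return true;
};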
--------------------



The message looks like this:


Code:
--------------------
{"s_AppId":"kernel","i_syslog_priority":"12","CONNECTION_METHOD":"SYSLOG","i_Hour":"15","i_RXBufferLength":"230","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"29CA7B51-14B3-1032-9AB2-000C29706422","s_RV24":"E421DE69-9DD2-1031-AB1A-000C29706422","i_Type":"0","i_Second":"42","s_RV23":"C8A20747-6197-1031-B975-000C29706422","s_RV22":"CAA27753-2911-1031-8E0A-000C29706422","s_Version":"2011.1r4-201407092447-release","s_RXBufferString":"Sep 02 15:56:42 192.168.0.1 kernel: DROP IN=vlan2 OUT= MACSRC=00:0f:34:b2:fb:c0 MACDST=bc:ee:7b:c4:eb:81 MACPROTO=0800 SRC=194.236.49.69 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=120 ID=3311 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5","s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","s_Body":"kernel: DROP IN=vlan2 OUT= MACSRC=00:0f:34:b2:fb:c0 MACDST=bc:ee:7b:c4:eb:81 MACPROTO=0800 SRC=194.236.49.69 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=120 ID=3311 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5","s_chainId":"1409666125898","i_milliseconds":"1409666202000","s_raw_message2":"<12>Sep 2 15:56:42 kernel: DROP IN=vlan2 OUT= MACSRC=00:0f:34:b2:fb:c0 MACDST=bc:ee:7b:c4:eb:81 MACPROTO=0800 SRC=194.236.49.69 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=120 ID=3311 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5","s_MessageOriginatorPort":"51278","i_Minute":"56","s_Date":"Sep 02 15:56:42","i_TrustDeviceTime":"","i_DayOfMonth":"2","s_chainSequence":"1","i_Year":"2014","s_sha256Hash":"628ec25700ae36aa708cf8f87f9bcfb383d3952aba61a70e8740e9d05bea9a5b","s_SyslogRelayIp":"192.168.0.1","s_MessageOriginatorHost":"192.168.0.1","s_Pid":null,"i_Month":"8","i_syslog_facility":"1","i_syslog_severity":"4"}

--------------------


--
alekz