Hello,

I'm trying to add support for FreeRADIUS to the SLES collector by adding
a parse-radiusd function to a custom.js file.

A couple of questions:

1) What is the proper way to extend the taxonomy.map file? Right now I'm
adding all XDAS data in custom.js instead of using e.setTaxKey:

// XDAS fields written directly on the event object `e` from custom.js,
// in place of a taxonomy.map entry looked up through e.setTaxKey.
// `e` is supplied by the collector and is not defined in this snippet.
e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
e.XDASOutcomeName = "XDAS_OUT_SUCCESS";
// The remaining values are numeric codes stored as strings.
e.XDASOutcome = "0";
e.XDASDetail = "0";
e.XDASIdentifier = "4";
e.XDASClass = "2";
e.XDASProvider = "0";
e.XDASRegistry = "0";

I don't want to edit the taxonomy.map directly since I don't want to
lose changes when the collector is upgraded.

2) How do I enable my event for Identity Tracking?

I have previously made a custom.js for the NetIQ Universal Event
collector for parsing OpenVPN events and I was able to get IdT working
by just adding e.InitiatorUserName and e.InitiatorUserDomain to the event.

The issue I'm having with the custom.js for the SLES collector is that
setting those fields has no effect at all: they don't show up when I
look at the processed event in the Sentinel Web UI.

Instead I have to set this.sun, this.iud.

That makes those fields show up in the Web UI, but the events are not
enriched by Identity Tracking, so I must be missing something else.

Here is the entire function as it looks right now:

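/**
 * Parses a radiusd authentication log line and fills in the event fields
 * for a successful ("Login OK") or failed ("Login incorrect") login.
 *
 * Messages containing neither phrase only receive the common XDAS
 * class/provider/registry values.
 *
 * @param {string} message - Log text to classify and extract the user from.
 * @param {Object} e - Event object supplied by the collector; the XDAS fields
 *   and InitiatorUserName are set on it.
 * @returns {boolean} Always true.
 */
Record.prototype["parse-radiusd"] = function(message, e) {
  // `var` and a function expression keep the syntax conservative; the
  // collector's script engine version is not visible from this file.
  //
  // Returns the text between "[" and the last "/" that the pattern can reach,
  // or null when the line has no such "[user/..." part. The previous
  // message.replace(...) call returned its input unchanged on a non-match,
  // which copied the whole log line into the user name field.
  var extractUser = function(text) {
    var match = /.+\[(.+)\/.+/.exec(text);
    return match ? match[1] : null;
  };
  var userName;

  e.XDASClass = "2";
  e.XDASProvider = "0";
  e.XDASRegistry = "0";

  if (/Login OK/.test(message)) {
    // The user name is chosen by the authenticating client, so treat it as
    // untrusted text. NOTE(review): the part after the slash may be the
    // submitted password when radiusd is configured to log passwords
    // (auth_goodpass / auth_badpass); only the part before it is copied.
    userName = extractUser(message);
    if (userName !== null) {
      e.InitiatorUserName = userName;
      // Per the post, sun/iud are the fields that actually show up as the
      // initiator user name and domain in the Sentinel Web UI.
      this.sun = userName;
    }
    this.iud = "\\meta\\users"; // 2014-12-25, test of Identity Tracking
    this.i_syslog_severity = 3;
    this.evt = "RADIUS Login";
    e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
    e.XDASOutcomeName = "XDAS_OUT_SUCCESS";
    e.XDASOutcome = "0";
    e.XDASDetail = "0";
    e.XDASIdentifier = "4";
  } else if (/Login incorrect/.test(message)) {
    // NOTE(review): unlike the success branch, e.InitiatorUserName is not
    // set here; kept as in the original — confirm whether that is intended.
    userName = extractUser(message);
    if (userName !== null) {
      this.sun = userName;
    }
    this.evt = "RADIUS Login";
    e.XDASTaxonomyName = "XDAS_AE_AUTHENTICATE_ACCOUNT";
    e.XDASOutcomeName = "XDAS_OUT_DENIAL";
    e.XDASOutcome = "2";
    e.XDASDetail = "0";
    e.XDASIdentifier = "4";
    this.iud = "\\meta\\users";

    // NOTE(review): failures get 0 and successes get 3; confirm that this
    // ordering matches the severity scale the collector expects.
    this.i_syslog_severity = 0;
  }

  return true;
};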