├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── CODE_OF_CONDUCT.md ├── Cohesity_Backup_Extractions ├── Dell_EMC_VMAX_Unity_Extractors ├── LICENSE.md ├── README.md ├── cisco_ucs_extractors ├── cohesity.json ├── content_pack.json ├── vmware7_extraction └── vmware_esxi_extractors /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. iPhone6] 33 | - OS: [e.g. iOS8.1] 34 | - Browser [e.g. stock browser, safari] 35 | - Version [e.g. 22] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 
12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, sex characteristics, gender identity and expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 
11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. 
Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at dave@icnsolutions.net. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | 75 | For answers to common questions about this code of conduct, see 76 | https://www.contributor-covenant.org/faq 77 | -------------------------------------------------------------------------------- /Cohesity_Backup_Extractions: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | 4 | 5 | 6 | { 7 | "title": "Cohesity connection status", 8 | "extractor_type": "grok", 9 | "converters": [], 10 | "order": 0, 11 | "cursor_strategy": "copy", 12 | "source_field": "message", 13 | "target_field": "", 14 | "extractor_config": { 15 | "grok_pattern": "\\: Received disconnect from %{IPV4} port %{DATA:cohesity_port}\\:%{DATA:cohesity_port2}\\: %{DATA:cohesity_connection_status} by user" 16 | }, 17 | "condition_type": "none", 18 | "condition_value": "" 19 | }, 20 | { 21 | "title": "Cohesity login connectivity status", 22 | 
"extractor_type": "grok", 23 | "converters": [], 24 | "order": 0, 25 | "cursor_strategy": "copy", 26 | "source_field": "message", 27 | "target_field": "", 28 | "extractor_config": { 29 | "grok_pattern": "\\: %{DATA:unix_connection_status} from %{IPV4} port %{GREEDYDATA:cohesity_port} ssh2\\: RSA %{DATA:cohesity_rsa_encryption}\\:%{GREEDYDATA:cohesity_rsa_encryption_key}" 30 | }, 31 | "condition_type": "none", 32 | "condition_value": "" 33 | }, 34 | { 35 | "title": "Cohesity PAM fail lock", 36 | "extractor_type": "grok", 37 | "converters": [], 38 | "order": 0, 39 | "cursor_strategy": "copy", 40 | "source_field": "message", 41 | "target_field": "", 42 | "extractor_config": { 43 | "grok_pattern": "%{DATA:unix_pam_module}\\(%{DATA:unix_service}\\:%{DATA:unix_service_pam}\\)\\: User unknown" 44 | }, 45 | "condition_type": "none", 46 | "condition_value": "" 47 | }, 48 | { 49 | "title": "Cohesity pam auth status with uid", 50 | "extractor_type": "grok", 51 | "converters": [], 52 | "order": 0, 53 | "cursor_strategy": "copy", 54 | "source_field": "message", 55 | "target_field": "", 56 | "extractor_config": { 57 | "grok_pattern": "\\: %{DATA:unix_pam_module}\\(%{DATA:unix_service}\\:%{DATA:unix_service_pam}\\)\\: session %{DATA:pam_module_status} for user %{DATA:username} by \\(uid=%{DATA:unix_uid_id}\\)" 58 | }, 59 | "condition_type": "none", 60 | "condition_value": "" 61 | }, 62 | { 63 | "title": "Cohesity pam auth status", 64 | "extractor_type": "grok", 65 | "converters": [], 66 | "order": 0, 67 | "cursor_strategy": "copy", 68 | "source_field": "message", 69 | "target_field": "", 70 | "extractor_config": { 71 | "grok_pattern": "\\: %{DATA:unix_pam_module}\\(%{DATA:unix_service}\\:%{DATA:unix_service_pam}\\)\\: session %{DATA:pam_module_status} for user %{DATA:username}" 72 | }, 73 | "condition_type": "none", 74 | "condition_value": "" 75 | }, 76 | { 77 | "title": "Cohesity password", 78 | "extractor_type": "grok", 79 | "converters": [], 80 | "order": 0, 81 | 
"cursor_strategy": "copy", 82 | "source_field": "message", 83 | "target_field": "", 84 | "extractor_config": { 85 | "grok_pattern": "\\: %{DATA:password_status} %{DATA:password_type} for %{DATA:username} from %{IPV4} port %{DATA:cohesity_port} ssh2" 86 | }, 87 | "condition_type": "none", 88 | "condition_value": "" 89 | }, 90 | 91 | { 92 | "title": "Cohesity failed password", 93 | "extractor_type": "grok", 94 | "converters": [], 95 | "order": 0, 96 | "cursor_strategy": "copy", 97 | "source_field": "message", 98 | "target_field": "", 99 | "extractor_config": { 100 | "grok_pattern": "\\: %{DATA:password_status}password for invalid user %{DATA:username} from %{IPV4} port %{DATA:cohesity_port} ssh2" 101 | }, 102 | "condition_type": "none", 103 | "condition_value": "" 104 | }, 105 | { 106 | "title": "Cohesity ssh user , ip, and port", 107 | "extractor_type": "grok", 108 | "converters": [], 109 | "order": 0, 110 | "cursor_strategy": "copy", 111 | "source_field": "message", 112 | "target_field": "", 113 | "extractor_config": { 114 | "grok_pattern": "for %{DATA:username} from %{IPV4} port %{DATA:cohesity_port} ssh2\\:" 115 | }, 116 | "condition_type": "none", 117 | "condition_value": "" 118 | }, 119 | { 120 | "title": "Cohesity Backup Extraction", 121 | "extractor_type": "grok", 122 | "converters": [], 123 | "order": 0, 124 | "cursor_strategy": "copy", 125 | "source_field": "message", 126 | "target_field": "", 127 | "extractor_config": { 128 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: 
\"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\{\"EntityType\" : \"kVMware\", \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\]\\, \"ReplicationTarget\" \\: \\{\"ClusterId\" \\: \"%{DATA:cohesity_repliation_cluster_id}\", \"ClusterName\" \\: \"%{DATA:cohesity_replication_target_hostname}\"\\}, \"AttributeMap\" \\: \\{\"%{DATA:cohesity_attribute_name}\" : \"%{DATA:cohesity_attribute_number}\"\\}\\}" 129 | }, 130 | "condition_type": "none", 131 | "condition_value": "" 132 | }, 133 | { 134 | "title": "Cohesity Backup Failure Extraction ORACLE Error 2", 135 | "extractor_type": "grok", 136 | "converters": [], 137 | "order": 0, 138 | "cursor_strategy": "copy", 139 | "source_field": "message", 140 | "target_field": "", 141 | "extractor_config": { 142 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\"\\, \"Entities\" \\: \\[\\], \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\", \"ErrorMessage\" \\: 
\"%{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\\}\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{\"%{DATA:cohesity_attribute_name}\" : %{DATA:cohesity_attrib_number}\\}\\}" 143 | }, 144 | "condition_type": "none", 145 | "condition_value": "" 146 | }, 147 | { 148 | "title": "Cohesity Backup Failure Extraction ORACLE Error 3", 149 | "extractor_type": "grok", 150 | "converters": [], 151 | "order": 0, 152 | "cursor_strategy": "copy", 153 | "source_field": "message", 154 | "target_field": "", 155 | "extractor_config": { 156 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\"\\, \"Entities\" \\: \\[\\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\"\\, \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\], \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\"\\, \"ErrorMessage\" \\: \"%{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\\}\\, \"TaskId\" \\: \\\"%{GREEDYDATA:cohesity_task_id}" 157 | }, 158 | "condition_type": "none", 159 | "condition_value": "" 160 | }, 161 | { 162 | "title": "Cohesity Backup Tasks", 163 | "extractor_type": "grok", 164 | "converters": [], 165 | "order": 0, 166 | "cursor_strategy": "copy", 167 | 
"source_field": "message", 168 | "target_field": "", 169 | "extractor_config": { 170 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\{\"EntityType\" : \"kVMware\", \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\]\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{\\}\\}" 171 | }, 172 | "condition_type": "none", 173 | "condition_value": "" 174 | }, 175 | { 176 | "title": "Cohesity Backup Replication Extraction", 177 | "extractor_type": "grok", 178 | "converters": [], 179 | "order": 0, 180 | "cursor_strategy": "copy", 181 | "source_field": "message", 182 | "target_field": "", 183 | "extractor_config": { 184 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: 
\\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\{\"EntityType\" : \"kVMware\", \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\]\\, \"ReplicationTarget\" \\: \\{\"ClusterId\" \\: \"%{DATA:cohesity_repliation_cluster_id}\", \"ClusterName\" \\: \"%{DATA:cohesity_replication_target_hostname}\"\\}, \"AttributeMap\" \\: \\{\\}\\}" 185 | }, 186 | "condition_type": "none", 187 | "condition_value": "" 188 | }, 189 | { 190 | "title": "Cohesity Backup Tasks 2", 191 | "extractor_type": "grok", 192 | "converters": [], 193 | "order": 0, 194 | "cursor_strategy": "copy", 195 | "source_field": "message", 196 | "target_field": "", 197 | "extractor_config": { 198 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" : \"%{DATA:cohesity_backup_job_id_number}\"\\, \"Entities\" \\: \\[\\]\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{\"%{DATA:cohesity_attribute_name}\" : %{DATA:cohesity_attrib_number}\\}\\}" 199 | }, 200 | 
"condition_type": "none", 201 | "condition_value": "" 202 | }, 203 | { 204 | "title": "Cohesity Backup Failure Extraction", 205 | "extractor_type": "grok", 206 | "converters": [], 207 | "order": 0, 208 | "cursor_strategy": "copy", 209 | "source_field": "message", 210 | "target_field": "", 211 | "extractor_config": { 212 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\{\"EntityType\" : \"kVMware\", \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\], \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\"\\, \"ErrorMessage\" \\: \"\\[Code %{DATA:COHESITY_ERROR_CODE_NUMBER}\\] %{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\\\"}\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{}\\}" 213 | }, 214 | "condition_type": "none", 215 | "condition_value": "" 216 | }, 217 | { 218 | "title": "Cohesity Archival backup Extraction ", 219 | "extractor_type": "grok", 220 | "converters": [], 221 | "order": 0, 222 | "cursor_strategy": "copy", 223 | "source_field": "message", 224 | "target_field": "", 225 | "extractor_config": { 226 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : 
\"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\]\\, \"%{DATA:cohesity_archival_target}\\\" \\: \\{\"Type\" \\: \"%{DATA:cohesity_archivaltarget_type}\"\\, \"Name\" \\: \"%{DATA:cohesity_archival_name}\"\\}\\, \"AttributeMap\" \\: \\{\\}\\}" 227 | }, 228 | "condition_type": "none", 229 | "condition_value": "" 230 | }, 231 | { 232 | "title": "Cohesity Backup Failure Extraction ORACLE Error", 233 | "extractor_type": "grok", 234 | "converters": [], 235 | "order": 0, 236 | "cursor_strategy": "copy", 237 | "source_field": "message", 238 | "target_field": "", 239 | "extractor_config": { 240 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: 
\"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\"\\, \"Entities\" \\: \\[\\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\"\\, \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\], \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\"\\, \"ErrorMessage\" \\: \"%{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\\}\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{}\\}" 241 | }, 242 | "condition_type": "none", 243 | "condition_value": "" 244 | }, 245 | { 246 | "title": "Cohesity Backup Failure Extraction 3", 247 | "extractor_type": "grok", 248 | "converters": [], 249 | "order": 0, 250 | "cursor_strategy": "copy", 251 | "source_field": "message", 252 | "target_field": "", 253 | "extractor_config": { 254 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\]\\, \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\"\\, \"ErrorMessage\" \\: %{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\\}\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{\"%{DATA:cohesity_attribute_name}\" : %{DATA:cohesity_attrib_number}\\}\\}" 255 | }, 256 | 
"condition_type": "none", 257 | "condition_value": "" 258 | }, 259 | { 260 | "title": "Cohesity Backup Failure Extraction 2", 261 | "extractor_type": "grok", 262 | "converters": [], 263 | "order": 0, 264 | "cursor_strategy": "copy", 265 | "source_field": "message", 266 | "target_field": "", 267 | "extractor_config": { 268 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\]\\, \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\"\\, \"ErrorMessage\" \\: \"\\[Code %{DATA:COHESITY_ERROR_CODE_NUMBER}\\] %{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\\\"}\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{\"%{DATA:cohesity_attribute_name}\" : %{DATA:cohesity_attrib_number}\\}\\}" 269 | }, 270 | "condition_type": "none", 271 | "condition_value": "" 272 | }, 273 | { 274 | "title": "Cohesity Error Entity Global extraction ", 275 | "extractor_type": "grok", 276 | "converters": [], 277 | "order": 0, 278 | "cursor_strategy": "copy", 279 | "source_field": "message", 280 | "target_field": "", 281 | "extractor_config": { 282 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"ClusterInfo\" 
: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}, \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" : \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\], \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\", \"ErrorMessage\" : \"%{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}\"}\\, \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{\"%{DATA:cohesity_attribute_name}\" : %{DATA:cohesity_attrib_number}\\}\\}" 283 | }, 284 | "condition_type": "none", 285 | "condition_value": "" 286 | }, 287 | { 288 | "title": "Cohesity Backup Failure Extraction MSSQLSERVER", 289 | "extractor_type": "grok", 290 | "converters": [], 291 | "order": 0, 292 | "cursor_strategy": "copy", 293 | "source_field": "message", 294 | "target_field": "", 295 | "extractor_config": { 296 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"ClusterInfo\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : 
\"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\]\\, \"Error\" \\: \\{\"ErrorCode\" \\: \"%{DATA:COHESITY_ERROR_CODE}\" : \"%{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}" 297 | }, 298 | "condition_type": "none", 299 | "condition_value": "" 300 | }, 301 | { 302 | "title": "Cohesity Backup Failure Extraction MSSQLSERVER 2", 303 | "extractor_type": "grok", 304 | "converters": [], 305 | "order": 0, 306 | "cursor_strategy": "copy", 307 | "source_field": "message", 308 | "target_field": "", 309 | "extractor_config": { 310 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \"ClusterInfo\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" : \\[], \"Error\" : \\{\"ErrorCode\" : %{DATA:COHESITY_ERROR_CODE}, \"ErrorMessage\" : \"%{GREEDYDATA:COHESITY_ERROR_MESSAGE}Please" 311 | }, 312 | "condition_type": "none", 313 | "condition_value": "" 314 | }, 315 | { 316 | "title": "Cohesity Oracle Pass ", 317 | "extractor_type": "grok", 318 | "converters": [], 319 | "order": 0, 320 | "cursor_strategy": "copy", 321 | "source_field": "message", 322 | "target_field": "", 323 | "extractor_config": { 324 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" : 
\"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_environment_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}\\, \"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\"\\, \"Entities\" \\: \\[\\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\"\\, \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\], \"TaskId\" \\: \"%{DATA:cohesity_task_id}\"\\, \"AttributeMap\" \\: \\{}\\}" 325 | }, 326 | "condition_type": "none", 327 | "condition_value": "" 328 | }, 329 | 330 | { 331 | "title": "Cohesity Backup Failure Extraction ORACLE Error 5 ", 332 | "extractor_type": "grok", 333 | "converters": [], 334 | "order": 0, 335 | "cursor_strategy": "copy", 336 | "source_field": "message", 337 | "target_field": "", 338 | "extractor_config": { 339 | "grok_pattern": "%{HOSTNAME} %{DATA:cohesity_syslog_type}: \\{\"EventMessage\" : \"%{DATA:cohesity_event_message_type}\\\"\\, \"Timestamp\" \\: \"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\\.%{DATA:NANOSECOND}%{ISO8601_TIMEZONE}\"\\, \\\"ClusterInfo\\\" \\: \\{\"ClusterId\" : \"%{DATA:cohesity_cluster_id}\\\", \"ClusterName\" : \"%{DATA:cohesity_cluster_name}\"\\}, \"EventType\" \\: %{DATA:cohesity_event_type}, \"EnvironmentType\" \\: %{DATA:cohesity_environment_type}, \"RegisteredSource\" \\: \\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\", \"EntityId\" : \"%{DATA:cohesity_entity_id}\", \"EntityName\" \\: \"%{DATA:cohesity_backup_vcenter_name}\"\\}, 
\"BackupJobName\" \\: \"%{DATA:cohesity_backup_job_name}\"\\, \"BackupJobId\" \\: \"%{DATA:cohesity_backup_job_id_number}\", \"Entities\" \\: \\[\\{\"EntityType\" \\: \"%{DATA:cohesity_entity_type}\"\\, \"EntityId\" \\: \"%{DATA:cohesity_backup_entity_id}\\, \"EntityName\" \\: \"%{DATA:cohesity_entity_hostname}\"}\\], \"Error\" \\: \\{\"ErrorCode\" \\: \"kAgentError\", \"ErrorMessage\" \\: \"\\[kOracleCmdError]\\: %{GREEDYDATA:COHESITY_ERROR_CODE_MESSAGE}" 340 | }, 341 | "condition_type": "none", 342 | "condition_value": "" 343 | } 344 | 345 | 346 | ], 347 | "version": "4.0.1" 348 | } 349 | -------------------------------------------------------------------------------- /Dell_EMC_VMAX_Unity_Extractors: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "VMAX item has changed RegEX", 5 | "extractor_type": "regex", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "VMAX_quick_config", 11 | "extractor_config": { 12 | "regex_value": "= (.+?) has changed." 13 | }, 14 | "condition_type": "none", 15 | "condition_value": "" 16 | }, 17 | 18 | { 19 | "title": "VMAX Device state has changed to Not Present", 20 | "extractor_type": "grok", 21 | "converters": [], 22 | "order": 0, 23 | "cursor_strategy": "copy", 24 | "source_field": "message", 25 | "target_field": "", 26 | "extractor_config": { 27 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Device=%{DATA:emc_var_device_name}\\] \\[sev=%{DATA:emc_var_severity}\\] = Device state has changed to Not Present." 
28 | }, 29 | "condition_type": "none", 30 | "condition_value": "" 31 | }, 32 | { 33 | "title": "EMC Director status", 34 | "extractor_type": "grok", 35 | "converters": [], 36 | "order": 0, 37 | "cursor_strategy": "copy", 38 | "source_field": "message", 39 | "target_field": "", 40 | "extractor_config": { 41 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Director=%{DATA:emc_director_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Director state has changed to %{GREEDYDATA:emc_port_status}." 42 | }, 43 | "condition_type": "none", 44 | "condition_value": "" 45 | }, 46 | { 47 | "title": "EMC VMAX Port ID", 48 | "extractor_type": "grok", 49 | "converters": [], 50 | "order": 0, 51 | "cursor_strategy": "copy", 52 | "source_field": "message", 53 | "target_field": "", 54 | "extractor_config": { 55 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Port=%{DATA:emc_port_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Port state has changed to %{GREEDYDATA:emc_port_status}." 56 | }, 57 | "condition_type": "none", 58 | "condition_value": "" 59 | }, 60 | { 61 | "title": "EMC VMAX Director Not Responding", 62 | "extractor_type": "grok", 63 | "converters": [], 64 | "order": 0, 65 | "cursor_strategy": "copy", 66 | "source_field": "message", 67 | "target_field": "", 68 | "extractor_config": { 69 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Director=%{DATA:emc_director_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Director not responding." 
70 | }, 71 | "condition_type": "none", 72 | "condition_value": "" 73 | }, 74 | { 75 | "title": "EMC VMAX DIsk Director Not responding", 76 | "extractor_type": "grok", 77 | "converters": [], 78 | "order": 0, 79 | "cursor_strategy": "copy", 80 | "source_field": "message", 81 | "target_field": "", 82 | "extractor_config": { 83 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Director=%{DATA:emc_director_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Disk director not responding." 84 | }, 85 | "condition_type": "none", 86 | "condition_value": "" 87 | }, 88 | { 89 | "title": "EMC VMAX Director is Dead!", 90 | "extractor_type": "grok", 91 | "converters": [], 92 | "order": 0, 93 | "cursor_strategy": "copy", 94 | "source_field": "message", 95 | "target_field": "", 96 | "extractor_config": { 97 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Director=%{DATA:emc_director_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Director state has changed to Dead." 
98 | }, 99 | "condition_type": "none", 100 | "condition_value": "" 101 | }, 102 | { 103 | "title": "EMC VMAX Disk Error ", 104 | "extractor_type": "grok", 105 | "converters": [], 106 | "order": 0, 107 | "cursor_strategy": "copy", 108 | "source_field": "message", 109 | "target_field": "", 110 | "extractor_config": { 111 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}] \\[Disk\\=%{DATA:emc_disk_device}\\] \\[sev=%{DATA:emc_var_severity}\\] \\= %{GREEDYDATA:emc_disk_error_message}" 112 | }, 113 | "condition_type": "none", 114 | "condition_value": "" 115 | }, 116 | { 117 | "title": "EMC VMAX lock message", 118 | "extractor_type": "grok", 119 | "converters": [], 120 | "order": 0, 121 | "cursor_strategy": "copy", 122 | "source_field": "message", 123 | "target_field": "", 124 | "extractor_config": { 125 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[SEL=%{DATA:emc_sel_event_id}\\] = %{GREEDYDATA:emc_disk_error_message}" 126 | }, 127 | "condition_type": "none", 128 | "condition_value": "" 129 | }, 130 | { 131 | "title": "EMC VMAX general warning", 132 | "extractor_type": "grok", 133 | "converters": [], 134 | "order": 0, 135 | "cursor_strategy": "copy", 136 | "source_field": "message", 137 | "target_field": "", 138 | "extractor_config": { 139 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = %{GREEDYDATA:emc_disk_error_message}" 140 | }, 141 | "condition_type": "none", 142 | "condition_value": "" 
143 | }, 144 | { 145 | "title": "VMAX license has changed", 146 | "extractor_type": "grok", 147 | "converters": [], 148 | "order": 0, 149 | "cursor_strategy": "copy", 150 | "source_field": "message", 151 | "target_field": "", 152 | "extractor_config": { 153 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[License=%{DATA:vmax_license}\\] \\[sev=%{DATA:emc_var_severity}\\] = %{DATA:VMAX_quick_config} License has changed" 154 | }, 155 | "condition_type": "none", 156 | "condition_value": "" 157 | }, 158 | { 159 | "title": "EMC VMAX Effective used capacity for SRP", 160 | "extractor_type": "grok", 161 | "converters": [], 162 | "order": 0, 163 | "cursor_strategy": "copy", 164 | "source_field": "message", 165 | "target_field": "", 166 | "extractor_config": { 167 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[FastSRP=%{DATA:emc_var_fastsrp_group}\\] \\[sev=%{DATA:emc_var_severity}\\] = The Effective used capacity for SRP has changed to %{DATA:emc_var_effective_percentage} percent" 168 | }, 169 | "condition_type": "none", 170 | "condition_value": "" 171 | }, 172 | { 173 | "title": "VMAX data device pool is almost full", 174 | "extractor_type": "grok", 175 | "converters": [], 176 | "order": 0, 177 | "cursor_strategy": "copy", 178 | "source_field": "message", 179 | "target_field": "", 180 | "extractor_config": { 181 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Save or data device pool is 
almost full." 182 | }, 183 | "condition_type": "none", 184 | "condition_value": "" 185 | }, 186 | { 187 | "title": "VMAX service processor Unable to call Home ", 188 | "extractor_type": "grok", 189 | "converters": [], 190 | "order": 0, 191 | "cursor_strategy": "copy", 192 | "source_field": "message", 193 | "target_field": "", 194 | "extractor_config": { 195 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Service Processor could not complete a call for service." 196 | }, 197 | "condition_type": "none", 198 | "condition_value": "" 199 | }, 200 | { 201 | "title": "VMAX Back-End metadata usage", 202 | "extractor_type": "grok", 203 | "converters": [], 204 | "order": 0, 205 | "cursor_strategy": "copy", 206 | "source_field": "message", 207 | "target_field": "", 208 | "extractor_config": { 209 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Back-End metadata usage has changed to %{BASE10NUM:emc_var_backend_meta_usage} percent." 
210 | }, 211 | "condition_type": "none", 212 | "condition_value": "" 213 | }, 214 | { 215 | "title": "EMC VMAX Array state Change ", 216 | "extractor_type": "grok", 217 | "converters": [], 218 | "order": 0, 219 | "cursor_strategy": "copy", 220 | "source_field": "message", 221 | "target_field": "", 222 | "extractor_config": { 223 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Array state has changed to %{WORD:emc_var_array_status}." 224 | }, 225 | "condition_type": "none", 226 | "condition_value": "" 227 | }, 228 | { 229 | "title": "EMC VMAX device configuration checksum", 230 | "extractor_type": "grok", 231 | "converters": [], 232 | "order": 0, 233 | "cursor_strategy": "copy", 234 | "source_field": "message", 235 | "target_field": "", 236 | "extractor_config": { 237 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Device=%{DATA:emc_var_device_name}\\] \\[sev=%{DATA:emc_var_severity}\\] = The device configuration checksum has changed." 
238 | }, 239 | "condition_type": "none", 240 | "condition_value": "" 241 | }, 242 | { 243 | "title": "EMC VMAX SRP maximum capacity change", 244 | "extractor_type": "grok", 245 | "converters": [], 246 | "order": 0, 247 | "cursor_strategy": "copy", 248 | "source_field": "message", 249 | "target_field": "", 250 | "extractor_config": { 251 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[FastSRP=%{DATA:emc_var_fastsrp_group}\\] \\[sev=%{DATA:emc_var_severity}\\] = The SRP maximum capacity has changed to %{BASE16FLOAT:emc_var_srp_max_capacity} GB." 252 | }, 253 | "condition_type": "none", 254 | "condition_value": "" 255 | }, 256 | { 257 | "title": "EMC VMAX Data Pool change event", 258 | "extractor_type": "grok", 259 | "converters": [], 260 | "order": 0, 261 | "cursor_strategy": "copy", 262 | "source_field": "message", 263 | "target_field": "", 264 | "extractor_config": { 265 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[TPDataPool=%{DATA:emc_diskpool_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Data Pool configuration has changed." 
266 | }, 267 | "condition_type": "none", 268 | "condition_value": "" 269 | }, 270 | { 271 | "title": "EMC VMAX Data Application Registration event", 272 | "extractor_type": "grok", 273 | "converters": [], 274 | "order": 0, 275 | "cursor_strategy": "copy", 276 | "source_field": "message", 277 | "target_field": "", 278 | "extractor_config": { 279 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Application Registration DB has changed." 280 | }, 281 | "condition_type": "none", 282 | "condition_value": "" 283 | }, 284 | { 285 | "title": "EMC VMAX Array Configuration Event", 286 | "extractor_type": "grok", 287 | "converters": [], 288 | "order": 0, 289 | "cursor_strategy": "copy", 290 | "source_field": "message", 291 | "target_field": "", 292 | "extractor_config": { 293 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Array configuration has changed." 
294 | }, 295 | "condition_type": "none", 296 | "condition_value": "" 297 | }, 298 | { 299 | "title": "EMC VMAX Device state Change", 300 | "extractor_type": "grok", 301 | "converters": [], 302 | "order": 0, 303 | "cursor_strategy": "copy", 304 | "source_field": "message", 305 | "target_field": "", 306 | "extractor_config": { 307 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[Device=%{DATA:emc_var_device_name}\\] \\[sev=%{DATA:emc_var_severity}\\] = Device state has changed to %{GREEDYDATA:emc_var_device_state}." 308 | }, 309 | "condition_type": "none", 310 | "condition_value": "" 311 | }, 312 | { 313 | "title": "EMC VMAX Data Pool utilization", 314 | "extractor_type": "grok", 315 | "converters": [], 316 | "order": 0, 317 | "cursor_strategy": "copy", 318 | "source_field": "message", 319 | "target_field": "", 320 | "extractor_config": { 321 | "grok_pattern": "%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} EMCstorevntd: \\[fmt=evt\\] \\[evtid=%{DATA:emc_eventid}\\] \\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\\] \\[symid=%{DATA:emc_vmax_id}\\] \\[TPDataPool=%{DATA:emc_diskpool_id}\\] \\[sev=%{DATA:emc_var_severity}\\] = Data Pool utilization is now %{BASE10NUM:emc_var_data_pool_utilization} percent." 
322 |       },
323 |       "condition_type": "none",
324 |       "condition_value": ""
325 |     },
326 |     {
327 |       "title": "EMC Unity Syslog Event",
328 |       "extractor_type": "grok",
329 |       "converters": [],
330 |       "order": 0,
331 |       "cursor_strategy": "copy",
332 |       "source_field": "message",
333 |       "target_field": "",
334 |       "extractor_config": {
335 |         "grok_pattern": ": \"%{YEAR}\\-%{MONTHNUM}-%{MONTHDAY}T%{TIME}Z\" \"%{DATA:emc_unity_sp}@%{DATA:emc_unity_serial}\\\" \"%{DATA:emc_unity_management}\" \"%{DATA:emc_unity_message_code}\" \"%{DATA:emc_unity_username}\" \"%{DATA:facility}\" \"%{DATA:emc_unity_message_code_2}\" \\:: \"%{GREEDYDATA:emc_unity_message_code_description}\" \\:: Category=%{DATA:emc_unity_category} Component=%{DATA:emc_unity_component} TimeZone=%{GREEDYDATA:timezone}"
336 |       },
337 |       "condition_type": "none",
338 |       "condition_value": ""
339 |     }
340 |
341 |   ],
342 |   "version": "4.0.1"
343 | }
344 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | This application is free software: you can redistribute it and/or modify
2 | it under the terms of the GNU General Public License as published by
3 | the Free Software Foundation, either version 3 of the License or
4 | (at your option) any later version.
5 |
6 | This application is distributed in the hope that it will be useful,
7 | but WITHOUT ANY WARRANTY; without even the implied warranty of
8 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 | GNU General Public License for more details.
10 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Broadcom issues - I am no longer supporting this, look to Proxmox! I will be building Proxmox extractors with Graylog, stay tuned!
2 | # glog: VMware content pack and extractors for Graylog, confirmed tested on graylog-server 6.x+, written for hypervisors and the appliance version of vCenter
3 | # Note: VMware 8 and Graylog 6 installations have been tested
4 | Provides Graylog dashboards for all hypervisors, storage performance, DVS messages, VMware version, storage path failures, host/device performance issues, memory/CPU alerts, last list of vMotions, MAC to DVS, VMware port group to hypervisor, last login failures, last successful logins, guests attempting network sniffing in the last 2 hours, top LDAP users, and recent changes to VMware virtual machines by users, all in a simple-to-use dashboard that is completely customizable! To get the best benefit, make sure your Graylog instance is configured for syslog UDP, and make sure to use distributed switching within VMware! Have fun! Extractions using GROK, I've not had the time to change this to regex!
5 |
6 | ![image](https://github.com/dcecchino/glog/assets/17807052/5faea0fc-e406-4bf6-a753-d00704fdcbb2)
7 |
8 |
9 | New: Cohesity Extractors and Dashboard for Backups
10 | New: Dell and Cisco UCS Extractions
11 | New: VMware 7 regex extractions
12 | New: Security Extractions
13 |
14 | # READ CAREFULLY: the new vCenter 7 extractor should be used for VMware 7/8 only, not 6.5. If you use the 6.5 extractors for a 7.0 vCenter instance, your buffer processes will fill up very quickly and cause Graylog to stop responding. Also, to install the content pack you have to have a minimum version of 6.
15 |
16 | 1. Download content_pack.json and install it under System/Input Content Packs
17 | 2. Download vmware_esxi_extractors (apply to the ESXi input) or vmware7_extraction (for version 7.0 or higher; apply to the vCenter input) and import it under System/Inputs/Manage extractors
18 | 3. It is recommended to apply a dedicated bucket ports/syslog input for VMware to structure your data!
19 | 4. Make sure you point syslog on both hypervisors and vCenters to Graylog, then start receiving your data.
View the VMware Dashboard.
20 | 5. Wait for your data to start coming in.
21 |
22 | # Enable the high port on the Graylog server with iptables (redirect 514 to 1514)
23 |
24 | ```
25 | iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 1514
26 | iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to-ports 1514
27 | ```
28 |
29 |
30 | # Tune your ESXi syslog configuration via SSH for VMware version 6.5 AND VMware 7.0U3 or LESS!!
31 |
32 | ```
33 | sed -i 's/verbose/error/g' /etc/vmware/vpxa/vpxa.cfg
34 | sed -i 's/verbose/error/g' /etc/vmware/hostd/config.xml
35 | sed -i 's/verbose/error/g' /etc/vmware/rhttpproxy/config.xml
36 | sed -i 's/verbose/error/g' /etc/opt/vmware/fdm/fdm.cfg
37 | sed -i 's/info/error/g' /etc/vmware/hostd/probe-config.xml
38 | sed -i 's/info/error/g' /etc/vmware/vsan/vsanperf.conf
39 | sed -i 's/verbose/error/g' /etc/vmware/vsan/vsanmgmt-config.xml
40 | sed -i 's/verbose/error/g' /etc/vmware/vsan/vsanesxcmd-config.xml
41 | esxcli system syslog config set --loghost='udp://update_syslog_ip_or_hostname:514'
42 | esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
43 | esxcli network firewall refresh
44 | /etc/init.d/vmware-fdm restart
45 | /etc/init.d/rhttpproxy restart
46 | /etc/init.d/hostd restart
47 | /etc/init.d/vpxa restart
48 | /etc/init.d/vsantraced restart
49 | /etc/init.d/vsanmgmtd restart
50 | sleep 5
51 | esxcli system syslog reload
52 | ```
53 | # READ CAREFULLY FOR VMware 7 versions greater than 7.0U3
54 | ```
55 | In previous releases (before ESXi 7.0U3) you may be instructed by other KB article(s) to change some settings of ESXi service "vpxa" by directly editing its configuration file (/etc/vmware/vpxa/vpxa.cfg) manually and restarting the "vpxa" service.
56 | 57 | The settings in the database are accessible by a tool: /bin/configstorecli , changes also apply to hostd 58 | ``` 59 | 60 | 61 | 62 | Slowly migrating to regex from Grok 63 | 64 | 65 | -------------------------------------------------------------------------------- /cisco_ucs_extractors: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "Cisco UCS CIMC Error", 5 | "extractor_type": "grok", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "", 11 | "extractor_config": { 12 | "grok_pattern": "%{DATA:HOSTNAME} fault-engined\\: %{DATA:CISCO_UCS_STATUS_MSG}\\:\\[%{DATA:CISCO_UCS_EVENT_ID}\\]\\[%{DATA:CISCO_UCS_SEVERITY}\\]\\[%{DATA:CISCO_UCS_ERROR_MSG}\\]\\[%{DATA:CISCO_UCS_CHASIS_HW_LOCATION}\\] %{DATA:CISCO_UCS_SYSLOG_HW_MSG}\\:%{GREEDYDATA:CISCO_UCS_SYSLOG_HW_ERROR}" 13 | }, 14 | "condition_type": "none", 15 | "condition_value": "" 16 | }, 17 | { 18 | "title": "Cisco UCS Error Messages", 19 | "extractor_type": "grok", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "", 25 | "extractor_config": { 26 | "grok_pattern": "%UCSM-2-%{DATA:CISCO_UCS_STATUS_MSG}\\: \\[%{DATA:CISCO_UCS_EVENT_ID}\\]\\[%{DATA:CISCO_UCS_SEVERITY}\\]\\[%{DATA:CISCO_UCS_ERROR_MSG}\\]\\[%{DATA:CISCO_UCS_CHASIS_HW_LOCATION}\\] %{GREEDYDATA:CISCO_UCS_FULL_MSG}" 27 | }, 28 | "condition_type": "none", 29 | "condition_value": "" 30 | }, 31 | { 32 | "title": "Cisco UCS CIMC Error 2 ", 33 | "extractor_type": "grok", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "", 39 | "extractor_config": { 40 | "grok_pattern": "\\: %{DATA:application_name}\\:%{DATA:process_id}\\: # %{GREEDYDATA:CIMC_CODE_1} \\# %{DATA:CIMC_CODE_2} %{DATE_US} %{TIME} \\| %{DATA:CIMC_APP_TYPE} \\| %{GREEDYDATA:CISCO_UCS_ERROR_MSG} 
\\#%{DATA:CIMC_APP_CODE} \\| %{DATA:CISCO_UCS_SYSLOG_HW_ERROR} \\| %{GREEDYDATA:CIMC_STATE}" 41 | }, 42 | "condition_type": "none", 43 | "condition_value": "" 44 | }, 45 | { 46 | "title": "Cisco UCS CIMC Error 3", 47 | "extractor_type": "grok", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "", 53 | "extractor_config": { 54 | "grok_pattern": "%{DATA:application_name}\\:%{DATA:process_id}\\: # %{GREEDYDATA:CIMC_CODE_1} \\# %{DATA:CIMC_CODE_2} %{DATE_US} %{TIME} UTC \\| %{DATA:CIMC_APP_TYPE} \\| %{GREEDYDATA:CISCO_UCS_ERROR_MSG} \\#%{DATA:CIMC_APP_CODE} \\| %{DATA:CISCO_UCS_SYSLOG_HW_ERROR} \\| %{GREEDYDATA:CIMC_STATE}" 55 | }, 56 | "condition_type": "none", 57 | "condition_value": "" 58 | }, 59 | { 60 | "title": "Cisco UCS Error Message 2", 61 | "extractor_type": "grok", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "", 67 | "extractor_config": { 68 | "grok_pattern": "%UCSM-3-%{GREEDYDATA:CISCO_UCS_STATUS_MSG}\\: \\[%{DATA:CISCO_UCS_EVENT_ID}\\]\\[%{DATA:CISCO_UCS_SEVERITY}\\]\\[%{DATA:CISCO_UCS_ERROR_MSG}\\]\\[%{DATA:CISCO_UCS_CHASIS_HW_LOCATION}\\] %{GREEDYDATA:CISCO_UCS_FULL_MSG}" 69 | }, 70 | "condition_type": "none", 71 | "condition_value": "" 72 | }, 73 | { 74 | "title": "UCS Error Message 4", 75 | "extractor_type": "grok", 76 | "converters": [], 77 | "order": 0, 78 | "cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "", 81 | "extractor_config": { 82 | "grok_pattern": "%UCSM-4-%{GREEDYDATA:CISCO_UCS_STATUS_MSG}\\: \\[%{DATA:CISCO_UCS_EVENT_ID}\\]\\[%{DATA:CISCO_UCS_SEVERITY}\\]\\[%{DATA:CISCO_UCS_ERROR_MSG}\\]\\[%{DATA:CISCO_UCS_CHASIS_HW_LOCATION}\\] %{GREEDYDATA:CISCO_UCS_FULL_MSG}" 83 | }, 84 | "condition_type": "none", 85 | "condition_value": "" 86 | } 87 | ], 88 | "version": "3.3.8" 89 | } 90 | 
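The VMAX grok extractors in Dell_EMC_VMAX_Unity_Extractors share one prefix and differ only in the bracketed items and the message tail, so a single syslog line can satisfy several of them. The following is an added example, not code from the repository: it expands three of those patterns into Python regexes and shows the lazy `%{DATA:emc_vmax_id}` of "EMC VMAX general warning" capturing across a `] [` boundary. Assumptions: patterns are searched unanchored, `BASE10NUM` and `TIMESTAMP_ISO8601` are simplified stand-ins, and `NOTBRACKET`, `prefix()` and the sample log lines are constructed for illustration.

```python
import re

# Stand-ins for the grok primitives these extractors use. DATA and GREEDYDATA
# are the stock grok definitions; BASE10NUM and TIMESTAMP_ISO8601 are
# simplified for this example.
GROK = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "BASE10NUM": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "TIMESTAMP_ISO8601": (r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?"
                          r"(?:Z|[+-]\d{2}(?::?\d{2})?)?"),
    # Hypothetical custom pattern, not defined by the repository: stops at "]".
    "NOTBRACKET": r"[^\]]*",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{SYNTAX:field} tokens into a compiled Python regex."""
    def expand(match):
        syntax, field = match.groups()
        body = GROK[syntax]  # KeyError for a primitive this sketch does not model
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(TOKEN.sub(expand, pattern))


def prefix(symid="DATA"):
    """Shared head of the VMAX patterns, as it reads after JSON decoding."""
    return (r"%{DATA:emc_var_month} %{BASE10NUM:emc_var_day} %{DATA:emc_var_utctime} "
            r"EMCstorevntd: \[fmt=evt\] \[evtid=%{DATA:emc_eventid}\] "
            r"\[date=%{TIMESTAMP_ISO8601:emc_var_timestamp}\] "
            r"\[symid=%{" + symid + r":emc_vmax_id}\] ")


DIRECTOR = r"\[Director=%{DATA:emc_director_id}\] \[sev=%{DATA:emc_var_severity}\] = "
SEV = r"\[sev=%{DATA:emc_var_severity}\] = "
TAIL = "%{GREEDYDATA:emc_disk_error_message}"

# Titles and patterns taken from the extractor file.
EXTRACTORS = [
    ("EMC Director status",
     prefix() + DIRECTOR + "Director state has changed to %{GREEDYDATA:emc_port_status}."),
    ("EMC VMAX Director is Dead!",
     prefix() + DIRECTOR + "Director state has changed to Dead."),
    ("EMC VMAX general warning", prefix() + SEV + TAIL),
]
# Same catch-all, but symid may not run past its closing bracket.
HARDENED = ("general warning, bracket-safe symid", prefix("NOTBRACKET") + SEV + TAIL)

# Constructed sample lines shaped to fit the patterns above.
DIRECTOR_LINE = ("Mar 3 12:00:01 EMCstorevntd: [fmt=evt] [evtid=1203] "
                 "[date=2021-03-03T12:00:01Z] [symid=000197900123] "
                 "[Director=FA-1D] [sev=major] = Director state has changed to Dead.")
ARRAY_LINE = ("Mar 3 12:05:00 EMCstorevntd: [fmt=evt] [evtid=1234] "
              "[date=2021-03-03T12:05:00Z] [symid=000197900123] "
              "[sev=warning] = Array configuration has changed.")


def run(extractors, line):
    """Return {title: captured fields} for every extractor that matches."""
    hits = {}
    for title, pattern in extractors:
        match = grok_to_regex(pattern).search(line)
        if match:
            hits[title] = match.groupdict()
    return hits


def bleeding_fields(fields):
    """Fields whose value swallowed a '] [' boundary between bracketed items."""
    return sorted(name for name, value in fields.items() if "] [" in value)


if __name__ == "__main__":
    for line in (DIRECTOR_LINE, ARRAY_LINE):
        print(line)
        for title, fields in run(EXTRACTORS + [HARDENED], line).items():
            print(f"  {title}: emc_vmax_id={fields['emc_vmax_id']!r} "
                  f"bleeding={bleeding_fields(fields)}")
```

Running the same check over a sample of real events before importing an extractor set shows which messages are claimed by more than one extractor and which fields would be indexed with bracket debris in them.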
-------------------------------------------------------------------------------- /cohesity.json: -------------------------------------------------------------------------------- 1 | { 2 | "v": 1, 3 | "id": "c4d6973d-dd0b-4a9c-af65-f892ce50f5c7", 4 | "rev": 1, 5 | "name": "Cohesity", 6 | "summary": "Cohesity Content Pack", 7 | "description": "\n", 8 | "vendor": "Dave C", 9 | "url": "", 10 | "parameters": [], 11 | "entities": [ 12 | { 13 | "v": "1", 14 | "type": { 15 | "name": "dashboard", 16 | "version": "2" 17 | }, 18 | "id": "fc6c0f51-5431-4c91-87a8-c64c4b7f34b4", 19 | "data": { 20 | "summary": { 21 | "@type": "string", 22 | "@value": "" 23 | }, 24 | "search": { 25 | "queries": [ 26 | { 27 | "id": "0179ce27-0082-4ab3-b26e-11afe35492f2", 28 | "timerange": { 29 | "type": "relative", 30 | "range": 300 31 | }, 32 | "query": { 33 | "type": "elasticsearch", 34 | "query_string": "" 35 | }, 36 | "search_types": [ 37 | { 38 | "query": { 39 | "type": "elasticsearch", 40 | "query_string": "(cohesity_cluster_name:*) (vmware_task_executed:\"Remove snapshot\" vmware_task_executed:\"Create virtual machine snapshot\")" 41 | }, 42 | "name": "chart", 43 | "timerange": { 44 | "type": "relative", 45 | "range": 86400 46 | }, 47 | "streams": [], 48 | "series": [ 49 | { 50 | "type": "count", 51 | "id": "count()", 52 | "field": null 53 | } 54 | ], 55 | "filter": null, 56 | "rollup": true, 57 | "row_groups": [ 58 | { 59 | "type": "time", 60 | "field": "timestamp", 61 | "interval": { 62 | "type": "auto", 63 | "scaling": 1 64 | } 65 | } 66 | ], 67 | "type": "pivot", 68 | "id": "e4528bc1-22cb-497f-89a0-cb51ac673d6e", 69 | "column_groups": [], 70 | "sort": [] 71 | }, 72 | { 73 | "name": "events", 74 | "timerange": { 75 | "type": "relative", 76 | "range": 604800 77 | }, 78 | "query": { 79 | "type": "elasticsearch", 80 | "query_string": "cohesity_cluster_name:*" 81 | }, 82 | "streams": [], 83 | "id": "fdd1849b-983b-4f6b-bbd0-6c25224d888f", 84 | "type": "events", 85 | "filter": null 86 | }, 87 | 
{ 88 | "query": { 89 | "type": "elasticsearch", 90 | "query_string": "cohesity_cluster_name:*" 91 | }, 92 | "name": "chart", 93 | "timerange": { 94 | "type": "relative", 95 | "range": 604800 96 | }, 97 | "streams": [], 98 | "series": [ 99 | { 100 | "type": "count", 101 | "id": "count()", 102 | "field": null 103 | } 104 | ], 105 | "filter": null, 106 | "rollup": true, 107 | "row_groups": [ 108 | { 109 | "type": "time", 110 | "field": "timestamp", 111 | "interval": { 112 | "type": "auto", 113 | "scaling": 1 114 | } 115 | } 116 | ], 117 | "type": "pivot", 118 | "id": "fdd5827c-7f63-4582-990b-d9e641c3fd9a", 119 | "column_groups": [ 120 | { 121 | "type": "values", 122 | "field": "cohesity_backup_job_name", 123 | "limit": 15 124 | } 125 | ], 126 | "sort": [ 127 | { 128 | "type": "pivot", 129 | "field": "timestamp", 130 | "direction": "Ascending" 131 | } 132 | ] 133 | }, 134 | { 135 | "query": { 136 | "type": "elasticsearch", 137 | "query_string": "(cohesity_cluster_name:*) (vmware_task_executed:\"Remove snapshot\" vmware_task_executed:\"Create virtual machine snapshot\" NOT application_name:vim.event.UserLoginSessionEvent)" 138 | }, 139 | "name": null, 140 | "timerange": { 141 | "type": "relative", 142 | "range": 86400 143 | }, 144 | "offset": 0, 145 | "streams": [], 146 | "filter": null, 147 | "decorators": [], 148 | "type": "messages", 149 | "id": "91082738-8cd5-4089-a31a-c603c3437704", 150 | "limit": 150 151 | }, 152 | { 153 | "query": { 154 | "type": "elasticsearch", 155 | "query_string": "cohesity_cluster_name:*" 156 | }, 157 | "name": "chart", 158 | "timerange": { 159 | "type": "relative", 160 | "range": 86400 161 | }, 162 | "streams": [], 163 | "series": [ 164 | { 165 | "type": "count", 166 | "id": "count()", 167 | "field": null 168 | } 169 | ], 170 | "filter": null, 171 | "rollup": true, 172 | "row_groups": [ 173 | { 174 | "type": "time", 175 | "field": "timestamp", 176 | "interval": { 177 | "type": "auto", 178 | "scaling": 1 179 | } 180 | } 181 | ], 182 | 
"type": "pivot", 183 | "id": "3b425968-e1d2-4ef1-ad18-99e369901c81", 184 | "column_groups": [ 185 | { 186 | "type": "values", 187 | "field": "cohesity_event_message_type", 188 | "limit": 15 189 | } 190 | ], 191 | "sort": [ 192 | { 193 | "type": "pivot", 194 | "field": "timestamp", 195 | "direction": "Ascending" 196 | } 197 | ] 198 | }, 199 | { 200 | "query": { 201 | "type": "elasticsearch", 202 | "query_string": "snapshot AND application_name:vim.event.AlarmStatusChangedEvent AND VMWARE_ALARM_TYPE:\"Snapshot Size Alarm\" AND VMWARE_SEV_CURRENT:Red" 203 | }, 204 | "name": "chart", 205 | "timerange": { 206 | "type": "relative", 207 | "range": 86400 208 | }, 209 | "streams": [], 210 | "series": [], 211 | "filter": null, 212 | "rollup": true, 213 | "row_groups": [ 214 | { 215 | "type": "values", 216 | "field": "VCENTER_DATACENTER_ID", 217 | "limit": 15 218 | }, 219 | { 220 | "type": "values", 221 | "field": "VCENTER_DATACENTER_CLUSTER_ID", 222 | "limit": 15 223 | }, 224 | { 225 | "type": "values", 226 | "field": "vmware_guest_name", 227 | "limit": 15 228 | }, 229 | { 230 | "type": "values", 231 | "field": "VMWARE_ALARM_TYPE", 232 | "limit": 15 233 | }, 234 | { 235 | "type": "values", 236 | "field": "VMWARE_SEV_CURRENT", 237 | "limit": 15 238 | } 239 | ], 240 | "type": "pivot", 241 | "id": "aa3638ee-84a3-44df-b6f2-9fea8bd70ded", 242 | "column_groups": [], 243 | "sort": [] 244 | }, 245 | { 246 | "query": { 247 | "type": "elasticsearch", 248 | "query_string": "cohesity_cluster_name:*" 249 | }, 250 | "name": "chart", 251 | "timerange": { 252 | "type": "relative", 253 | "range": 86400 254 | }, 255 | "streams": [], 256 | "series": [ 257 | { 258 | "type": "count", 259 | "id": "count()", 260 | "field": null 261 | } 262 | ], 263 | "filter": null, 264 | "rollup": true, 265 | "row_groups": [ 266 | { 267 | "type": "values", 268 | "field": "cohesity_cluster_name", 269 | "limit": 15 270 | } 271 | ], 272 | "type": "pivot", 273 | "id": "1560b53a-34f8-4898-a1d6-a2f60d013067", 274 | 
"column_groups": [], 275 | "sort": [ 276 | { 277 | "type": "series", 278 | "field": "count()", 279 | "direction": "Descending" 280 | } 281 | ] 282 | }, 283 | { 284 | "query": { 285 | "type": "elasticsearch", 286 | "query_string": "username:YOURDOMAIN_HERE\\\\DOMAIN_ID\\-USER\\-a NOT logged" 287 | }, 288 | "name": "chart", 289 | "timerange": { 290 | "type": "relative", 291 | "range": 28800 292 | }, 293 | "streams": [], 294 | "series": [ 295 | { 296 | "type": "count", 297 | "id": "count()", 298 | "field": null 299 | } 300 | ], 301 | "filter": null, 302 | "rollup": true, 303 | "row_groups": [ 304 | { 305 | "type": "values", 306 | "field": "vmware_task_executed", 307 | "limit": 15 308 | }, 309 | { 310 | "type": "values", 311 | "field": "VCENTER_DATACENTER_ID", 312 | "limit": 15 313 | } 314 | ], 315 | "type": "pivot", 316 | "id": "3de30fda-6055-47a5-9cd2-ff8c329a7178", 317 | "column_groups": [], 318 | "sort": [] 319 | }, 320 | { 321 | "query": { 322 | "type": "elasticsearch", 323 | "query_string": "(cohesity_cluster_name:* NOT session NOT disconnected NOT Accepted AND ErrorMessage)" 324 | }, 325 | "name": "chart", 326 | "timerange": { 327 | "type": "relative", 328 | "range": 86400 329 | }, 330 | "streams": [], 331 | "series": [ 332 | { 333 | "type": "count", 334 | "id": "count()", 335 | "field": null 336 | } 337 | ], 338 | "filter": null, 339 | "rollup": true, 340 | "row_groups": [ 341 | { 342 | "type": "values", 343 | "field": "cohesity_backup_job_name", 344 | "limit": 15 345 | }, 346 | { 347 | "type": "values", 348 | "field": "cohesity_cluster_name", 349 | "limit": 15 350 | } 351 | ], 352 | "type": "pivot", 353 | "id": "9d371e1f-f13f-4de5-ab2e-ebe686bb85d0", 354 | "column_groups": [], 355 | "sort": [] 356 | }, 357 | { 358 | "query": { 359 | "type": "elasticsearch", 360 | "query_string": "" 361 | }, 362 | "name": "chart", 363 | "timerange": { 364 | "type": "relative", 365 | "range": 86400 366 | }, 367 | "streams": [], 368 | "series": [], 369 | "filter": null, 370 | 
"rollup": true, 371 | "row_groups": [ 372 | { 373 | "type": "values", 374 | "field": "cohesity_attribute_name", 375 | "limit": 15 376 | }, 377 | { 378 | "type": "values", 379 | "field": "cohesity_attrib_number", 380 | "limit": 15 381 | }, 382 | { 383 | "type": "values", 384 | "field": "cohesity_backup_job_name", 385 | "limit": 15 386 | }, 387 | { 388 | "type": "values", 389 | "field": "cohesity_backup_job_id_number", 390 | "limit": 15 391 | }, 392 | { 393 | "type": "values", 394 | "field": "cohesity_cluster_name", 395 | "limit": 15 396 | } 397 | ], 398 | "type": "pivot", 399 | "id": "000c3ada-5ea2-41c4-b607-5b0830f050be", 400 | "column_groups": [], 401 | "sort": [] 402 | } 403 | ] 404 | } 405 | ], 406 | "parameters": [], 407 | "requires": {}, 408 | "owner": "admin", 409 | "created_at": "2021-01-20T19:36:38.415Z" 410 | }, 411 | "created_at": "2020-12-07T21:09:42.316Z", 412 | "requires": {}, 413 | "state": { 414 | "0179ce27-0082-4ab3-b26e-11afe35492f2": { 415 | "selected_fields": null, 416 | "static_message_list_id": null, 417 | "titles": { 418 | "widget": { 419 | "cf00f2f8-1f18-4142-bd74-fa2a7a0404d8": "Aggregating count() by vmware_task_executed, VCENTER_DATACENTER_ID last 8 hours", 420 | "17939821-c56c-4f5c-be7b-b941b7d8212f": "Aggregating by VCENTER_DATACENTER_ID, VCENTER_DATACENTER_CLUSTER_ID, vmware_guest_name, VMWARE_ALARM_TYPE, VMWARE_SEV_CURRENT last day", 421 | "283adcd7-84bf-427a-bc53-a24e2e3e0b5d": "Aggregating count() by cohesity_cluster_name number of events", 422 | "f0717175-09a2-4850-aa40-a9631c1370ff": "Failed backups in last 24 hours ", 423 | "f0b4fc72-31ed-4110-9122-ce1ca43273fd": "Cohesity messages" 424 | } 425 | }, 426 | "widgets": [ 427 | { 428 | "id": "17939821-c56c-4f5c-be7b-b941b7d8212f", 429 | "type": "aggregation", 430 | "filter": null, 431 | "timerange": { 432 | "type": "relative", 433 | "range": 86400 434 | }, 435 | "query": { 436 | "type": "elasticsearch", 437 | "query_string": "snapshot AND 
application_name:vim.event.AlarmStatusChangedEvent AND VMWARE_ALARM_TYPE:\"Snapshot Size Alarm\" AND VMWARE_SEV_CURRENT:Red" 438 | }, 439 | "streams": [], 440 | "config": { 441 | "visualization": "table", 442 | "event_annotation": false, 443 | "row_pivots": [ 444 | { 445 | "field": "VCENTER_DATACENTER_ID", 446 | "type": "values", 447 | "config": { 448 | "limit": 15 449 | } 450 | }, 451 | { 452 | "field": "VCENTER_DATACENTER_CLUSTER_ID", 453 | "type": "values", 454 | "config": { 455 | "limit": 15 456 | } 457 | }, 458 | { 459 | "field": "vmware_guest_name", 460 | "type": "values", 461 | "config": { 462 | "limit": 15 463 | } 464 | }, 465 | { 466 | "field": "VMWARE_ALARM_TYPE", 467 | "type": "values", 468 | "config": { 469 | "limit": 15 470 | } 471 | }, 472 | { 473 | "field": "VMWARE_SEV_CURRENT", 474 | "type": "values", 475 | "config": { 476 | "limit": 15 477 | } 478 | } 479 | ], 480 | "series": [], 481 | "rollup": true, 482 | "column_pivots": [], 483 | "visualization_config": null, 484 | "formatting_settings": null, 485 | "sort": [] 486 | } 487 | }, 488 | { 489 | "id": "cf00f2f8-1f18-4142-bd74-fa2a7a0404d8", 490 | "type": "aggregation", 491 | "filter": null, 492 | "timerange": { 493 | "type": "relative", 494 | "range": 28800 495 | }, 496 | "query": { 497 | "type": "elasticsearch", 498 | "query_string": "username:YOURDOMAIN_HERE\\\\DOMAIN_ID\\USER\\-A NOT logged" 499 | }, 500 | "streams": [], 501 | "config": { 502 | "visualization": "table", 503 | "event_annotation": false, 504 | "row_pivots": [ 505 | { 506 | "field": "vmware_task_executed", 507 | "type": "values", 508 | "config": { 509 | "limit": 15 510 | } 511 | }, 512 | { 513 | "field": "VCENTER_DATACENTER_ID", 514 | "type": "values", 515 | "config": { 516 | "limit": 15 517 | } 518 | } 519 | ], 520 | "series": [ 521 | { 522 | "config": { 523 | "name": null 524 | }, 525 | "function": "count()" 526 | } 527 | ], 528 | "rollup": true, 529 | "column_pivots": [], 530 | "visualization_config": null, 531 | 
"formatting_settings": null, 532 | "sort": [] 533 | } 534 | }, 535 | { 536 | "id": "ea0b3ba6-a798-447b-b33e-d92603bd5f2b", 537 | "type": "aggregation", 538 | "filter": null, 539 | "timerange": { 540 | "type": "relative", 541 | "range": 86400 542 | }, 543 | "query": { 544 | "type": "elasticsearch", 545 | "query_string": "cohesity_cluster_name:*" 546 | }, 547 | "streams": [], 548 | "config": { 549 | "visualization": "area", 550 | "event_annotation": false, 551 | "row_pivots": [ 552 | { 553 | "field": "timestamp", 554 | "type": "time", 555 | "config": { 556 | "interval": { 557 | "type": "auto", 558 | "scaling": null 559 | } 560 | } 561 | } 562 | ], 563 | "series": [ 564 | { 565 | "config": { 566 | "name": null 567 | }, 568 | "function": "count()" 569 | } 570 | ], 571 | "rollup": true, 572 | "column_pivots": [ 573 | { 574 | "field": "cohesity_event_message_type", 575 | "type": "values", 576 | "config": { 577 | "limit": 15 578 | } 579 | } 580 | ], 581 | "visualization_config": { 582 | "interpolation": "step-after" 583 | }, 584 | "formatting_settings": null, 585 | "sort": [ 586 | { 587 | "type": "pivot", 588 | "field": "timestamp", 589 | "direction": "Ascending" 590 | } 591 | ] 592 | } 593 | }, 594 | { 595 | "id": "00ee878e-1a1a-4e22-8294-a33500e57369", 596 | "type": "aggregation", 597 | "filter": null, 598 | "timerange": { 599 | "type": "relative", 600 | "range": 86400 601 | }, 602 | "query": { 603 | "type": "elasticsearch", 604 | "query_string": "(cohesity_cluster_name:*) (vmware_task_executed:\"Remove snapshot\" vmware_task_executed:\"Create virtual machine snapshot\")" 605 | }, 606 | "streams": [], 607 | "config": { 608 | "visualization": "bar", 609 | "event_annotation": false, 610 | "row_pivots": [ 611 | { 612 | "field": "timestamp", 613 | "type": "time", 614 | "config": { 615 | "interval": { 616 | "type": "auto", 617 | "scaling": null 618 | } 619 | } 620 | } 621 | ], 622 | "series": [ 623 | { 624 | "config": { 625 | "name": null 626 | }, 627 | "function": "count()" 
628 | } 629 | ], 630 | "rollup": true, 631 | "column_pivots": [], 632 | "visualization_config": null, 633 | "formatting_settings": null, 634 | "sort": [] 635 | } 636 | }, 637 | { 638 | "id": "cd4db72f-b6f2-4d4d-babe-b70fbdedc9d0", 639 | "type": "aggregation", 640 | "filter": null, 641 | "timerange": { 642 | "type": "relative", 643 | "range": 604800 644 | }, 645 | "query": { 646 | "type": "elasticsearch", 647 | "query_string": "cohesity_cluster_name:*" 648 | }, 649 | "streams": [], 650 | "config": { 651 | "visualization": "area", 652 | "event_annotation": true, 653 | "row_pivots": [ 654 | { 655 | "field": "timestamp", 656 | "type": "time", 657 | "config": { 658 | "interval": { 659 | "type": "auto", 660 | "scaling": null 661 | } 662 | } 663 | } 664 | ], 665 | "series": [ 666 | { 667 | "config": { 668 | "name": null 669 | }, 670 | "function": "count()" 671 | } 672 | ], 673 | "rollup": true, 674 | "column_pivots": [ 675 | { 676 | "field": "cohesity_backup_job_name", 677 | "type": "values", 678 | "config": { 679 | "limit": 15 680 | } 681 | } 682 | ], 683 | "visualization_config": { 684 | "interpolation": "spline" 685 | }, 686 | "formatting_settings": null, 687 | "sort": [ 688 | { 689 | "type": "pivot", 690 | "field": "timestamp", 691 | "direction": "Ascending" 692 | } 693 | ] 694 | } 695 | }, 696 | { 697 | "id": "283adcd7-84bf-427a-bc53-a24e2e3e0b5d", 698 | "type": "aggregation", 699 | "filter": null, 700 | "timerange": { 701 | "type": "relative", 702 | "range": 86400 703 | }, 704 | "query": { 705 | "type": "elasticsearch", 706 | "query_string": "cohesity_cluster_name:*" 707 | }, 708 | "streams": [], 709 | "config": { 710 | "visualization": "area", 711 | "event_annotation": false, 712 | "row_pivots": [ 713 | { 714 | "field": "cohesity_cluster_name", 715 | "type": "values", 716 | "config": { 717 | "limit": 15 718 | } 719 | } 720 | ], 721 | "series": [ 722 | { 723 | "config": { 724 | "name": null 725 | }, 726 | "function": "count()" 727 | } 728 | ], 729 | "rollup": true, 
730 | "column_pivots": [], 731 | "visualization_config": { 732 | "interpolation": "spline" 733 | }, 734 | "formatting_settings": null, 735 | "sort": [ 736 | { 737 | "type": "series", 738 | "field": "count()", 739 | "direction": "Descending" 740 | } 741 | ] 742 | } 743 | }, 744 | { 745 | "id": "f0717175-09a2-4850-aa40-a9631c1370ff", 746 | "type": "aggregation", 747 | "filter": null, 748 | "timerange": { 749 | "type": "relative", 750 | "range": 86400 751 | }, 752 | "query": { 753 | "type": "elasticsearch", 754 | "query_string": "(cohesity_cluster_name:* NOT session NOT disconnected NOT Accepted AND ErrorMessage)" 755 | }, 756 | "streams": [], 757 | "config": { 758 | "visualization": "table", 759 | "event_annotation": false, 760 | "row_pivots": [ 761 | { 762 | "field": "cohesity_backup_job_name", 763 | "type": "values", 764 | "config": { 765 | "limit": 15 766 | } 767 | }, 768 | { 769 | "field": "cohesity_cluster_name", 770 | "type": "values", 771 | "config": { 772 | "limit": 15 773 | } 774 | } 775 | ], 776 | "series": [ 777 | { 778 | "config": { 779 | "name": null 780 | }, 781 | "function": "count()" 782 | } 783 | ], 784 | "rollup": true, 785 | "column_pivots": [], 786 | "visualization_config": null, 787 | "formatting_settings": null, 788 | "sort": [] 789 | } 790 | }, 791 | { 792 | "id": "f0b4fc72-31ed-4110-9122-ce1ca43273fd", 793 | "type": "messages", 794 | "filter": null, 795 | "timerange": { 796 | "type": "relative", 797 | "range": 86400 798 | }, 799 | "query": { 800 | "type": "elasticsearch", 801 | "query_string": "(cohesity_cluster_name:*) (vmware_task_executed:\"Remove snapshot\" vmware_task_executed:\"Create virtual machine snapshot\" NOT application_name:vim.event.UserLoginSessionEvent)" 802 | }, 803 | "streams": [], 804 | "config": { 805 | "fields": [ 806 | "timestamp", 807 | "source" 808 | ], 809 | "show_message_row": true, 810 | "decorators": [], 811 | "sort": [ 812 | { 813 | "type": "pivot", 814 | "field": "timestamp", 815 | "direction": "Descending" 816 | 
} 817 | ] 818 | } 819 | }, 820 | { 821 | "id": "51417805-5d0d-40eb-9f7a-7b83285a3171", 822 | "type": "aggregation", 823 | "filter": null, 824 | "timerange": { 825 | "type": "relative", 826 | "range": 86400 827 | }, 828 | "query": { 829 | "type": "elasticsearch", 830 | "query_string": "" 831 | }, 832 | "streams": [], 833 | "config": { 834 | "visualization": "table", 835 | "event_annotation": false, 836 | "row_pivots": [ 837 | { 838 | "field": "cohesity_attribute_name", 839 | "type": "values", 840 | "config": { 841 | "limit": 15 842 | } 843 | }, 844 | { 845 | "field": "cohesity_attrib_number", 846 | "type": "values", 847 | "config": { 848 | "limit": 15 849 | } 850 | }, 851 | { 852 | "field": "cohesity_backup_job_name", 853 | "type": "values", 854 | "config": { 855 | "limit": 15 856 | } 857 | }, 858 | { 859 | "field": "cohesity_backup_job_id_number", 860 | "type": "values", 861 | "config": { 862 | "limit": 15 863 | } 864 | }, 865 | { 866 | "field": "cohesity_cluster_name", 867 | "type": "values", 868 | "config": { 869 | "limit": 15 870 | } 871 | } 872 | ], 873 | "series": [], 874 | "rollup": true, 875 | "column_pivots": [], 876 | "visualization_config": null, 877 | "formatting_settings": null, 878 | "sort": [] 879 | } 880 | } 881 | ], 882 | "widget_mapping": { 883 | "17939821-c56c-4f5c-be7b-b941b7d8212f": [ 884 | "aa3638ee-84a3-44df-b6f2-9fea8bd70ded" 885 | ], 886 | "ea0b3ba6-a798-447b-b33e-d92603bd5f2b": [ 887 | "3b425968-e1d2-4ef1-ad18-99e369901c81" 888 | ], 889 | "cd4db72f-b6f2-4d4d-babe-b70fbdedc9d0": [ 890 | "fdd1849b-983b-4f6b-bbd0-6c25224d888f", 891 | "fdd5827c-7f63-4582-990b-d9e641c3fd9a" 892 | ], 893 | "f0717175-09a2-4850-aa40-a9631c1370ff": [ 894 | "9d371e1f-f13f-4de5-ab2e-ebe686bb85d0" 895 | ], 896 | "00ee878e-1a1a-4e22-8294-a33500e57369": [ 897 | "e4528bc1-22cb-497f-89a0-cb51ac673d6e" 898 | ], 899 | "51417805-5d0d-40eb-9f7a-7b83285a3171": [ 900 | "000c3ada-5ea2-41c4-b607-5b0830f050be" 901 | ], 902 | "cf00f2f8-1f18-4142-bd74-fa2a7a0404d8": [ 903 | 
"3de30fda-6055-47a5-9cd2-ff8c329a7178" 904 | ], 905 | "283adcd7-84bf-427a-bc53-a24e2e3e0b5d": [ 906 | "1560b53a-34f8-4898-a1d6-a2f60d013067" 907 | ], 908 | "f0b4fc72-31ed-4110-9122-ce1ca43273fd": [ 909 | "91082738-8cd5-4089-a31a-c603c3437704" 910 | ] 911 | }, 912 | "positions": { 913 | "17939821-c56c-4f5c-be7b-b941b7d8212f": { 914 | "col": 8, 915 | "row": 5, 916 | "height": 4, 917 | "width": 4 918 | }, 919 | "ea0b3ba6-a798-447b-b33e-d92603bd5f2b": { 920 | "col": 5, 921 | "row": 5, 922 | "height": 4, 923 | "width": 3 924 | }, 925 | "cd4db72f-b6f2-4d4d-babe-b70fbdedc9d0": { 926 | "col": 1, 927 | "row": 5, 928 | "height": 4, 929 | "width": 4 930 | }, 931 | "f0717175-09a2-4850-aa40-a9631c1370ff": { 932 | "col": 1, 933 | "row": 3, 934 | "height": 2, 935 | "width": 11 936 | }, 937 | "00ee878e-1a1a-4e22-8294-a33500e57369": { 938 | "col": 1, 939 | "row": 1, 940 | "height": 2, 941 | "width": 11 942 | }, 943 | "51417805-5d0d-40eb-9f7a-7b83285a3171": { 944 | "col": 4, 945 | "row": 9, 946 | "height": 4, 947 | "width": 5 948 | }, 949 | "cf00f2f8-1f18-4142-bd74-fa2a7a0404d8": { 950 | "col": 1, 951 | "row": 9, 952 | "height": 4, 953 | "width": 3 954 | }, 955 | "283adcd7-84bf-427a-bc53-a24e2e3e0b5d": { 956 | "col": 9, 957 | "row": 9, 958 | "height": 4, 959 | "width": 3 960 | }, 961 | "f0b4fc72-31ed-4110-9122-ce1ca43273fd": { 962 | "col": 1, 963 | "row": 13, 964 | "height": 12, 965 | "width": 11 966 | } 967 | }, 968 | "formatting": { 969 | "highlighting": [] 970 | }, 971 | "display_mode_settings": { 972 | "positions": {} 973 | } 974 | } 975 | }, 976 | "properties": [], 977 | "owner": "admin", 978 | "title": { 979 | "@type": "string", 980 | "@value": "Cohesity" 981 | }, 982 | "type": "DASHBOARD", 983 | "description": { 984 | "@type": "string", 985 | "@value": "" 986 | } 987 | }, 988 | "constraints": [ 989 | { 990 | "type": "server-version", 991 | "version": ">=4.0.1+6a0cc0b" 992 | } 993 | ] 994 | } 995 | ] 996 | } 
-------------------------------------------------------------------------------- /vmware7_extraction: -------------------------------------------------------------------------------- 1 | { 2 | "extractors": [ 3 | { 4 | "title": "vmware7_ldap_extraction", 5 | "extractor_type": "regex", 6 | "converters": [], 7 | "order": 0, 8 | "cursor_strategy": "copy", 9 | "source_field": "message", 10 | "target_field": "LDAP_username", 11 | "extractor_config": { 12 | "regex_value": "User (.*)\\@" 13 | }, 14 | "condition_type": "none", 15 | "condition_value": "" 16 | }, 17 | { 18 | "title": "hostname extraction vcenter", 19 | "extractor_type": "regex", 20 | "converters": [], 21 | "order": 0, 22 | "cursor_strategy": "copy", 23 | "source_field": "message", 24 | "target_field": "HOSTNAME", 25 | "extractor_config": { 26 | "regex_value": "on (.*) changed from " 27 | }, 28 | "condition_type": "none", 29 | "condition_value": "" 30 | }, 31 | { 32 | "title": "vmware7_vmware_alarm_type", 33 | "extractor_type": "regex", 34 | "converters": [], 35 | "order": 0, 36 | "cursor_strategy": "copy", 37 | "source_field": "message", 38 | "target_field": "VMWARE_ALARM_TYPE", 39 | "extractor_config": { 40 | "regex_value": "Alarm '(.*)' on" 41 | }, 42 | "condition_type": "none", 43 | "condition_value": "" 44 | }, 45 | { 46 | "title": "vmware7_hypervisor_name_1", 47 | "extractor_type": "regex", 48 | "converters": [], 49 | "order": 0, 50 | "cursor_strategy": "copy", 51 | "source_field": "message", 52 | "target_field": "HYPERVISOR_NAME", 53 | "extractor_config": { 54 | "regex_value": "on (.*) triggered " 55 | }, 56 | "condition_type": "none", 57 | "condition_value": "" 58 | }, 59 | { 60 | "title": "vmware7_hypervisor_name_2", 61 | "extractor_type": "regex", 62 | "converters": [], 63 | "order": 0, 64 | "cursor_strategy": "copy", 65 | "source_field": "message", 66 | "target_field": "HYPERVISOR_NAME", 67 | "extractor_config": { 68 | "regex_value": "entity (.*) was " 69 | }, 70 | "condition_type": "none", 71 | 
"condition_value": "" 72 | }, 73 | { 74 | "title": "vmware7_part_description", 75 | "extractor_type": "regex", 76 | "converters": [], 77 | "order": 0, 78 | "cursor_strategy": "copy", 79 | "source_field": "message", 80 | "target_field": "part_description", 81 | "extractor_config": { 82 | "regex_value": "Description (.*) state " 83 | }, 84 | "condition_type": "none", 85 | "condition_value": "" 86 | }, 87 | { 88 | "title": "vmware7_VMWARE_SEV_LAST ", 89 | "extractor_type": "regex", 90 | "converters": [], 91 | "order": 0, 92 | "cursor_strategy": "copy", 93 | "source_field": "message", 94 | "target_field": "VMWARE_SEV_LAST", 95 | "extractor_config": { 96 | "regex_value": "changed from (.*) to" 97 | }, 98 | "condition_type": "none", 99 | "condition_value": "" 100 | }, 101 | { 102 | "title": "vmware7_VMWARE_SEV_CURRENT", 103 | "extractor_type": "regex", 104 | "converters": [], 105 | "order": 0, 106 | "cursor_strategy": "copy", 107 | "source_field": "message", 108 | "target_field": "VMWARE_SEV_CURRENT", 109 | "extractor_config": { 110 | "regex_value": " to (.*)\\]" 111 | }, 112 | "condition_type": "none", 113 | "condition_value": "" 114 | }, 115 | { 116 | "title": "vmware7_vmware_guest_name", 117 | "extractor_type": "regex", 118 | "converters": [], 119 | "order": 0, 120 | "cursor_strategy": "copy", 121 | "source_field": "message", 122 | "target_field": "vmware_guest_name", 123 | "extractor_config": { 124 | "regex_value": "on (.*) changed" 125 | }, 126 | "condition_type": "none", 127 | "condition_value": "" 128 | }, 129 | { 130 | "title": "vmware7_vmware_alarm_type_2", 131 | "extractor_type": "regex", 132 | "converters": [], 133 | "order": 0, 134 | "cursor_strategy": "copy", 135 | "source_field": "message", 136 | "target_field": "VMWARE_ALARM_TYPE", 137 | "extractor_config": { 138 | "regex_value": "Alarm '(.*)': an SNMP" 139 | }, 140 | "condition_type": "none", 141 | "condition_value": "" 142 | }, 143 | { 144 | "title": "vmware7_nfc_operation", 145 | "extractor_type": 
"regex", 146 | "converters": [], 147 | "order": 0, 148 | "cursor_strategy": "copy", 149 | "source_field": "message", 150 | "target_field": "vmware7_nfc_operation", 151 | "extractor_config": { 152 | "regex_value": "NFC operation '(.*)' for path " 153 | }, 154 | "condition_type": "none", 155 | "condition_value": "" 156 | }, 157 | { 158 | "title": "vmware7_nfc_operation_path", 159 | "extractor_type": "regex", 160 | "converters": [], 161 | "order": 0, 162 | "cursor_strategy": "copy", 163 | "source_field": "message", 164 | "target_field": "vmware7_nfc_operation_path", 165 | "extractor_config": { 166 | "regex_value": "for path '(.*)' was " 167 | }, 168 | "condition_type": "none", 169 | "condition_value": "" 170 | }, 171 | { 172 | "title": "vmware7_nfc_operation_ip", 173 | "extractor_type": "regex", 174 | "converters": [], 175 | "order": 0, 176 | "cursor_strategy": "copy", 177 | "source_field": "message", 178 | "target_field": "ip_address", 179 | "extractor_config": { 180 | "regex_value": "from '(.*)' and " 181 | }, 182 | "condition_type": "none", 183 | "condition_value": "" 184 | }, 185 | { 186 | "title": "vmware7_nfc_operation_status", 187 | "extractor_type": "regex", 188 | "converters": [], 189 | "order": 0, 190 | "cursor_strategy": "copy", 191 | "source_field": "message", 192 | "target_field": "vmware7_nfc_operation_status", 193 | "extractor_config": { 194 | "regex_value": "and completed with status '(.*)'" 195 | }, 196 | "condition_type": "none", 197 | "condition_value": "" 198 | }, 199 | { 200 | "title": "sensor_part_number", 201 | "extractor_type": "regex", 202 | "converters": [], 203 | "order": 0, 204 | "cursor_strategy": "copy", 205 | "source_field": "message", 206 | "target_field": "sensor_part_number", 207 | "extractor_config": { 208 | "regex_value": "Part Name/Number (.*) Manufacturer" 209 | }, 210 | "condition_type": "none", 211 | "condition_value": "" 212 | }, 213 | { 214 | "title": "vmware7_sensor_manufacturer", 215 | "extractor_type": "regex", 216 | 
"converters": [], 217 | "order": 0, 218 | "cursor_strategy": "copy", 219 | "source_field": "message", 220 | "target_field": "sensor_manufacturer", 221 | "extractor_config": { 222 | "regex_value": "Manufacturer (.*)]" 223 | }, 224 | "condition_type": "none", 225 | "condition_value": "" 226 | }, 227 | { 228 | "title": "vmware7_sensor_state", 229 | "extractor_type": "regex", 230 | "converters": [], 231 | "order": 0, 232 | "cursor_strategy": "copy", 233 | "source_field": "message", 234 | "target_field": "sensor_state", 235 | "extractor_config": { 236 | "regex_value": "state (.*) for " 237 | }, 238 | "condition_type": "none", 239 | "condition_value": "" 240 | }, 241 | { 242 | "title": "vmware7_vmware_guest_name_2", 243 | "extractor_type": "regex", 244 | "converters": [], 245 | "order": 0, 246 | "cursor_strategy": "copy", 247 | "source_field": "message", 248 | "target_field": "vmware_guest_name", 249 | "extractor_config": { 250 | "regex_value": "Virtual machine (.*)'s" 251 | }, 252 | "condition_type": "none", 253 | "condition_value": "" 254 | }, 255 | { 256 | "title": "vmware7_pmem_bandwidth", 257 | "extractor_type": "regex", 258 | "converters": [], 259 | "order": 0, 260 | "cursor_strategy": "copy", 261 | "source_field": "message", 262 | "target_field": "vmware7_pmem_bandwidth", 263 | "extractor_config": { 264 | "regex_value": "PMem bandwidth usage is (.*)]" 265 | }, 266 | "condition_type": "none", 267 | "condition_value": "" 268 | }, 269 | { 270 | "title": "vmware7_guest_name_3", 271 | "extractor_type": "regex", 272 | "converters": [], 273 | "order": 0, 274 | "cursor_strategy": "copy", 275 | "source_field": "message", 276 | "target_field": "vmware_guest_name", 277 | "extractor_config": { 278 | "regex_value": "A ticket for (.*) of " 279 | }, 280 | "condition_type": "none", 281 | "condition_value": "" 282 | }, 283 | { 284 | "title": "vmware7_hypervisor_name_3", 285 | "extractor_type": "regex", 286 | "converters": [], 287 | "order": 0, 288 | "cursor_strategy": "copy", 289 
| "source_field": "message", 290 | "target_field": "HYPERVISOR_NAME", 291 | "extractor_config": { 292 | "regex_value": "on (.*) in " 293 | }, 294 | "condition_type": "none", 295 | "condition_value": "" 296 | }, 297 | { 298 | "title": "vmware7_ldap_extraction", 299 | "extractor_type": "regex", 300 | "converters": [], 301 | "order": 0, 302 | "cursor_strategy": "copy", 303 | "source_field": "message", 304 | "target_field": "LDAP_username", 305 | "extractor_config": { 306 | "regex_value": "Logout event by (.*) from " 307 | }, 308 | "condition_type": "none", 309 | "condition_value": "" 310 | }, 311 | { 312 | "title": "vmware7_ldap_extraction_2", 313 | "extractor_type": "regex", 314 | "converters": [], 315 | "order": 0, 316 | "cursor_strategy": "copy", 317 | "source_field": "message", 318 | "target_field": "LDAP_username", 319 | "extractor_config": { 320 | "regex_value": "Successful login (.*) from " 321 | }, 322 | "condition_type": "none", 323 | "condition_value": "" 324 | }, 325 | { 326 | "title": "vmware7_vmware_power_state", 327 | "extractor_type": "regex", 328 | "converters": [], 329 | "order": 0, 330 | "cursor_strategy": "copy", 331 | "source_field": "message", 332 | "target_field": "vmware_power_state", 333 | "extractor_config": { 334 | "regex_value": "has (.*)]" 335 | }, 336 | "condition_type": "none", 337 | "condition_value": "" 338 | }, 339 | { 340 | "title": "vmware7_hypervisor_name_4", 341 | "extractor_type": "regex", 342 | "converters": [], 343 | "order": 0, 344 | "cursor_strategy": "copy", 345 | "source_field": "message", 346 | "target_field": "HYPERVISOR_NAME", 347 | "extractor_config": { 348 | "regex_value": "on (.*) in " 349 | }, 350 | "condition_type": "none", 351 | "condition_value": "" 352 | }, 353 | { 354 | "title": "vmware7_vmware_task_executed", 355 | "extractor_type": "regex", 356 | "converters": [], 357 | "order": 0, 358 | "cursor_strategy": "copy", 359 | "source_field": "message", 360 | "target_field": "vmware_task_executed", 361 | 
"extractor_config": { 362 | "regex_value": "Task: (.*)]" 363 | }, 364 | "condition_type": "none", 365 | "condition_value": "" 366 | }, 367 | { 368 | "title": "vmware7_assignment_for_uuid", 369 | "extractor_type": "regex", 370 | "converters": [], 371 | "order": 0, 372 | "cursor_strategy": "copy", 373 | "source_field": "message", 374 | "target_field": "vmware7_assignment_object_for_uuid", 375 | "extractor_config": { 376 | "regex_value": "Assign a new (.*) UUID" 377 | }, 378 | "condition_type": "none", 379 | "condition_value": "" 380 | }, 381 | { 382 | "title": "vmware7_uuid_assignment", 383 | "extractor_type": "regex", 384 | "converters": [], 385 | "order": 0, 386 | "cursor_strategy": "copy", 387 | "source_field": "message", 388 | "target_field": "vmware7_uuid_assignment", 389 | "extractor_config": { 390 | "regex_value": "UUID \\((.*)\\) to " 391 | }, 392 | "condition_type": "none", 393 | "condition_value": "" 394 | }, 395 | { 396 | "title": "vmware7_task_execution ", 397 | "extractor_type": "regex", 398 | "converters": [], 399 | "order": 0, 400 | "cursor_strategy": "copy", 401 | "source_field": "message", 402 | "target_field": "vmware_task_executed", 403 | "extractor_config": { 404 | "regex_value": "Running task (.*)\\]" 405 | }, 406 | "condition_type": "none", 407 | "condition_value": "" 408 | }, 409 | { 410 | "title": "vmware7_vmware_guest_name_connection", 411 | "extractor_type": "regex", 412 | "converters": [], 413 | "order": 0, 414 | "cursor_strategy": "copy", 415 | "source_field": "message", 416 | "target_field": "vmware_guest_name", 417 | "extractor_config": { 418 | "regex_value": "Virtual machine (.*) is " 419 | }, 420 | "condition_type": "none", 421 | "condition_value": "" 422 | }, 423 | { 424 | "title": "vmware7_connection_status", 425 | "extractor_type": "regex", 426 | "converters": [], 427 | "order": 0, 428 | "cursor_strategy": "copy", 429 | "source_field": "message", 430 | "target_field": "vmware7_connection_status", 431 | "extractor_config": { 432 | 
"regex_value": "is (.*)]" 433 | }, 434 | "condition_type": "none", 435 | "condition_value": "" 436 | }, 437 | { 438 | "title": "vmware_naa_disk_id", 439 | "extractor_type": "regex", 440 | "converters": [], 441 | "order": 0, 442 | "cursor_strategy": "copy", 443 | "source_field": "message", 444 | "target_field": "vmware_naa_disk_id", 445 | "extractor_config": { 446 | "regex_value": "Device (.*) performance" 447 | }, 448 | "condition_type": "none", 449 | "condition_value": "" 450 | }, 451 | { 452 | "title": "vmware7_performance_previous_avg_device_latency", 453 | "extractor_type": "regex", 454 | "converters": [], 455 | "order": 0, 456 | "cursor_strategy": "copy", 457 | "source_field": "message", 458 | "target_field": "previous_avg_device_latency", 459 | "extractor_config": { 460 | "regex_value": "from (.*) microseconds to " 461 | }, 462 | "condition_type": "none", 463 | "condition_value": "" 464 | }, 465 | { 466 | "title": "vmware7_current_avg_device_latency", 467 | "extractor_type": "regex", 468 | "converters": [], 469 | "order": 0, 470 | "cursor_strategy": "copy", 471 | "source_field": "message", 472 | "target_field": "current_avg_device_latency", 473 | "extractor_config": { 474 | "regex_value": "to (.*) microseconds." 475 | }, 476 | "condition_type": "none", 477 | "condition_value": "" 478 | }, 479 | { 480 | "title": "vmware_scsi_performance_status", 481 | "extractor_type": "regex", 482 | "converters": [], 483 | "order": 0, 484 | "cursor_strategy": "copy", 485 | "source_field": "message", 486 | "target_field": "scsi_performance_status", 487 | "extractor_config": { 488 | "regex_value": "performance has (.*). 
I/O" 489 | }, 490 | "condition_type": "none", 491 | "condition_value": "" 492 | }, 493 | { 494 | "title": "vmware7_hypervisor_name_5", 495 | "extractor_type": "regex", 496 | "converters": [], 497 | "order": 0, 498 | "cursor_strategy": "copy", 499 | "source_field": "message", 500 | "target_field": "HYPERVISOR_NAME", 501 | "extractor_config": { 502 | "regex_value": "Connected to (.*) in " 503 | }, 504 | "condition_type": "none", 505 | "condition_value": "" 506 | }, 507 | { 508 | "title": "vmware_sensor_id", 509 | "extractor_type": "regex", 510 | "converters": [], 511 | "order": 0, 512 | "cursor_strategy": "copy", 513 | "source_field": "message", 514 | "target_field": "sensor_id", 515 | "extractor_config": { 516 | "regex_value": "Sensor (.*) type" 517 | }, 518 | "condition_type": "none", 519 | "condition_value": "" 520 | }, 521 | 522 | 523 | { 524 | "title": "vmware7_hypervisor_name_6", 525 | "extractor_type": "regex", 526 | "converters": [], 527 | "order": 0, 528 | "cursor_strategy": "copy", 529 | "source_field": "message", 530 | "target_field": "HYPERVISOR_NAME", 531 | "extractor_config": { 532 | "regex_value": "query\\[A] (.*) from" 533 | }, 534 | "condition_type": "none", 535 | "condition_value": "" 536 | }, 537 | 538 | { 539 | "title": "vmware7_alarm_acknowledgement", 540 | "extractor_type": "regex", 541 | "converters": [], 542 | "order": 0, 543 | "cursor_strategy": "copy", 544 | "source_field": "message", 545 | "target_field": "alarm_acknowledgement", 546 | "extractor_config": { 547 | "regex_value": "Acknowledged alarm '(.*)'" 548 | }, 549 | "condition_type": "none", 550 | "condition_value": "" 551 | }, 552 | { 553 | "title": "vmware7_template_name", 554 | "extractor_type": "regex", 555 | "converters": [], 556 | "order": 0, 557 | "cursor_strategy": "copy", 558 | "source_field": "message", 559 | "target_field": "template_name", 560 | "extractor_config": { 561 | "regex_value": "Template (.*) deployed on host" 562 | }, 563 | "condition_type": "none", 564 | 
"condition_value": "" 565 | }, 566 | { 567 | "title": "vmware7_version", 568 | "extractor_type": "regex", 569 | "converters": [], 570 | "order": 0, 571 | "cursor_strategy": "copy", 572 | "source_field": "message", 573 | "target_field": "vmware_version", 574 | "extractor_config": { 575 | "regex_value": "version=(.*) build" 576 | }, 577 | "condition_type": "none", 578 | "condition_value": "" 579 | }, 580 | { 581 | "title": "vmware7_build_id", 582 | "extractor_type": "regex", 583 | "converters": [], 584 | "order": 0, 585 | "cursor_strategy": "copy", 586 | "source_field": "message", 587 | "target_field": "vmware_build_id", 588 | "extractor_config": { 589 | "regex_value": "build=(.*) option" 590 | }, 591 | "condition_type": "none", 592 | "condition_value": "" 593 | }, 594 | { 595 | "title": "vmware7_vmware_release", 596 | "extractor_type": "regex", 597 | "converters": [], 598 | "order": 0, 599 | "cursor_strategy": "copy", 600 | "source_field": "message", 601 | "target_field": "vmware_release", 602 | "extractor_config": { 603 | "regex_value": "option=(.*)" 604 | }, 605 | "condition_type": "none", 606 | "condition_value": "" 607 | }, 608 | { 609 | "title": "vmware7_hostname crx ", 610 | "extractor_type": "regex", 611 | "converters": [], 612 | "order": 0, 613 | "cursor_strategy": "copy", 614 | "source_field": "message", 615 | "target_field": "HOSTNAME", 616 | "extractor_config": { 617 | "regex_value": "(.*) crx" 618 | }, 619 | "condition_type": "none", 620 | "condition_value": "" 621 | }, 622 | { 623 | "title": "regex extract vcenter id ", 624 | "extractor_type": "regex", 625 | "converters": [], 626 | "order": 0, 627 | "cursor_strategy": "copy", 628 | "source_field": "message", 629 | "target_field": "VCENTER_DATACENTER_ID", 630 | "extractor_config": { 631 | "regex_value": "\\[com.vmware.vim.eam\\] (?:\\[+)(.+?)(?:\\]+)" 632 | }, 633 | "condition_type": "none", 634 | "condition_value": "" 635 | }, 636 | { 637 | "title": "vmware datacenter id extraction ", 638 | 
"extractor_type": "regex", 639 | "converters": [], 640 | "order": 0, 641 | "cursor_strategy": "copy", 642 | "source_field": "message", 643 | "target_field": "VCENTER_DATACENTER_ID", 644 | "extractor_config": { 645 | "regex_value": "\\[info\\] \\[\\] (?:\\[+)(.+?)(?:\\]+)" 646 | }, 647 | "condition_type": "none", 648 | "condition_value": "" 649 | } 650 | ], 651 | "version": "4.3.3" 652 | } 653 | --------------------------------------------------------------------------------