The add-on is installed on search head, indexers and heavy forwarder.
I have set up the data input on the heavy forwarder servers.
The props.conf and transforms.conf are copied from the "default" folder to the "local" folder.
I find that the two statements below in props.conf are working, but the others do not.
EVAL-app = "Websense DLP"
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")
props.conf
[websense:dlp:system:cef]
# Sourcetype stanza for Websense DLP events delivered as CEF. Per the post,
# only EVAL-app and EVAL-type produce values; the REPORT, FIELDALIAS,
# EVAL-subject and LOOKUP entries are reported as not working.
# NOTE(review): these are search-time knowledge objects, so the copy that
# matters is presumably the one on the search head, not the heavy forwarder
# where the input is defined — confirm which instance was edited.
KV_MODE = none
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
# Field extraction via two transforms in transforms.conf. Only the first
# (websense_dlp_system_cef_extract_field_0) is visible in the post, and its
# REGEX is truncated there, so the extraction itself cannot be checked here.
REPORT-2_extract_field = websense_dlp_system_cef_extract_field_0, websense_dlp_system_cef_extract_field_1
# Aliases read fields that the REPORT extraction above is expected to supply
# (cef_event_severity_id, act, cef_extension, cef_event_signature_id). If the
# extraction yields nothing, every alias is empty as well.
FIELDALIAS-3_alias_fields = cef_event_severity_id as vendor_severity
FIELDALIAS-4_alias_fields = act as vendor_action
FIELDALIAS-body = cef_extension as body
FIELDALIAS-id = cef_event_signature_id as id
FIELDALIAS-severity_id = cef_event_severity_id as severity_id
# EVAL-app is a constant and needs no extracted field, so it appears to work
# regardless of extraction.
EVAL-app = "Websense DLP"
# NOTE(review): when act is absent, match() presumably fails and the else
# branch "unknown" is taken — so this also "works" with no extraction, while
# silently turning blocked DLP events into "unknown" instead of "alert".
# Presumably the missing act field, not this EVAL, is what to verify.
EVAL-type = if(match(act, "Blocked"), "alert", "unknown")
# Depends on cat and sourceServiceName from the extraction; string
# concatenation with a missing field presumably yields no subject at all.
EVAL-subject = "Websense DLP alert. Policy:" + cat + " SourceServiceName:" + sourceServiceName
# Lookups key on the aliased vendor_action / vendor_severity fields, so they
# inherit the same dependency on the extraction succeeding.
LOOKUP-5_look_up_extract = websense_dlp_actions_lookup vendor_action OUTPUT action
LOOKUP-6_look_up_extract = websense_dlp_severity_lookup vendor_severity OUTPUT severity
transforms.conf
[websense_dlp_system_cef_extract_field_0]
REGEX = (.+)\s+CEF:(\d+)(?