API tools faq
paste
Advertisement
alacercogitatus

Event Parsing Failure

alacercogitatus
Oct 6th, 2011
81
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 0.91 KB | None | 0 0
raw download clone embed print report
  1. props.conf
  2.  
  3.  
  4. [ldap:open:audit]
  5. SHOULD_LINEMERGE = true
  6. BREAK_ONLY_BEFORE = ^#\s+modify\s+\d+\s+
  7. BREAK_ONLY_BEFORE_DATE = false
  8. REPORT-MultiValueAudit = loa-MultiValueAudit
  9. REPORT-AuditUser = loa-audituser
  10.  
  11.  
  12. transforms.conf
  13.  
  14.  
  15. [loa-MultiValueAudit]
  16. DELIMS="\n", ":"
  17. MV_ADD=true
  18.  
  19. [loa-audituser]
  20. REGEX = ^# modify (\d+) (dc=[\w,=]+) (\w+=([\w\s]*),([,=\w]*))
  21. FORMAT = modifiedTimestamp::$1 suffix::$2 ModifiedBy::$4 ModifierBase::$5 fullModifierName::$3
  22.  
  23.  
  24. ====== EVENT TO PARSE (sourcetype=ldap:open:audit) =========
  25.  
  26. # modify 1317923089 dc=ycp,dc=edu cn=Manager,dc=contoso,dc=com conn=-1
  27. dn: uid=USER,ou=People,dc=contoso,dc=com
  28. changetype: modify
  29. delete: pwdFailureTime
  30. -
  31. replace: entryCSN
  32. entryCSN: 20111006174450.024605Z#000000#004#000000
  33. -
  34. replace: modifiersName
  35. modifiersName: cn=Manager,dc=contoso,dc=com
  36. -
  37. replace: modifyTimestamp
  38. modifyTimestamp: 20111006174450Z
  39. -
  40. # end modify 1317923089
  41.  
  42.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!