Re: Customized Cef mapping

sanchez · ‎2020-03-03

How can the mappings in cef be customized according to my requirement? I tried changes in $EXPORTDIR/conf/CefFieldsMapping.xml.
Also I tried changing the target fieldmapping.But the changes do not reflect even after I restart cp_log_export.
What can be the solution to the problem

G_W_Albrecht · ‎2020-03-03

I would suggest asking TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

sanchez · ‎2020-03-03

Is there no provision for customization of mapping than at user level?
Is it only possible to map the logs after arriving at third party application?

PhoneBoy · ‎2020-03-03

What were the precise changes you tried to make?

sanchez · ‎2020-03-03

For eg: I was trying to rename the field rt as log_ts; and have need to customize some other fields too.
I tried changes in field mapping within targets' field mapping. Also I tried changes at conf cef field mappings but to no avail.

PhoneBoy · ‎2020-03-03

What I meant was: precisely what modifications did you try to make to the file?
Can you share a snippet?

sanchez · ‎2020-03-03

i tried adding a additional mapping which would convert rt into log_ts

sanchez · ‎2020-03-03

PhoneBoy · ‎2020-03-03

@Dan_Zada any comment here?

sanchez · ‎2020-03-05

Any reply here ?? I am out on a limb here.

PhoneBoy · ‎2020-03-05

If it's urgent I recommend opening a TAC case.

sanchez · ‎2020-03-06

It is not that urgent. Its just for educational purpose and interest in the Checkpoint. I can wait, but eager to know why it is not working is all. 😄

Shay_Hibah · ‎2020-03-10

Hi @sanchez

My name is Shay and I will try to help you with this case.

A bit information about Log Exporter files:

Under log_exporter main directory ($EXPORTERDIR) you will find conf dir where all configuration files exist.

This files are the default files and should not being changed at all.

The reason is because these files are copied to every new log exporter instance you create.

Once a new log exporter instance is created, a new dir for this exporter is created under $EXPORTERDIR/targets/<exporter_name>.

For each exporter instance, you can find conf directory where all configuration files are copied to (the default files).

Any change should be done on these files (the relevant files) in this specific scope.

Now to your issue 🙂

You want to change the mapping of your exporter in order to add 3 more fields.

Since you are using CEF format, go to your exporter's conf directory ($EXPORTERDIR/targets/<exporter_name>/conf) and look for file named CefFieldsMapping.xml.

Backup this file before any changes.

Modify this file by adding the new 3 fields (make sure to add them under <fields> tag):

<field><origName>src</origName><dstName>cef_src</dstName></field>

<field><origName>rt</origName><dstName>log_ts</dstName></field>

<field><origName>dst</origName><dstName>cef_dst</dstName></field>

I'm not sure about rt since rt is already dstName of time field. in case you need to map it, you should do this using time field (an example can be seen on the file itself).

After these changes, you need to restart the exporter in order to reload this configuration by running cp_log_export restart name <exporter_name>

Please let me know if you need any additional help.

Regards,

Shay

Are you a member of CheckMates?

Customized Cef mapping