VMware
The JSA VMware content extension adds new custom event properties for VMware.
The following table shows the custom properties in the JSA VMware V1.0.0 content extension.
Table 1: Custom Properties in VMware V1.0.0 Content Extension
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Filename | Yes | 1 | \](?:[^\/]*?\/)*?([^\/\']*?)' was<br>msg=Deletion of file or directory\s.*(?:\\|\/)(.*?)\sfrom<br>fileName=([^\t]+)[\t]* |
Machine ID | Yes | 1 | Warning message on\s(.*?)\son<br>msg=.*?\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s<br>msg=Message on\s(.*?)\son<br>msg=(.*?)\son<br>Permission created for\s\w+\son\s([^,]+)<br>Permission rule removed for\s\w+\son\s(.*)$<br>msg=Reconfigured\s(.*?)\son<br>machine\s(.*?)\son<br>Permission created for .*? on (.*?),<br>msg=Removed\s(.*?)\son |
Role Name | Yes | 1 | role is\s([^,]+)<br>from.*to '(.*?)' |
Target User Name | Yes | 1 | msg=Account\s+(.*?)\s+was<br>Permission rule removed for\s(\w+)<br>Permission created for\s(\w+)<br>Permission created for (.*?) on |
TaskName | No | 1 | Task\sCreated\s:.*?(\w+\.\w+)-\d+<br>Task\sCompleted\s:.*?(\w+\.\w+)-\d+ |
User Agent | No | 1 | user agent:\s(.*)$<br>logged in as\s(.*)$<br>initiated\sfrom\s\'(.*?)@ |