Event Stitching
Sometimes a single event cannot be built from one log line because the data it needs is spread across several logs. Event stitching lets the event builder pull the relevant pieces of information out of different parsed logs and combine them into one event. Each parser extracts its part of the same logical activity (for example, a VPN login) from the log it handles, and the event builder joins those parts into a single event.
Two types of event builder can be used to combine information from multiple messages into a single event:
VariableMessageMultiEventTracker – Used to combine information from a variable number of messages into a single event.
ContivityMultiEventTracker – Used to combine information from exactly two messages into a single event.
Here is an example Postfix email event builder:
    postfix-email-in = {
      input-message = [
        ### for 'ContivityMultiEventTracker' event builders there must be exactly two objects in this array,
        ### because 'ContivityMultiEventTracker' always uses exactly two messages
        {
          expression = "type = 's-postfix-dlp-email'"   ### the expression naming the parser to catch, plus any other logical conditions
          output-fields = "msg_id,src_ip,src_host,sender,recipients,recipient,host,subject"   ### fields to keep from the parsed message; they become part of the event
          type = s-postfix-dlp-email   ### a name given to this specific message extraction
        },
        {
          expression = "type = 's-postfix-dlp-email-1'"
          output-fields = "dest_ip,dest_host"
          type = s-postfix-dlp-email-1
        }
      ]
      key-fields = "msg_id"   ### the field that ties the two messages together; it must be present in both parsed messages
      name = postfix-email-in   ### the name of the event builder, the same as the HOCON block name
      output-type = dlp-email-alert-in   ### event type
      source = Postfix   ### product name
      tracker = ContivityMultiEventTracker   ### the type of event builder; the other valid value is 'VariableMessageMultiEventTracker'
      vendor = Postfix   ### vendor name
    }
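As an added illustration (not the product's own code), the following Python model shows how a ContivityMultiEventTracker stitches the two Postfix messages above on key-fields = msg_id: each message is claimed by the first input-message whose expression matches, only its output-fields are kept, and the event is emitted once both halves with the same key have arrived. The config dict, the minimal `field = 'value'` expression evaluator, the ContivityTracker class and the sample messages are all constructed assumptions.

```python
import re
# Constructed config dict mirroring the postfix-email-in HOCON block above (hypothetical, not the product's loader)
EBUILDER = {
    "name": "postfix-email-in", "tracker": "ContivityMultiEventTracker", "key-fields": "msg_id",
    "output-type": "dlp-email-alert-in", "source": "Postfix", "vendor": "Postfix",
    "input-message": [
        {"expression": "type = 's-postfix-dlp-email'", "type": "s-postfix-dlp-email",
         "output-fields": "msg_id,src_ip,src_host,sender,recipients,recipient,host,subject"},
        {"expression": "type = 's-postfix-dlp-email-1'", "type": "s-postfix-dlp-email-1",
         "output-fields": "dest_ip,dest_host"},
    ],
}

def matches(expression, msg):
    """Evaluate the simple `field = 'value'` expression form used in the config above."""
    m = re.fullmatch(r"\s*(\w+)\s*=\s*'([^']*)'\s*", expression)
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    field, value = m.groups()
    return msg.get(field) == value

class ContivityTracker:
    """Stitch exactly two parsed messages that share the key field(s) into one event."""
    def __init__(self, cfg):
        self.cfg = cfg
        self.keys = [k.strip() for k in cfg["key-fields"].split(",")]
        self.pending = {}  # key tuple -> (index of the half already seen, its kept fields)
    def feed(self, msg):
        """Return the stitched event once both halves have arrived, otherwise None."""
        for idx, spec in enumerate(self.cfg["input-message"]):
            if matches(spec["expression"], msg):
                break
        else:
            return None  # message not claimed by this event builder
        key = tuple(msg.get(k) for k in self.keys)
        if any(v is None for v in key):
            return None  # cannot correlate a message that lacks the key field
        fields = {f: msg[f] for f in spec["output-fields"].split(",") if f in msg}
        slot, partial = self.pending.get(key, (None, None))
        if partial is None or slot == idx:  # first half, or a repeat of the same half: keep waiting
            self.pending[key] = (idx, fields)
            return None
        del self.pending[key]
        partial.update(fields, type=self.cfg["output-type"], source=self.cfg["source"], vendor=self.cfg["vendor"])
        return partial
# Constructed sample: the two halves of one Postfix delivery, correlated on msg_id
SAMPLE_HALVES = [
    {"type": "s-postfix-dlp-email", "msg_id": "ABC123", "src_ip": "10.0.0.5", "sender": "a@example.net"},
    {"type": "s-postfix-dlp-email-1", "msg_id": "ABC123", "dest_ip": "192.0.2.10", "dest_host": "mx.example.org"},
]
```

Feeding the two SAMPLE_HALVES entries to a ContivityTracker in either order yields one dlp-email-alert-in event carrying src_ip from the first parser and dest_ip/dest_host from the second; a message without msg_id, or one no expression claims, is dropped rather than left pending.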