type udp port 2224 bind 0.0.0.0 tag oms.api.JuniperIDP format /\<(?[0-9]{1,3})\>[1-9]\d{0,2} (?[^ ]+) (?[!-~]{1,255}) (?[!-~]{1,48}) (?[!-~]{1,128}) (?[!-~]{1,32}) (?(?:\-|(?:\[.*?(?.+))?\z/ type record_transformer enable_ruby remove_keys extradata dvc_os ${record["extradata"].scan(/^\[(junos\S+)/).flatten.compact[0]} event_end_time ${record["extradata"].scan(/.*epoch-time="(\S+)"/).flatten.compact[0]} message-type ${record["extradata"].scan(/.*message-type="(\S+)"/).flatten.compact[0]} source-address ${record["extradata"].scan(/.*source-address="(\S+)"/).flatten.compact[0]} destination-address ${record["extradata"].scan(/.*destination-address="(\S+)"/).flatten.compact[0]} destination-port ${record["extradata"].scan(/.*destination-port="(\S+)"/).flatten.compact[0]} protocol-name ${record["extradata"].scan(/.*protocol-name="(\S+)"/).flatten.compact[0]} service-name ${record["extradata"].scan(/.*service-name="(\S+)"/).flatten.compact[0]} application-name ${record["extradata"].scan(/.*application-name="(\S+)"/).flatten.compact[0]} rule-name ${record["extradata"].scan(/.*rule-name="(\S+)"/).flatten.compact[0]} rulebase-name ${record["extradata"].scan(/.*rulebase-name="(\S+)"/).flatten.compact[0]} policy-name ${record["extradata"].scan(/.*policy-name="(\S+)"/).flatten.compact[0]} export-id ${record["extradata"].scan(/.*export-id="(\S+)"/).flatten.compact[0]} repeat-count ${record["extradata"].scan(/.*repeat-count="(\S+)"/).flatten.compact[0]} action ${record["extradata"].scan(/.*action="(\S+)"/).flatten.compact[0]} threat-severity ${record["extradata"].scan(/.*threat-severity="(\S+)"/).flatten.compact[0]} attack-name ${record["extradata"].scan(/.*attack-name="(\S+)"/).flatten.compact[0]} nat-source-address ${record["extradata"].scan(/.*nat-source-address="(\S+)"/).flatten.compact[0]} nat-source-port ${record["extradata"].scan(/.*nat-source-port="(\S+)"/).flatten.compact[0]} nat-destination-address ${record["extradata"].scan(/.*nat-destination-address="(\S+)"/).flatten.compact[0]} nat-destination-port ${record["extradata"].scan(/.*nat-destination-port="(\S+)"/).flatten.compact[0]} elapsed-time ${record["extradata"].scan(/.*elapsed-time="(\S+)"/).flatten.compact[0]} inbound-bytes ${record["extradata"].scan(/.*inbound-bytes="(\S+)"/).flatten.compact[0]} outbound-bytes ${record["extradata"].scan(/.*outbound-bytes="(\S+)"/).flatten.compact[0]} inbound-packets ${record["extradata"].scan(/.*inbound-packets="(\S+)"/).flatten.compact[0]} outbound-packets ${record["extradata"].scan(/.*outbound-packets="(\S+)"/).flatten.compact[0]} source-zone-name ${record["extradata"].scan(/.*source-zone-name="(\S+)"/).flatten.compact[0]} source-interface-name ${record["extradata"].scan(/.*source-interface-name="(\S+)"/).flatten.compact[0]} destination-zone-name ${record["extradata"].scan(/.*destination-zone-name="(\S+)"/).flatten.compact[0]} destination-interface-name ${record["extradata"].scan(/.*destination-interface-name="(\S+)"/).flatten.compact[0]} packet-log-id ${record["extradata"].scan(/.*packet-log-id="(\S+)"/).flatten.compact[0]} alert ${record["extradata"].scan(/.*alert="(\S+)"/).flatten.compact[0]} username ${record["extradata"].scan(/.*username="(\S+)"/).flatten.compact[0]} roles ${record["extradata"].scan(/.*roles="(\S+)"/).flatten.compact[0]} msg ${record["extradata"].scan(/.*message="(\S+)"/).flatten.compact[0]} type out_oms_api log_level info num_threads 5 omsadmin_conf_path /etc/opt/microsoft/omsagent//conf/omsadmin.conf cert_path /etc/opt/microsoft/omsagent//certs/oms.crt key_path /etc/opt/microsoft/omsagent//certs/oms.key buffer_chunk_limit 10m buffer_type file buffer_path /var/opt/microsoft/omsagent//state/out_oms_api_corelight*.buffer buffer_queue_limit 10 buffer_queue_full_action drop_oldest_chunk flush_interval 30s retry_limit 10 retry_wait 30s max_retry_wait 9m