type udp
port 2224
bind 0.0.0.0
tag oms.api.JuniperIDP
format /\<(?[0-9]{1,3})\>[1-9]\d{0,2} (?
type record_transformer
enable_ruby
remove_keys extradata
dvc_os ${record["extradata"].scan(/^\[(junos\S+)/).flatten.compact[0]}
event_end_time ${record["extradata"].scan(/.*epoch-time="(\S+)"/).flatten.compact[0]}
message-type ${record["extradata"].scan(/.*message-type="(\S+)"/).flatten.compact[0]}
source-address ${record["extradata"].scan(/.*source-address="(\S+)"/).flatten.compact[0]}
destination-address ${record["extradata"].scan(/.*destination-address="(\S+)"/).flatten.compact[0]}
destination-port ${record["extradata"].scan(/.*destination-port="(\S+)"/).flatten.compact[0]}
protocol-name ${record["extradata"].scan(/.*protocol-name="(\S+)"/).flatten.compact[0]}
service-name ${record["extradata"].scan(/.*service-name="(\S+)"/).flatten.compact[0]}
application-name ${record["extradata"].scan(/.*application-name="(\S+)"/).flatten.compact[0]}
rule-name ${record["extradata"].scan(/.*rule-name="(\S+)"/).flatten.compact[0]}
rulebase-name ${record["extradata"].scan(/.*rulebase-name="(\S+)"/).flatten.compact[0]}
policy-name ${record["extradata"].scan(/.*policy-name="(\S+)"/).flatten.compact[0]}
export-id ${record["extradata"].scan(/.*export-id="(\S+)"/).flatten.compact[0]}
repeat-count ${record["extradata"].scan(/.*repeat-count="(\S+)"/).flatten.compact[0]}
action ${record["extradata"].scan(/.*action="(\S+)"/).flatten.compact[0]}
threat-severity ${record["extradata"].scan(/.*threat-severity="(\S+)"/).flatten.compact[0]}
attack-name ${record["extradata"].scan(/.*attack-name="(\S+)"/).flatten.compact[0]}
nat-source-address ${record["extradata"].scan(/.*nat-source-address="(\S+)"/).flatten.compact[0]}
nat-source-port ${record["extradata"].scan(/.*nat-source-port="(\S+)"/).flatten.compact[0]}
nat-destination-address ${record["extradata"].scan(/.*nat-destination-address="(\S+)"/).flatten.compact[0]}
nat-destination-port ${record["extradata"].scan(/.*nat-destination-port="(\S+)"/).flatten.compact[0]}
elapsed-time ${record["extradata"].scan(/.*elapsed-time="(\S+)"/).flatten.compact[0]}
inbound-bytes ${record["extradata"].scan(/.*inbound-bytes="(\S+)"/).flatten.compact[0]}
outbound-bytes ${record["extradata"].scan(/.*outbound-bytes="(\S+)"/).flatten.compact[0]}
inbound-packets ${record["extradata"].scan(/.*inbound-packets="(\S+)"/).flatten.compact[0]}
outbound-packets ${record["extradata"].scan(/.*outbound-packets="(\S+)"/).flatten.compact[0]}
source-zone-name ${record["extradata"].scan(/.*source-zone-name="(\S+)"/).flatten.compact[0]}
source-interface-name ${record["extradata"].scan(/.*source-interface-name="(\S+)"/).flatten.compact[0]}
destination-zone-name ${record["extradata"].scan(/.*destination-zone-name="(\S+)"/).flatten.compact[0]}
destination-interface-name ${record["extradata"].scan(/.*destination-interface-name="(\S+)"/).flatten.compact[0]}
packet-log-id ${record["extradata"].scan(/.*packet-log-id="(\S+)"/).flatten.compact[0]}
alert ${record["extradata"].scan(/.*alert="(\S+)"/).flatten.compact[0]}
username ${record["extradata"].scan(/.*username="(\S+)"/).flatten.compact[0]}
roles ${record["extradata"].scan(/.*roles="(\S+)"/).flatten.compact[0]}
msg ${record["extradata"].scan(/.*message="(\S+)"/).flatten.compact[0]}
type out_oms_api
log_level info
num_threads 5
omsadmin_conf_path /etc/opt/microsoft/omsagent//conf/omsadmin.conf
cert_path /etc/opt/microsoft/omsagent//certs/oms.crt
key_path /etc/opt/microsoft/omsagent//certs/oms.key
buffer_chunk_limit 10m
buffer_type file
buffer_path /var/opt/microsoft/omsagent//state/out_oms_api_corelight*.buffer
buffer_queue_limit 10
buffer_queue_full_action drop_oldest_chunk
flush_interval 30s
retry_limit 10
retry_wait 30s
max_retry_wait 9m