We created a parser for an ESM that is sending correlated events to a syslog forwarder, and then our master ESM is getting those forwarded events. Currently we are able to parse out the pertinent data, but when you look at the dashboard, instead of seeing the event ID like you would normally see, you just see SYSLOG-NG. The event ID is visible in the log, but I can't edit Rule_Message in the Field Assignment. Has anyone worked with anything like this before?
You can see in this screenshot that we have parsed out the Signature ID. What I would like to do is have that field listed as the event's Rule Name instead of Syslog_NG_ESM.
Personally I would rather have the text in "Message_Text". In your parsing rule, map the text to "Signature Description" instead of "Client_Signature".
You can make the mapping that includes both like this:
That will list the text from fields 1:2 and 1:4 with a space between them.