An event policy(see below) configured to update the userattribute6 with an extract of
an alert message and localhost does not work when deployed to the Nimsoft connector.
The same policy works when deployed to the UC or MTC connector.
<Catalog version='1.0'>
<EventClass name='Alert'>
<Classify>
<Field input='Summary' output='eventtype' outval='SOX_UIM_User' pattern='^.*4625.*$' />
</Classify>
</EventClass>
<EventClass name='SOX_UIM_User' extends='Alert'>
<Parse>
<Field output='temp_parse_userAttribute60' pattern='^[^*]+(.*0Account\sName:.*Account).*.*' input='Message' />
</Parse>
<Format>
<Field conditional='temp_parse_userAttribute60' output='userAttribute6' format='{1}|{0}' input='{localhost},temp_parse_userAttribute60' />
<Field conditional='!MdrProduct' output='MdrProduct' format='{0}' input='AlertedMdrProduct' />
<Field conditional='!MdrProdInstance' output='MdrProdInstance' format='{0}' input='AlertedMdrProdInstance' />
<Field output='ClassName' format='Alert' input='' />
</Format>
</EventClass>
</Catalog>
UIM connector provides variables as "summary" and "message" and not Summary and Message
1) Open the policy file in the ..\extensions folder on the UIM connector machine and change "Summary" to "summary" and "Message" to "message"
2) Stop Catalyst Container service
3) Start Catalyst Container service