Benefits of adding Field Resolvers in Logging Profile elements

Field Resolvers convert values in incoming syslog fields to different values in SMC logs.

There are two types of Field Resolvers: multi-value field resolvers and date field resolvers.

Multi-valued field resolvers

You can use multi-valued field resolvers in the following case:

To convert one value to several log fields — In some cases, a single incoming value corresponds to several log fields in SMC logs. A Field Resolver can parse that single value into multiple SMC log fields. For example, SMC components set an Action, a Situation, and an Event for traffic filtering decisions. If the external component reports a “permitted” action, the Field Resolver can set the corresponding SMC log values for all three log fields.

Note: You can also use multi-value field resolvers when the log data has a pre-set range of values both on the external device and in the SMC, but the possible values differ between the two. For example, you can map a range of alert severities in the original data to the corresponding alert severities in SMC logs (Info/Low/High/Critical).

Date field resolvers

You can use date field resolvers in the following case:

Converting time stamps — Different external devices use different date and time formats. A Field Resolver for each incoming format maps the dates and times correctly to the SMC log format. The date and time syntax in Field Resolvers follows the Java standard.
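The following is an added illustration of both resolver types described above, written as a small Python model; it is not SMC code or configuration. The target field names Action, Situation, Event and the severities Info/Low/High/Critical come from this page, while the action values, the 0-7 device severity scale, the incoming timestamp formats and the sample record are constructed for the example. The date patterns are Python strptime patterns, not the Java date-pattern syntax that SMC uses.

```python
"""Toy model of Logging Profile field resolvers.

Added illustration only: the field values, severity scale, timestamp formats
and sample record below are constructed and are not SMC configuration.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# --- Multi-value field resolver -------------------------------------------
# One incoming value expands to several SMC-style log fields.  The target
# field names (Action, Situation, Event) follow the page; the values are
# constructed placeholders, not real SMC situation names.
ACTION_RESOLVER: Dict[str, Dict[str, str]] = {
    "permitted": {"Action": "Allow", "Situation": "Connection allowed",
                  "Event": "New connection"},
    "denied": {"Action": "Discard", "Situation": "Connection discarded",
               "Event": "Connection discarded"},
}

# Range mapping: a constructed 0-7 device severity scale (syslog-style,
# 0 = most severe) onto the SMC alert severities named on the page.
SEVERITY_BUCKETS: List[Tuple[range, str]] = [
    (range(0, 2), "Critical"),
    (range(2, 4), "High"),
    (range(4, 6), "Low"),
    (range(6, 8), "Info"),
]


def resolve_action(value: str) -> Dict[str, str]:
    """Expand one action value into the three SMC fields; unknown values yield {}."""
    return dict(ACTION_RESOLVER.get(value.strip().lower(), {}))


def resolve_severity(value: str) -> Optional[str]:
    """Map a device severity number onto Info/Low/High/Critical, or None if out of range."""
    try:
        n = int(value)
    except ValueError:
        return None
    for bucket, label in SEVERITY_BUCKETS:
        if n in bucket:
            return label
    return None


# --- Date field resolver --------------------------------------------------
# One pattern per incoming format, tried in order.  These are Python strptime
# patterns; SMC itself expresses date formats in Java date-pattern syntax.
DATE_PATTERNS: List[str] = [
    "%Y-%m-%dT%H:%M:%S%z",     # ISO 8601 with UTC offset
    "%b %d %H:%M:%S",          # BSD syslog header, no year
    "%d/%b/%Y:%H:%M:%S %z",    # Apache-style access log
]


def resolve_date(value: str, assume_year: int = 2024) -> Optional[str]:
    """Normalise a timestamp to ISO 8601 UTC; None if no pattern matches."""
    for pattern in DATE_PATTERNS:
        try:
            parsed = datetime.strptime(value.strip(), pattern)
        except ValueError:
            continue
        if "%Y" not in pattern:           # BSD syslog omits the year
            parsed = parsed.replace(year=assume_year)
        if parsed.tzinfo is None:         # treat naive stamps as UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return None


def resolve_record(fields: Dict[str, str]) -> Dict[str, str]:
    """Apply all resolvers to one parsed syslog record.

    A value no resolver recognises is kept under its original name, so an
    unexpected format degrades to a raw field rather than a lost event.
    """
    out: Dict[str, str] = {}
    for name, value in fields.items():
        if name == "action":
            out.update(resolve_action(value) or {"action": value})
        elif name == "sev":
            out["Severity"] = resolve_severity(value) or value
        elif name == "ts":
            out["Timestamp"] = resolve_date(value) or value
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    # Constructed record, as a key=value syslog payload might be parsed.
    sample = {"ts": "Mar 09 12:34:56", "sev": "2", "action": "permitted", "src": "10.0.0.5"}
    print(resolve_record(sample))
```

The ordering of DATE_PATTERNS matters: the first pattern that parses wins, so more specific formats belong first. Keeping unresolved values under their original field name is the defensive choice for a log pipeline, because a device that changes its timestamp format should show up as a visible normalisation failure rather than silently dropped events.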