NAM 4.5 - ArcSight Integration (Logging)

Here are the steps to integrate NAM 4.5 auditing with ArcSight ESM and ArcSight Logger.

  • NOTES
  • Auditing (ALL)
  • Auditing (ArcSight)
    • NAM Administration Console
    • Auditing: JSON
      • Click Auditing > Syslog (Send to Third Party)
      • Server Listening Address > ArcSight Logger or Syslog SmartConnector
      • Management Console Audit Events
        • Select all events except "Server Statistics" (002e0606; this event is noisy)
  • ArcSight SmartConnector (Syslog Daemon)
    • NOTES
      • Required for ArcSight ESM but not for ArcSight Logger (the parser below is for the connector only)
      • The connector can send to both ESM and Logger, so both receive properly parsed CEF events
      • The parser is "unofficial" (community-provided, not a supported Micro Focus connector)
    • Install following PDF
      • https://community.microfocus.com/t5/ArcSight-Connectors/ct-p/ConnectorsDocs
    • Parser (Syslog subagent and keyvalue)
      • Copy to <ARST>/current/user/agent/flexagent/syslog/
      • nam.subagent.sdkrfilereader.properties
      • nam-results.sdkkeyvaluefilereader.properties
    • Fields
      • deviceVendor=MicroFocus
      • deviceProduct=Access Manager
      • deviceProcessName=appName
      • deviceReceiptTime=timeStamp
      • destinationHostName=subTarget
      • name=description (or Description)
      • message=message (or Message)
      • deviceFacility=originator (or Originator)
      • deviceEventClassId=eventId
      • deviceCustomString1=stringValue1
      • deviceCustomString2=stringValue2
      • deviceCustomString3=stringValue3
      • deviceCustomString4=component (or Component)
      • deviceCustomString5=target (or Target)
      • deviceCustomString6=data (or Data)
      • deviceCustomNumber1=numericValue1
      • deviceCustomNumber2=numericValue2
      • deviceCustomNumber3=numericValue3
  • ArcSight Logger Only
    • NOTES
      • No Connector / Parser
      • Raw JSON events
    • Configuration > Receivers > Add
    • TCP Receiver
    • TCP 1468
    • Example Queries
      • receiver = "NAM" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":(?<stringValue1>.*?)\,\"stringValue2\":(?<stringValue2>.*?)\,\"stringValue3\":(?<stringValue3>.*?)\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,(?<CATCHALL>.*?)\}"
      • receiver = "NAM" and NOT "002E0601" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":\"(?<stringValue1>.*?)\"\,\"stringValue2\":\"(?<stringValue2>.*?)\"\,\"stringValue3\":\"(?<stringValue3>.*?)\"\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,\"description\":\"(?<description>.*?)\"\,\"message\":\".*?AMDEVICEID#.*?:\s*(?<message>.*?)\".*?\}" | top eventId stringValue1 stringValue2 stringValue3 message
      • (receiver = "NAM") and "NIDS:" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":(?<stringValue1>.*?)\,\"stringValue2\":(?<stringValue2>.*?)\,\"stringValue3\":(?<stringValue3>.*?)\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,\"description\":\"(?<description>.*?)\"\,\"message\":\".*?AMDEVICEID#.*?:\s*(?<message>.*?)\".*?\}" | top eventId description stringValue1 stringValue2 stringValue3 message
      • (receiver = "NAM") and NOT "NIDS:" and NOT "002E0601" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":(?<stringValue1>.*?)\,\"stringValue2\":(?<stringValue2>.*?)\,\"stringValue3\":(?<stringValue3>.*?)\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,\"description\":\"(?<description>.*?)\"\,\"message\":\".*?AMDEVICEID#.*?:\s*(?<message>.*?)\".*?\}" | top eventId description stringValue1 stringValue2 stringValue3 message
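The following Python script is an added example, not part of this page or of the unofficial parser it describes. It does offline what the SmartConnector field table and the Logger rex queries above do together: split the syslog envelope (`<PRI>Mon DD HH:MM:SS host {json}`) from the JSON body, drop the noisy Server Statistics event (002e0606), strip the `AMDEVICEID#...:` prefix from `message`, and emit a CEF line using the field mapping listed under the SmartConnector section. The sample events are constructed (their descriptions and values do not reflect real NAM event definitions), the exact JSON key set is taken from the rex queries and is an assumption, and the CEF header's device version ("4.5") and severity ("5") are placeholders. The page lists ArcSight long field names (deviceCustomString1 etc.); the script writes the corresponding CEF wire keys (cs1, cn1, dhost, rt, msg).

```python
import json
import re
from typing import Dict, List, Optional

# NAM sends each audit event as one syslog line: <PRI>Mon DD HH:MM:SS host {json}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<host>\S+)\s+(?P<body>\{.*\})\s*$"
)
# The message value carries an "AMDEVICEID#<device>: " prefix; the Logger queries strip it
DEVICE_PREFIX_RE = re.compile(r"^.*?AMDEVICEID#[^:]*:\s*", re.S)

# "Server Statistics" is the event the admin console step leaves unselected as noisy
NOISY_EVENT_IDS = {"002e0606"}

# JSON key(s) -> CEF extension key, following the field table on this page.
# Some keys are emitted either lowercase or capitalised, so both spellings are tried.
EXTENSION_MAP = [
    (("appName",), "deviceProcessName"),
    (("timeStamp",), "rt"),
    (("subTarget",), "dhost"),
    (("message", "Message"), "msg"),
    (("originator", "Originator"), "deviceFacility"),
    (("stringValue1",), "cs1"),
    (("stringValue2",), "cs2"),
    (("stringValue3",), "cs3"),
    (("component", "Component"), "cs4"),
    (("target", "Target"), "cs5"),
    (("data", "Data"), "cs6"),
    (("numericValue1",), "cn1"),
    (("numericValue2",), "cn2"),
    (("numericValue3",), "cn3"),
]


def _first(event: dict, keys) -> Optional[str]:
    """Return the first present, non-empty value among alternative key spellings."""
    for k in keys:
        if k in event and event[k] not in (None, ""):
            return str(event[k])
    return None


def _esc_header(v: str) -> str:
    """CEF header fields escape backslash and pipe."""
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    """CEF extension values escape backslash and equals; newlines become literal \\n."""
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def parse_syslog_line(line: str) -> Optional[Dict]:
    """Split the syslog envelope from the JSON body; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    return {"host": m.group("host"), "syslog_ts": m.group("ts"), "event": body}


def to_cef(parsed: Dict) -> str:
    """Render one parsed NAM event as a CEF:0 line (version/severity are placeholders)."""
    ev = parsed["event"]
    event_id = _first(ev, ("eventId",)) or "unknown"
    name = _first(ev, ("description", "Description")) or event_id
    header = "|".join(["CEF:0", "MicroFocus", "Access Manager", "4.5",
                       _esc_header(event_id), _esc_header(name), "5"])
    ext = [f"dvchost={_esc_ext(parsed['host'])}"]
    for keys, cef_key in EXTENSION_MAP:
        val = _first(ev, keys)
        if val is None:
            continue
        if cef_key == "msg":
            val = DEVICE_PREFIX_RE.sub("", val, count=1)
        ext.append(f"{cef_key}={_esc_ext(val)}")
    return header + "|" + " ".join(ext)


def process(lines: List[str], drop_noisy: bool = True) -> List[str]:
    """Parse a batch of syslog lines, drop noisy event IDs, and return CEF lines."""
    out = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue
        eid = str(parsed["event"].get("eventId", "")).lower()
        if drop_noisy and eid in NOISY_EVENT_IDS:
            continue
        out.append(to_cef(parsed))
    return out


# Constructed sample lines (hypothetical values; key set assumed from the rex queries)
SAMPLE_LINES = [
    '<14>Mar  3 10:15:22 nam-idp1 {"appName":"IDP","timeStamp":"2024-03-03T10:15:22Z",'
    '"eventId":"002E0601","subTarget":"","stringValue1":"alice","stringValue2":"10.0.0.5",'
    '"stringValue3":"","numericValue1":0,"numericValue2":0,"numericValue3":0,'
    '"description":"Authentication","message":"AMDEVICEID#idp-1: NIDS: User alice logged in",'
    '"originator":"NIDS","component":"Identity Server","target":"Login","data":""}',
    '<14>Mar  3 10:15:23 nam-idp1 {"appName":"IDP","timeStamp":"2024-03-03T10:15:23Z",'
    '"eventId":"002e0606","subTarget":"","stringValue1":"","stringValue2":"","stringValue3":"",'
    '"numericValue1":12,"numericValue2":3,"numericValue3":0,"description":"Server Statistics",'
    '"message":"AMDEVICEID#idp-1: stats","originator":"NIDS","component":"Identity Server",'
    '"target":"Stats","data":""}',
]

if __name__ == "__main__":
    for cef_line in process(SAMPLE_LINES):
        print(cef_line)
```

Run it as-is to see the single CEF line that survives the noise filter; feed it real lines captured from the TCP 1468 receiver (one event per line) to check the key set assumption before relying on the mapping.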