Pre-persistence rule to populate DestinationAddress field

I have an event source which under a set of conditions doesn't populate the Destination Host nor the Destination Address. It does however populate the DeviceCustomString5 field with the value I'm looking for.

I tried to create a pre-persistence rule which would use a variable to convert DeviceCustomString5 to an IP address, then assign it to the DestinationAddress field. The UI doesn't allow me to set the value, which makes me believe that I'm attempting something impossible.

Can you set the value of DestinationAddress or even TargetAddress to values such as DeviceCustomString5 using pre-persistence rules?

I can't find any clear list of what's possible and what's not in the documentation.

Thanks,

  • If you are certain it is an IP address, I usually pull a trick using velocity on a rule action.

    On the rule action, make sure to Set Field destination address = $deviceCustomString5

    Make sure to add device custom string 5 to the aggregation tab.

    Another question is why would you not use a map file to do what you want at the smartconnector and avoid this?

  • Keep in mind that you are trying to put a "string" into an "address" field, so you will likely need to do some local variable conversion to change from string to address.

    You could also consider doing a parser override at the connector level to populate destinationAddress with the value.

  • I'm not sure if it can be done with map files.  Is it possible to use a map file to set a dynamic value?  And can that be done conditionally?

    The prepersistence rule can very easily trigger on a condition and set the value.

    If I understand prepersistence correctly, if I tried to use regular rules with velocity templates, then the result won't be captured by the rules which follow.

  • Thanks for the heads up on variable conversion, I was sure to give that a try before posting. I tried setting the hostname to the IP string just in case prepersistence had a problem with conversion... no go.

    I think parser override might be the right way to do it.

    I found a workaround to the problem by assigning the Source address to the Destination address (for this particular type of event, the Source Address has the correct value, so this worked...)

    The method *should* still work I think. I've opened a ticket with HP, I'll follow up on this thread if they have a solution. The UI (in ESM 6.5 Linux client) behaves a bit unusually, I can select the variable from the list, but it will not allow me to click OK or save. Setting the field to a different value works, but I can't work with DeviceCustomString5 or a heap of other fields.

    I'm not sure if the UI is broken, or if it is trying to tell me that maybe certain events aren't available in prepersistence.

  • I would suggest to use map files on the connector level to achieve this.

    Just try to enter the values in this format:

    event.deviceCustomString5,set.event.deviceAddress

    10.1.0.1,10.1.0.1

    What are the values in your deviceCustomString5 field? Is it a hostname or an IP address?

  • @Mike Kallies

    I have also attached documentation on how to create map files.

    Regards,

    Anirudh

  • It's a string of an IP address.

    Is there a way to use map files without knowing all the possible addresses in advance?

    e.g.,

    event.deviceCustomString5,set.event.deviceAddress

    10.1.0.1,10.1.0.1

    10.1.0.2,10.1.0.2

    10.1.0.3,10.1.0.3

    ...

  • Actually, you do not need a conversion. ArcSight does this fine every time.

  • Hello Mike,

    Try the following in the map file, but the smartconnector must be at least version 7.0.4:

    set.expr(deviceCustomString1).event.sourceAddress

    deviceCustomString1

    Let me know if it works for you.