After doing some digging, I discovered the following:
ArcSight Logger stores a Mac Address as a Decimal Integer in it's Database. Thus:
- Default Formatting: 00:0B:86:CD:85:C2
- Becomes an Int: 49506256322
You can try converting with an online converter tool (but you'll have to remove the colons).
The problem I am having: using a Mac address as a user-defined parameter for a query/report.
Everything works OK if you use only raw decimal integers. However, once you introduce colons and the like, it seems to fail. I have set my parameter field:
Data Type: NUMBER
However, when I run the report or query with a mac address know to have generated an event (verified with other queries/reports), I get nothing. I think ArcSight may be stumbling on the colons or some other form of the formatting.
My question is: Does anyone have experience with how ArcSight handles the conversion between a default-formatted mac address and the decimal int?