Map File(s) Fail

We've installed and configured the Symantec Endpoint Protection DB smart connector.

We've also "Map'd an Additional Data Name" (Mappings for Symantec\Endpoint_Protection:GROUP_ID=>flexString1), which we've confirmed is working. This populates the string "9C39DE190AC40F1C009D3F5ACBB02B19" in the field flexString1.

However, we're also trying to add two map files to D:\ArcSightSmartConnectors\NADTC3-CONW007-SEP1\current\user\agent\map:

map.0.properties:

set.event.customerURI
/All Customers/CompanyName

map.1.properties:

!Flags,Overwrite
event.flexString1,set.event.customerURI
9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division

Even though we've tried numerous combinations in the map file(s), we have been unable to have the value in flexString1, 9C39DE190AC40F1C009D3F5ACBB02B19, map to "/All Customers/CompanyName - Division" and populate the value "/All Customers/CompanyName - Division" into the "customerURI" field whenever the string "9C39DE190AC40F1C009D3F5ACBB02B19" is encountered in the flexString1 field.

The "map.0.properties" file is working and populating the value "/All Customers/CompanyName" in the field "customerURI". But the "map.1.properties" file is not working and is leaving the value "/All Customers/CompanyName" that was populated in the "customerURI" field by map.0.properties. So it appears that map.1.properties is being ignored.

Does anyone have any ideas on what we're doing wrong here?

  • Verified Answer

    We have resolved our issue via parser overrides:

    For the Symantec Endpoint smart connector, we constructed the same parser override for each of the log types (IDs) that the connector retrieves logs from (agent, agent-behavior, agent-security, agent-traffic, alerts, scans, server, server-admin, server-policy, and virus-category). We used the same parser override file for each of these log types (IDs):

    12_x.sdkibdatabase.properties:

    token.count=1
    token[0].name=GROUP_ID
    token[0].type=String
    event.flexString1=GROUP_ID

    This populates the GROUP_ID into the ArcSight field, "flexString1" _before_ the map files are processed.

    This file is saved in folders which represent each of the log types (IDs) (\agent, \agent-behavior, \agent-security, \agent-traffic, \alerts, \scans, \server, \server-admin, \server-policy, and \virus-category).

    Then these folders, each with the same parser override file (12_x.sdkibdatabase.properties) contained in each of them, are saved to \symantecendpointprotection_db. Finally, "\symantecendpointprotection_db" is saved under "\current\user\agent\fcp".

    example: \current\user\agent\fcp\symantecendpointprotection_db\agent\12_x.sdkibdatabase.properties

    The map files, we used before, still remain under \current\user\agent\map and work with these parser overrides.

    Hopefully this benefits others who are trying to separate a single instance of Symantec Endpoint Protection logs into different ArcSight "Companies" based on the group IDs created in Symantec.
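The ordering problem the accepted answer describes, as an added example that is not part of the thread or of ArcSight itself: a small model of the map-file format shown above (header of event.X getters and set.event.X setters, optional !Flags line, comma-separated rows) applied in two orders. The assumption, taken from the answer, is that the "additional data" mapping fills flexString1 only after the map stage, while the parser override fills it before.

```python
"""Model of why map.1.properties looked ignored (added example, not ArcSight code)."""
from typing import Dict

# Constructed copies of the two map files posted in the question.
MAP_0 = "set.event.customerURI\n/All Customers/CompanyName\n"
MAP_1 = ("!Flags,Overwrite\n"
         "event.flexString1,set.event.customerURI\n"
         "9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division\n")


def apply_map_file(event: Dict[str, str], text: str) -> None:
    """Apply one map file: event.X columns are matched against the event,
    set.event.X columns are written when a row matches all getters."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines[0].startswith("!Flags"):
        lines = lines[1:]          # modelled as always-overwrite, which matches the posted flag
    header = lines[0].split(",")
    getters = [(i, h[len("event."):]) for i, h in enumerate(header) if h.startswith("event.")]
    setters = [(i, h[len("set.event."):]) for i, h in enumerate(header) if h.startswith("set.event.")]
    for row in lines[1:]:
        cols = row.split(",")
        if all(event.get(field) == cols[i] for i, field in getters):  # no getters -> unconditional
            for i, field in setters:
                event[field] = cols[i]
            break


def run_pipeline(group_id: str, flex_from_parser: bool) -> Dict[str, str]:
    """flex_from_parser=True: the parser override (event.flexString1=GROUP_ID) runs
    before the map stage. False: the additional-data mapping lands after it."""
    event: Dict[str, str] = {}
    if flex_from_parser:
        event["flexString1"] = group_id
    for map_file in (MAP_0, MAP_1):          # map.0.properties, then map.1.properties
        apply_map_file(event, map_file)
    if not flex_from_parser:
        event["flexString1"] = group_id      # too late for map.1.properties to see it
    return event


if __name__ == "__main__":
    gid = "9C39DE190AC40F1C009D3F5ACBB02B19"
    print(run_pipeline(gid, flex_from_parser=False)["customerURI"])  # /All Customers/CompanyName
    print(run_pipeline(gid, flex_from_parser=True)["customerURI"])   # /All Customers/CompanyName - Division
```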
