Can you please provide the override?
This issue was said to be fixed in the 7.2.1 release, but I see that even 7.2.3 does not have the fix for it.
Yes, version 22.214.171.12489 has some issue even though it says supported; at our end it was fixed after HP support provided a parser override.
Please check the latest SmartConnector v7.2.4; I see some parsing issue fixes in the release notes.
If there is still no solution, then you can request an override for your SmartConnector.
Has anyone found a solution for this?
Upgraded the connector to the latest version (i.e. 126.96.36.19989.0) since Pulse Secure is officially supported by ArcSight.
However, the logs are not getting parsed. Device vendor/product still shows as Unix/Unix. Sample entries are as follows:
Device Vendor : Unix
Device Product : Unix
Device Process Name : PulseSecure
Device Custom String1.Module : PulseSecure
Name : 2016-07-03 11:32:12 - HostName - [127.0.0.1] System() - Removed expired user sessions from mail cache. Number of cached sessions before cleanup: 0. Number of sessions after cleanup: 0.
Please share if any of you got a solution for this. Thanks.
FYI, we've introduced a new connector, Pulse Secure Pulse Connect Secure Syslog, which supports version 8.1 of the renamed product.
That said, for the problem you're having with vendor and product being populated as unix, it would be helpful if you could supply logs for development to work with to rectify this problem.
I have upgraded the syslog connector that receives events from Juniper Pulse Secure Access 8.1r5 to 7.2.1, but in ESM I still see Device Vendor/Device Product as Unix/Unix, while according to the event mapping it should be Juniper/PulseSecure.
Is there any custom configuration needed on either the Juniper or the ArcSight side to correct the above?
Thanks and regards,
The events' Vendor/Product from Juniper PulseSecure version 8.1r5 are shown as Unix/Unix instead of Juniper/PulseSecure in ESM/Logger.
This is due to the fact that the headers have been changed. There is an FR in place for this bug, but until the fix is released, does anyone have an idea what workaround could be used to have the events shown as Juniper/PulseSecure?
Considering the fact that not only JuniperSSL devices are feeding the particular connector, putting a subparser in place may end up showing non-Juniper devices as Juniper/PulseSecure.
Does anyone have any idea on this?
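
The concern raised above, that a subparser on a shared syslog connector could relabel non-Juniper events, comes down to matching strictly on the message layout before overriding vendor/product. The following is an added Python example of that gating logic; it is not ArcSight parser-override syntax and not code from any poster. The regex and the field names `user` and `realm` are assumptions inferred from the single sample message quoted in this thread, and the other two sample events are constructed.

```python
import re

# Assumed layout, inferred only from the one sample message quoted in this thread:
#   <YYYY-MM-DD HH:MM:SS> - <host> - [<source IP>] <user>(<realm>) - <message>
PULSE_BODY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<host>\S+) - "
    r"\[(?P<src>[0-9A-Fa-f.:]+)\] "
    r"(?P<user>[^()]*)\((?P<realm>[^()]*)\) - "
    r"(?P<msg>.+)$"
)

def classify(process_name, body):
    """Return (vendor, product, fields) for one syslog event.

    The override applies only when BOTH the syslog process name and the body
    layout match; everything else keeps the generic Unix/Unix mapping.
    """
    m = PULSE_BODY.match(body) if process_name == "PulseSecure" else None
    if m is None:
        return ("Unix", "Unix", {})
    return ("Juniper", "PulseSecure", m.groupdict())

# Sample events: the first body is the message quoted in the thread,
# the other two are constructed for this example.
SAMPLES = [
    ("PulseSecure", "2016-07-03 11:32:12 - HostName - [127.0.0.1] System() - "
     "Removed expired user sessions from mail cache. Number of cached sessions "
     "before cleanup: 0. Number of sessions after cleanup: 0."),
    ("sshd", "Accepted publickey for admin from 192.0.2.10 port 50022 ssh2"),
    ("PulseSecure", "free-form text that does not follow the assumed layout"),
]

if __name__ == "__main__":
    for proc, body in SAMPLES:
        vendor, product, fields = classify(proc, body)
        print(f"{vendor}/{product}  user={fields.get('user')!r}  proc={proc}")
```

Events that carry the PulseSecure process name but fail the layout check stay Unix/Unix, which makes them easy to count and to hand to support as unparsed samples.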