NAM 4.5 - ArcSight Integration (Logging)

Here are the steps to integrate NAM with ArcSight ESM and Logger.

  • NOTES
  • Auditing (ALL)
  • Auditing (ArcSight)
    • NAM Administration Console
    • Auditing: JSON
      • Click Auditing > Syslog (Send to Third Party)
      • Server Listening Address > ArcSight Logger or Syslog SmartConnector
      • Management Console Audit Events
        • Select all except "Server Statistics" (event 002e0606, which is noisy)
  • ArcSight SmartConnector (Syslog Daemon)
    • NOTES
      • Required for ArcSight ESM but not for ArcSight Logger (the parser applies to the connector only)
      • The connector can send to both ESM and Logger so that both receive properly parsed CEF events
      • The parser is "unofficial"
    • Install by following the PDF
    • Parser (Syslog subagent and keyvalue)
      • Copy to <ARST>/current/user/agent/flexagent/syslog/
      • nam.subagent.sdkrfilereader.properties
      • nam-results.sdkkeyvaluefilereader.properties
    • Fields
      • deviceVendor=MicroFocus
      • deviceProduct=Access Manager
      • deviceProcessName=appName
      • deviceReceiptTime=timeStamp
      • destinationHostName=subTarget
      • name=description / Description
      • message=message / Message
      • deviceFacility=originator / Originator
      • deviceEventClassId=eventId
      • deviceCustomString1=stringValue1
      • deviceCustomString2=stringValue2
      • deviceCustomString3=stringValue3
      • deviceCustomString4=component / Component
      • deviceCustomString5=target / Target
      • deviceCustomString6=data / Data
      • deviceCustomNumber1=numericValue1
      • deviceCustomNumber2=numericValue2
      • deviceCustomNumber3=numericValue3
  • ArcSight Logger Only
    • NOTES
      • No Connector / Parser
      • Raw JSON events
    • Configuration > Receivers > Add
    • TCP Receiver
    • TCP 1468
    • Example Queries
      • receiver = "NAM" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":(?<stringValue1>.*?)\,\"stringValue2\":(?<stringValue2>.*?)\,\"stringValue3\":(?<stringValue3>.*?)\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,(?<CATCHALL>.*?)\}"
      • receiver = "NAM"  and NOT "002E0601" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":\"(?<stringValue1>.*?)\"\,\"stringValue2\":\"(?<stringValue2>.*?)\"\,\"stringValue3\":\"(?<stringValue3>.*?)\"\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,\"description\":\"(?<description>.*?)\"\,\"message\":\".*?AMDEVICEID#.*?:\s*(?<message>.*?)\".*?\}" | top eventId stringValue1 stringValue2 stringValue3 message
      • (receiver = "NAM" ) and "NIDS:" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":(?<stringValue1>.*?)\,\"stringValue2\":(?<stringValue2>.*?)\,\"stringValue3\":(?<stringValue3>.*?)\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,\"description\":\"(?<description>.*?)\"\,\"message\":\".*?AMDEVICEID#.*?:\s*(?<message>.*?)\".*?\}" | top eventId description stringValue1 stringValue2 stringValue3 message
      • (receiver = "NAM" ) and NOT "NIDS:" and NOT "002E0601" | rex "<\d+>(\w+\s*\d+\s*\d+:\d+:\d+)\s*(?<DeviceHost>\S+)\s*\{\"appName\":\"(?<appName>.*?)\"\,.*?\"eventId\":\"(?<eventId>.*?)\"\,\"subTarget\":(?<subTarget>.*?)\,\"stringValue1\":(?<stringValue1>.*?)\,\"stringValue2\":(?<stringValue2>.*?)\,\"stringValue3\":(?<stringValue3>.*?)\,\"numericValue1\":(?<numericValue1>.*?)\,\"numericValue2\":(?<numericValue2>.*?)\,\"numericValue3\":(?<numericValue3>.*?)\,\"description\":\"(?<description>.*?)\"\,\"message\":\".*?AMDEVICEID#.*?:\s*(?<message>.*?)\".*?\}" | top eventId description stringValue1 stringValue2 stringValue3 message
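The field list above describes how the unofficial parser maps NAM's JSON audit fields onto CEF, and the Logger queries show the same raw syslog/JSON shape being pulled apart with a regex (including the `AMDEVICEID#...:` prefix being stripped from `message`, and the noisy event ids being excluded). The following Python script is an added example, not code from the post or from Micro Focus: it reads constructed NAM-style syslog lines, parses the JSON payload with a real JSON parser rather than a regex, drops the noisy event ids named above, strips the device prefix from the message, and emits CEF lines using the field mapping from the post. The sample values, the `EXAMPLE01` event id, the CEF severity of 3 and the use of the syslog host as `dvchost` are assumptions made for the example; the key names and the two excluded event ids come from the post.

```python
import json
import re

# Constructed sample events in the shape the Logger queries above imply:
# syslog PRI, timestamp, host, then a JSON object. Key names come from the
# post's field list; values and the "EXAMPLE01" event id are made up here.
SAMPLE_LINES = [
    '<14>Mar 10 09:15:02 nam-idp1 {"appName":"IDP","timeStamp":"2019-03-10T09:15:02Z",'
    '"eventId":"EXAMPLE01","subTarget":"cn=alice,o=example","stringValue1":"alice",'
    '"stringValue2":"10.0.0.5","stringValue3":"","numericValue1":1,"numericValue2":0,'
    '"numericValue3":0,"description":"Constructed sample event",'
    '"message":"AMDEVICEID#idp-example: user=alice authenticated",'
    '"originator":"IDP","component":"NIDS","target":"example","data":""}',
    # 002E0606 is the "Server Statistics" event the post calls noisy.
    '<14>Mar 10 09:15:05 nam-ag1 {"appName":"AG","timeStamp":"2019-03-10T09:15:05Z",'
    '"eventId":"002E0606","subTarget":"","stringValue1":"","stringValue2":"",'
    '"stringValue3":"","numericValue1":42,"numericValue2":0,"numericValue3":0,'
    '"description":"Server Statistics","message":"AMDEVICEID#ag-example: stats",'
    '"originator":"AG","component":"ESP","target":"","data":""}',
    # 002E0601 is excluded by the post's Logger queries (NOT "002E0601").
    '<14>Mar 10 09:15:07 nam-idp1 {"appName":"IDP","timeStamp":"2019-03-10T09:15:07Z",'
    '"eventId":"002E0601","subTarget":"","stringValue1":"","stringValue2":"",'
    '"stringValue3":"","numericValue1":0,"numericValue2":0,"numericValue3":0,'
    '"description":"Excluded by query","message":"AMDEVICEID#idp-example: skip",'
    '"originator":"IDP","component":"NIDS","target":"","data":""}',
]

# Same header shape as the post's rex: <PRI>Mon DD HH:MM:SS host {json}
SYSLOG_RE = re.compile(r"^<\d+>(\w+\s+\d+\s+\d+:\d+:\d+)\s+(\S+)\s+(\{.*\})\s*$")
# Mirrors the query's "message":".*?AMDEVICEID#.*?:\s*(?<message>.*?)" capture.
DEVICE_PREFIX_RE = re.compile(r"^.*?AMDEVICEID#[^:]*:\s*", re.S)

# Event ids the post excludes (upper-cased for a case-insensitive compare).
NOISY_EVENT_IDS = {"002E0606", "002E0601"}
DEVICE_VERSION = "4.5"  # from the post's title (NAM 4.5)
DEFAULT_SEVERITY = 3    # assumption: the post does not define a CEF severity

# Field mapping from the post: JSON key -> CEF custom string / number key.
CUSTOM_STRINGS = [("stringValue1", "cs1"), ("stringValue2", "cs2"), ("stringValue3", "cs3"),
                  ("component", "cs4"), ("target", "cs5"), ("data", "cs6")]
CUSTOM_NUMBERS = [("numericValue1", "cn1"), ("numericValue2", "cn2"), ("numericValue3", "cn3")]


def parse_syslog_json(line):
    """Split a NAM syslog line into (host, parsed JSON event)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a NAM syslog/JSON line: %r" % line[:60])
    _timestamp, host, payload = m.groups()
    return host, json.loads(payload)  # real JSON parser instead of a fragile regex


def is_noise(event):
    """True for the event ids the post filters out."""
    return str(event.get("eventId", "")).upper() in NOISY_EVENT_IDS


def strip_device_prefix(message):
    """Drop the leading 'AMDEVICEID#<id>:' the queries skip over; leave other text alone."""
    return DEVICE_PREFIX_RE.sub("", message, count=1)


def cef_escape(value, header=False):
    """CEF escaping: backslash always; '|' in header fields, '=' and newlines in extensions."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def to_cef(host, event, severity=DEFAULT_SEVERITY):
    """Build one CEF line using the post's mapping (vendor, product, eventId -> signature, description -> name)."""
    header = ["CEF:0", "MicroFocus", "Access Manager", DEVICE_VERSION,
              cef_escape(event.get("eventId", ""), header=True),
              cef_escape(event.get("description", ""), header=True), str(severity)]
    ext = {
        "dvchost": host,                          # assumption: syslog host as device host
        "dproc": event.get("appName"),            # deviceProcessName=appName
        "rt": event.get("timeStamp"),             # deviceReceiptTime=timeStamp (passed through as-is)
        "dhost": event.get("subTarget"),          # destinationHostName=subTarget
        "deviceFacility": event.get("originator"),  # deviceFacility=originator
        "msg": strip_device_prefix(event.get("message", "")),
    }
    for src, key in CUSTOM_STRINGS:
        if event.get(src) not in (None, ""):
            ext[key], ext[key + "Label"] = event[src], src
    for src, key in CUSTOM_NUMBERS:
        if event.get(src) is not None:            # 0 is a meaningful number, keep it
            ext[key], ext[key + "Label"] = event[src], src
    pairs = " ".join("%s=%s" % (k, cef_escape(v)) for k, v in ext.items() if v not in (None, ""))
    return "|".join(header) + "|" + pairs


def convert_lines(lines):
    """Parse, filter noise, and convert a batch of syslog lines to CEF."""
    out = []
    for line in lines:
        host, event = parse_syslog_json(line)
        if not is_noise(event):
            out.append(to_cef(host, event))
    return out


if __name__ == "__main__":
    for cef in convert_lines(SAMPLE_LINES):
        print(cef)
```

Parsing the payload with `json.loads` avoids the brittleness of the positional `rex` patterns above, which break as soon as NAM emits the keys in a different order or a value contains a quoted comma; the noise filter applies the same two exclusions the post's queries use.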