aquillius.t@net Super Contributor.

Arbor parsing issue


Hi,

We have created a syslog connector for Arbor and we receive the logs, but the source address and destination address with their ports are not showing in their own fields. They can be seen in the Message field though. Is there a way that I could map the Message field to the source and destination address fields, as well as filter to have the right info?

 

Thanks!

Aqui

Accepted Solutions

aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Zko,

I have managed to resolve the issue. Below are the steps that I did:

1. edited the agent.properties file and made the customsubagentlist = true.

2. renamed the sdk file to arbor_aps.subagent.sdkrfilereader.properties

3. restarted the smartconnector

Kudos to you! Thank you very much!

Regards,

Aqui

Marijo Mandic Acclaimed Contributor.

Re: Arbor parsing issue


Hello,

1) SmartConnector for Arbor Networks Peakflow Syslog:
https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Arbor-Networks-Peakflow-Syslog/ta-p/1588601?nm

Note: Arbor Networks Peakflow SP 5.0, 5.5, 5.6, 5.7, 6.0, and 7.5 are supported.

2) Please confirm that you are on a supported version of the product, because if you are not then parsing issues are expected.

3) If you are on a supported version, please create a Service Request; if the issue is replicated using a sample event, then a Parsing BUG can be created with Developers to fix the issue in upcoming parser updates.

4) Please prepare the following for the Service Request:
a) SmartConnector logs:
<connector_home>/current/logs
<connector_home>/current/user/agent
b) SmartConnector host OS
c) Arbor version
d) Export from ESM Active Channel while RAW event is enabled (export with all columns):
https://softwaresupport.softwaregrp.com/km/KM1270081

Regards,

Marijo

aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Marijo,

The Arbor version is 5.11.0. Does it mean that this is not supported? 

If not supported, then how can I resolve the parsing issues?

Thanks,

Aqui

Marijo Mandic Acclaimed Contributor.

Re: Arbor parsing issue


Hello Aqui,

1) If the product is not supported Out-Of-The-Box, it usually means that the regex will not match the event correctly and therefore parsing will be wrong or will not work at all.
2) Your options are the following:
a) Upgrade Arbor to a version that is supported Out-Of-The-Box
- you can upgrade Arbor to a version that is supported by the SmartConnector and then see if you still have the parsing issue
- if you still have the parsing issue then this would qualify as a Parsing BUG and can be reported via a Service Request to be fixed in future parser updates
b) Create a Service Request and request a Feature Request for support of your specific Arbor version
- there is no ETA for this
- there is no guarantee that this will be supported
- also, higher versions are supported, which decreases the chances of a backward-compatibility import
c) Make your own parser using the FlexConnector guide:
- ArcSight FlexConnector Developer's Guide
https://community.softwaregrp.com/t5/ArcSight-Connectors/HPE-ArcSight-FlexConnector-Developer-s-Guide/ta-p/1584874?nm

Regards,

Marijo

aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Marijo,

I missed a very important piece of info. The Arbor that we have is Arbor Pravail System, not Peakflow. But the logs on ArcSight show it as Peakflow. I think there's really a problem with the parsing in ArcSight.

Does ArcSight support Arbor Pravail System, particularly version 5.11.0?

Thanks,

Aqui

Marijo Mandic Acclaimed Contributor.

Re: Arbor parsing issue


Hello Aqui,

I am not an Arbor product expert and therefore will not be able to answer your question.

What you can do is make an inquiry with Arbor support and ask:
a) What is the difference between Arbor Networks Peakflow and Arbor Pravail System?
b) Are the Syslog events in the same format? (The SmartConnector works on a regex basis, so it matches events; if the events are in the same format it would not really matter what the source is.)

Regards,

Marijo

aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Marijo,

I have read some pages regarding issues encountered and it seems like ArcSight doesn't support Arbor Pravail System. I need to make a FlexConnector in order to solve the parsing issue.

Thanks for your help anyway!

Cheers,

Aqui

Marijo Mandic Acclaimed Contributor.

Re: Arbor parsing issue


Hello Aqui,

Thank you for the follow-up; I am glad that you managed to clarify the issue.

Regards,

Marijo

zko Regular Contributor.

Re: Arbor parsing issue


This is a custom one (tested on earlier versions, but it should basically work). Maybe you can expand it.

This is for the Arbor APS product.

Place it in $smartconnectorpath/current/user/agent/flexagent/syslog/ to use it and restart the connector (syslog daemon).
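The parser file attached to the post above is not reproduced on this page, and the real Arbor APS message format is not shown either. The following is an added example (not zko's file and not ArcSight's own code) that illustrates the mechanism the original question asks about: a regex with named tokens is matched against each syslog line and the tokens are mapped to ArcSight-style fields (sourceAddress, sourcePort, destinationAddress, destinationPort), which is what a FlexConnector regex parser does declaratively. The sample lines, the "Blocked host ... -> ..." payload layout and the field names are constructed assumptions for this example. It also shows the two failure modes a parser has to handle: a line whose header does not match at all, and a line that parses but carries no address tokens, which is the "data only in the Message field" symptom from the first post.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample lines in a hypothetical Arbor APS-style syslog format.
# The real APS message format is not shown in the thread; these are made up
# so the example runs offline.
SAMPLE_LINES = [
    "<134>Mar 10 12:00:01 aps01 arbor: Blocked host 10.1.2.3:51234 -> 192.0.2.10:443 (TCP SYN flood)",
    "<134>Mar 10 12:00:02 aps01 arbor: Blocked host 198.51.100.7:9999 -> 192.0.2.10:53 (DNS amplification)",
    "<134>Mar 10 12:00:03 aps01 arbor: Configuration changed by admin",
    "this is not a syslog line at all",
]

# Syslog header, then the free-text payload that ArcSight would otherwise
# leave in the Message field.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) arbor: (?P<msg>.*)$"
)

# Address/port tokens inside the payload; these play the role of the named
# tokens a FlexConnector regex parser extracts (assumed layout).
ADDR_RE = re.compile(
    r"Blocked host (?P<src>[\d.]+):(?P<spt>\d{1,5}) -> "
    r"(?P<dst>[\d.]+):(?P<dpt>\d{1,5})(?: \((?P<reason>[^)]*)\))?"
)

# Token -> ArcSight-style event field (field names follow ArcSight/CEF naming).
TOKEN_TO_FIELD = {
    "host": "deviceHostName",
    "src": "sourceAddress",
    "spt": "sourcePort",
    "dst": "destinationAddress",
    "dpt": "destinationPort",
    "reason": "name",
}


def _ip_or_none(text: Optional[str]) -> Optional[str]:
    """Keep only syntactically valid IP addresses; anything else stays empty."""
    if text is None:
        return None
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def _port_or_none(text: Optional[str]) -> Optional[int]:
    """Ports outside 0-65535 are treated as unparsed rather than stored as garbage."""
    if text is None:
        return None
    port = int(text)
    return port if 0 <= port <= 65535 else None


def parse_event(line: str) -> Dict[str, object]:
    """Map one syslog line to ArcSight-style fields.

    A line whose header does not match is returned with parsed=False and the
    raw line in 'message'. A line whose payload carries no address tokens
    keeps the payload in 'message' and leaves the address/port fields empty,
    which is the symptom described in the first post of the thread.
    """
    fields: Dict[str, object] = {name: None for name in TOKEN_TO_FIELD.values()}
    fields["message"] = line
    fields["parsed"] = False
    header = HEADER_RE.match(line)
    if not header:
        return fields
    fields["parsed"] = True
    fields["deviceHostName"] = header.group("host")
    fields["message"] = header.group("msg")
    addr = ADDR_RE.search(header.group("msg"))
    if not addr:
        return fields
    for token, field in TOKEN_TO_FIELD.items():
        if token != "host":
            fields[field] = addr.group(token)
    # Validate before the values reach address/port typed fields.
    fields["sourceAddress"] = _ip_or_none(fields["sourceAddress"])
    fields["destinationAddress"] = _ip_or_none(fields["destinationAddress"])
    fields["sourcePort"] = _port_or_none(fields["sourcePort"])
    fields["destinationPort"] = _port_or_none(fields["destinationPort"])
    return fields


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_event(sample))
```

When writing the real FlexConnector properties file, the same split applies: the regex must match the whole line or nothing is mapped, so a sample event exported with the raw event enabled (as Marijo suggests above) is the input to test the regex against before the file goes into the flexagent/syslog folder.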

aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Zkoletsis,

Thanks for this! May I just ask, did you make a FlexConnector for this? Or did you just insert the sdkfilereader in the folder path of the Syslog SmartConnector?

Thanks,

Aqui

zko Regular Contributor.

Re: Arbor parsing issue


Hi

No, just this file. You do not need anything else.

aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Zko,

Do you have other devices that are sending logs to your Syslog connector? (Example: Juniper, Cisco, F5) Will the sdkfilereader affect the parser of the other devices?

Thanks,

Aqui

zko Regular Contributor.

Re: Arbor parsing issue


For this specific SmartConnector no, it is dedicated to Arbor. But it should work OK if it does not match anything else.

You might want to edit your $smartconnector/current/user/agent/agent.properties to change the subagent list. Below I have put the flexagent_syslog parser in front. You might add the rest of the parsers you use to reflect your deployment/environment.

agents[0].customsubagentlist=flexagent_syslog|generic_syslog

The default line is:

agents[0].customsubagentlist=ciscopix_syslog|netscreen_syslog|cyberguard_syslog|niksun_syslog|sourcefire_syslog|intrushield_syslog|ciscovpnios_syslog|sonicwall_syslog|apache_syslog|netscreen_idp_syslog|ciscovpnnoios_syslog|attackmitigator_syslog|rsaace_syslog|ciscoaironet_syslog|ciscoworks_syslog|ciscorouter_syslog|nortelvpn_syslog|pf_syslog|coreguard_syslog|watchguard_syslog|fortigate_syslog|peakflow_syslog|honeyd_syslog|neoteris_syslog|prosafe_syslog|trushield_syslog|alcatel_syslog|extreme_syslog|tippingpoint_syslog|nokiasecurityplatform_syslog|whatsup_syslog|airdefense_syslog|stealthwatch_syslog|nagios_syslog|netcontinuum_syslog|cef_syslog|tlattackmitigator_ng_syslog|airmagnet_enterprise_syslog|manhunt_syslog|m40e_aspic_syslog|ironmail_syslog|ciscorouter_nonios_syslog|ingrian_syslog|nitrosecurity_syslog|junipernetscreenvpn_syslog|catos_syslog|ipolicy_syslog|symantecnetworksecurity_syslog|bigiron_syslog|type80_syslog|miragecounterpoint_syslog|newbury_syslog|packetalarm_syslog|cyberguard6_syslog|neowatcher_syslog|netkeeper_syslog|snare_syslog|ntsyslog_syslog|f5bigip_syslog|sms_syslog|ciscocss_syslog|barracuda_spamfw_syslog|radware_defensepro_syslog|barracuda_spamfw_ng_syslog|bluecoatsg_syslog|peakflowx_syslog|aruba_syslog|mcafeesig_syslog|stonegate_syslog|ciscosecureacs_syslog|tripwire_enterprise_7_7_syslog|tripwire_enterprise_syslog|datagram_iis_syslog|oracle_audit_syslog|sms7x_syslog|messagegate_syslog|cyberguard52_syslog|symantecendpointprotection_syslog|cisco_mse|junipernetscreenvpn_6x_syslog|netscreen_idp5_syslog|bsm_syslog|junipernetscreenvpn_keyvalue_syslog|citrix_syslog|linux_auditd_syslog|netappfiler_syslog|vmwareesx_syslog|ciscoise_monitoringaudit_syslog|junos_syslog|junos_sdsyslog|type80v3_syslog|vormetricdatasecurity_syslog|citrixnetscaler_syslog|tippingpoint_sms_2_5_syslog|tippingpoint_sms_audit_syslog|tippingpoint_device_audit_syslog|vmwareesx_4_1_syslog|infobloxnios_syslog|proofpoint_syslog|cisco_nxos_syslog|ciscoise_syslog|hpprinter_syslog|hp_c7000_syslog|ciscoairspace76_syslog|pulseconnectsecure_syslog|pulseconnectsecure_keyvalue_syslog|ironport_syslog|sidewinder_syslog|gauntlet_syslog|flexagent_syslog|sendmail_syslog|nsm_syslog|nsm2009_syslog|ciscosecureacs51_syslog|hph3c_syslog|hpprocurve_syslog|hp_ux_syslog|checkpoint_syslog|generic_syslog|ciscoairspace_syslog

 

Regards

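The post above, together with the accepted solution, amounts to a small agent.properties edit: turn the custom subagent list on, and move flexagent_syslog ahead of the built-in parsers while keeping the ones your other devices (Juniper, Cisco, F5 in the later question) still need. The following added example, not part of the thread or of ArcSight, does that edit as a reviewable text transformation rather than by hand. It assumes that the on/off switch the accepted solution calls "customsubagentlist = true" is the key agents[0].usecustomsubagentlist (an assumption; check the key name in your own agent.properties), and the sample file contents are constructed, with the parser list shortened from the default line quoted above.

```python
from typing import Iterable, List, Tuple

# Constructed excerpt of an agent.properties file for a syslog SmartConnector.
# The customsubagentlist value is a shortened version of the default line
# quoted in the thread. The usecustomsubagentlist key is assumed to be the
# switch the accepted solution refers to as "customsubagentlist = true".
SAMPLE_PROPERTIES = """\
agents[0].type=syslog
agents[0].usecustomsubagentlist=false
agents[0].customsubagentlist=ciscopix_syslog|netscreen_syslog|peakflow_syslog|flexagent_syslog|generic_syslog
"""

KEY_USE_LIST = "agents[0].usecustomsubagentlist"  # assumed key name
KEY_LIST = "agents[0].customsubagentlist"


def parse_subagent_list(value: str) -> List[str]:
    """Split the pipe-separated parser list, ignoring empty entries."""
    return [p.strip() for p in value.split("|") if p.strip()]


def promote(parsers: Iterable[str], first: Iterable[str]) -> List[str]:
    """Return `first` followed by the remaining parsers in their original order.

    Duplicates are dropped, so a parser that is promoted and already present
    appears once. The thread treats list order as priority (zko "put in front"
    the flexagent_syslog parser), so the FlexConnector parser goes before any
    built-in parser that might otherwise claim the Arbor events.
    """
    ordered: List[str] = []
    seen = set()
    for parser in list(first) + list(parsers):
        if parser not in seen:
            seen.add(parser)
            ordered.append(parser)
    return ordered


def rewrite_properties(text: str, first: Tuple[str, ...] = ("flexagent_syslog",)) -> str:
    """Enable the custom subagent list and move `first` to the front of it.

    Every other line is passed through untouched, so the result can be diffed
    against the original before the connector is restarted. If either key is
    missing it is appended.
    """
    out: List[str] = []
    saw_use = saw_list = False
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key == KEY_LIST:
            out.append(f"{KEY_LIST}=" + "|".join(promote(parse_subagent_list(value), first)))
            saw_list = True
        elif sep and key == KEY_USE_LIST:
            out.append(f"{KEY_USE_LIST}=true")
            saw_use = True
        else:
            out.append(line)
    if not saw_use:
        out.append(f"{KEY_USE_LIST}=true")
    if not saw_list:
        out.append(f"{KEY_LIST}=" + "|".join(first))
    return "\n".join(out) + "\n"


def subagent_order(text: str) -> List[str]:
    """Read back the parser order from a properties text (used for checking)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY_LIST:
            return parse_subagent_list(value)
    return []


if __name__ == "__main__":
    print(rewrite_properties(SAMPLE_PROPERTIES), end="")
```

The default promotes only flexagent_syslog; generic_syslog is left where the default line has it, near the end, since a parser that accepts anything should be tried after the device-specific ones. Passing first=("flexagent_syslog", "generic_syslog") reproduces the two-entry list from the post above, which is fine for a connector dedicated to Arbor but drops the other devices' parsers.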
aquillius.t@net Super Contributor.

Re: Arbor parsing issue


Hi Zko,

I have followed the steps you've suggested:

1. Pasted the arbor_aps.sdkfilereader.properties to $smartconnector/current/user/agent/flexagent/syslog

2. Edited the agent.properties file and put flexagent_syslog and generic_syslog at the front as shown below:

agents[0].customsubagentlist=flexagent_syslog|generic_syslog

But I'm still receiving the same parsing error. Did I miss something?

Your help is very much appreciated! 

Thanks,

Aqui
