sgurley1 Respected Contributor.

ArcMC Breach Rules not Parsed by ESM

We are running the software version of ArcMC 2.1 on RHEL.  We have installed a local syslog connector in order to forward ArcMC's events to our ESM instance.

I've noticed that the events coming through are the standard CPU, NETWORK, etc. events that you see from Logger and Connector Appliances, but it also sends the events when a Breach Rule fires (one of your managed hosts is non-responsive/down, etc.).

The Breach Rules are showing up completely unparsed (entire pipe-delimited message in the "name" field). The SmartConnector is version 7.1.6.

Has anyone else noticed that ArcSight doesn't parse their own events?  Does anyone have a fix outside of writing a flex-connector to parse these events so that they are useful in reporting/alerting?

lmcgintny1
Established Member.

Re: ArcMC Breach Rules not Parsed by ESM

I'm having a similar issue -- we're currently running SmartConnector 7.9.2. Looking at writing a flex connector parser for this but was hoping someone else may have already covered this to save some development time.

jklein Frequent Contributor.

Re: ArcMC Breach Rules not Parsed by ESM

Crazy this hasn't been fixed after years.  

I too have this problem on the latest version of ArcMC (v2.9) & SmartConnector (v7.11).  Any events generated by custom rules in ArcMC do not parse in ESM. 

Has anyone already created a custom parser that you'd be willing to share?
