ArcSight SmartConnector Parser Build 126.96.36.19919 is now available
Note about SmartConnector Releases
To support newer device versions and to fix parsing issues more rapidly, as of release v7.3.0, the connector framework and connector parser updates are delivered as separate releases. The connector parser update builds will be released monthly on ArcSight Marketplace, whilst enhancements to the connector framework (including the latest parser updates) are released on a three-monthly cycle and are available as usual on the SSO Portal.
You can download parser releases to your workstation to be applied on standalone connectors, or for ease of upgrade and integration, starting with ArcSight Management Center (ArcMC) version 2.5, you can use ArcMC to retrieve parser releases directly from ArcSight Marketplace for locally/remotely managed connectors.
NB: Users of ArcMC pre v2.5 and all versions of ConnApp will need to upgrade to ArcMC v2.5 or later to benefit from the streamlined Parser Update deployment method described above.
Each connector parser release is supported and certified with the most recent connector framework release, thus:
- 7.5.1 and 7.5.2 Connector Parser builds will be supported and certified on the 7.5.0 Connector Framework
- 7.6.1 Connector Parser builds will be supported and certified on the 7.6.0 Connector Framework
And so on.
Parser enhancements have been made for the following connectors:
- Cisco IOS Syslog
- Citrix NetScaler Syslog
- HPE Operations Manager I Web Services
- HPE ProCurve Syslog
- HPE UX Syslog
- Linux Audit Syslog
New Device, Component, or OS Version Support
- Barracuda Email Security Gateway Syslog (formerly Barracuda Networks Spam Firewall NG Syslog) 8.0
- Cisco IronPort Email Security Appliance File 10.0
- Cisco IronPort Email Security Appliance Syslog 10.0
- McAfee ePolicy Orchestrator DB DLP 10.0 with ePO 5.3
- Rapid7 NeXpose XML File 6.3
Check Point OPSEC NG
Check Point has updated their servers to be able to use SHA-256 certificates. A newer LEA client is needed to support these SHA-256 certificates. Because the SmartConnector for Check Point OPSEC NG does not use this new LEA client, the connector can no longer connect to collect events. The recommendation is to use the SmartConnector for Check Point Syslog to collect Check Point events. Note that the R77.30 Add-On on the Security Management Server or Multi-Domain Server is required for syslog event collection (see sk105412 at: http://supportcontent.checkpoint.com/solutions?id=sk105412).
There are many more parsing issues fixed and enhancements delivered with this release. Please read the SmartConnector Release Notes 188.8.131.5219 for additional information.
The SmartConnector datasheet listing the SmartConnectors can be downloaded here.
Verify that you have a SmartConnector license before installing these connectors. The SmartConnector license entitlement is included within ADP, or else bundled with ESM or Logger if you have not yet migrated to the ADP licensing model.
You can find documentation and release notes on Protect 724 here.
If you have any questions, please contact Customer Support at: https://softwaresupport.hp.com/.
HPE Security ArcSight SmartConnector Product Team
Re: ArcSight SmartConnector Parser Build 184.108.40.20619 is now available
Hello Protect724, Hello ArcSight,
Seems the introduction of "IPv6 support" in SC version 7.4.0 added some issues to the SC.
Some old methods that tend to have some undocumented features (i.e. long to IPv4 without using any __<function>) seem to be gone. ( https://community.saas.hpe.com/t5/ArcSight-Questions/Check-Point-OPSEC-NG-connector-parsing-errors/qaq-p/1519247#M58388 )
So I can only advise everybody to check their agent.logs for any kind of parsing errors.
The Checkpoint SC for example does not create events (so they are not shipped to logger / esm) if the field "Destination Translated Address" is present.
Happy searching (sadly no easter eggs)!