Artem Frequent Contributor.

ArcSight cuts off some of the values in the fields

Hello!

I have some problems with ArcSight ESM.

ArcSight cuts off some of the values in the fields. But this does not happen all the time. The conversation will be only in the context of a single source of events.

For example.

First event --> DeviceProduct:ASA, DeviceVendor:CISCO, OriginalAgentType:SYSLOG - It's OK

Second Event --> DeviceProduct:ASA, DeviceVendor:CISCO, OriginalAgentType:SYSL - Not OK

Third Event --> DeviceProduct:ASA, DeviceVendor:CISCO, OriginalAgentType:SYSLO - Not OK

OR

First event --> DeviceProduct:Microsoft Windows, DeviceVendor:Microsoft, OriginalAgentType:WINC - It's OK

Second Event --> DeviceProduct:Microsoft Windo, DeviceVendor:Microsoft, OriginalAgentType:WINC - Not OK

Third Event --> DeviceProduct:Microsoft Windows, DeviceVendor:Microsoft, OriginalAgentType:WI - Not OK

Cases are sporadic, but permanent. This makes it difficult to implement some cases. If you have any ideas how to solve my problem, I will be very grateful.

Thank you!

P.S. Sorry for my bad English)

Micro Focus Expert

Re: ArcSight cuts off some of the values in the fields

Are these events coming directly from a supported product with its related connector, or maybe the product is already sending them in CEF format? If so, are there any custom subparsers or mapping files created?

If neither, I am guessing this is a FlexConnector?

Is the removal of information in the actual RAW event received from the connector?

I would recommend starting with enabling raw events, find a working + a non-working event, and see if there is any difference. Might be some strange special characters that are not escaped, or a changed format. Even a single extra special character can mess around with the parsing as an example.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius
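
A sketch of the comparison suggested in the reply, as an added example that is not part of the original thread and not ArcSight code: it flags field values that are strict prefixes of a longer value seen from the same source, and lists control, format or non-ASCII characters in a raw event. The field values come from the question; the raw events and the function names are constructed for illustration.

```python
import unicodedata


def truncated_values(observed):
    """Map each value that is a strict prefix of a longer observed value
    to the longest such value (heuristic: a legitimate short value that
    happens to prefix another one is flagged too)."""
    distinct = {v for v in observed if v}
    flagged = {}
    for value in distinct:
        longer = [w for w in distinct if w != value and w.startswith(value)]
        if longer:
            flagged[value] = max(longer, key=len)
    return flagged


def suspicious_chars(raw):
    """Return (offset, name) for every control, format or non-ASCII
    character in a raw event; these are candidates for breaking a parser."""
    hits = []
    for offset, ch in enumerate(raw):
        if ord(ch) > 126 or unicodedata.category(ch).startswith("C"):
            hits.append((offset, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits


# Field values as reported in the question, one list per field and source.
AGENT_TYPES = ["SYSLOG", "SYSL", "SYSLO", "SYSLOG"]
PRODUCTS = ["Microsoft Windows", "Microsoft Windo", "Microsoft Windows"]

# Constructed raw events (not a real device format): one clean,
# one carrying an embedded NUL byte after the action field.
RAW_OK = "<134>fw01 action=permit src=10.0.0.5"
RAW_BAD = "<134>fw01 action=permit\x00 src=10.0.0.5"

if __name__ == "__main__":
    for name, values in (("agentType", AGENT_TYPES), ("deviceProduct", PRODUCTS)):
        for short, full in sorted(truncated_values(values).items()):
            print(f"{name}: {short!r} looks like a truncation of {full!r}")
    for label, raw in (("working", RAW_OK), ("non-working", RAW_BAD)):
        print(label, suspicious_chars(raw))
```

Run the prefix check per source and per field, since the same short value can be legitimate for a different device.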