This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
sahaya
Commodore Commodore
Commodore
‎2014-03-17 15:12
797 views

CEF Folder Follower

Hi,

Can anyone help me out on how to create a CEF Folder Follower Connector ?

Thanks,
Sahaya

Labels (1)
Labels
0 Likes
Reply
Report Inappropriate Content
14 Replies
sparky1
Absent Member.
Absent Member.
‎2014-03-17 19:24

Ask support for the CEF parser, then create a folder follower flex connector using the CEF parser.

0 Likes
Reply
Report Inappropriate Content
sahaya
Commodore Commodore
Commodore
‎2014-03-18 07:14

Hi,

I tried that as well. but these will not be any regex defined in the cef parser and  hence the flex regex folder follower is not parsing the logs.

Rgds,
Sahaya

0 Likes
Reply
Report Inappropriate Content
eugene.rostofsk1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2014-03-18 11:15

Hi,

Use "ArcSight FlexConnector Multiple Folder File" connector. Configure  the folder of interest or folders, processing mode (batch  or realtime), under configuration file enter "cef_syslog" (provided that support gave you cef_syslog.sdkkeyvaluefilereader.properties file and you put it to current\user\agent\flexagent directory), configuration type - sdkkeyvaluefilereader.

HTH

0 Likes
Reply
Report Inappropriate Content
bkilroe
Commodore
Commodore
‎2014-03-23 20:52

You don't need to request the parser from support.

Configure it exactly as Ihar has said above except under the Configuration File just refer it to the normal parser by entering "cef_syslog/cef_syslog"  and use sdkkeyvaluefilereader configuration type.

If you have configured it correctly you should see a similar entry in the agent.log

[2014-03-23 20:38:59,839][INFO ][default.com.arcsight.agent.pe.g][getInputStream] Resource [cef_syslog/cef_syslog.sdkkeyvaluefilereader.properties] found in [C:\ArcSight\6.0.7.6901.0\current\system\agent\fcp\arcsightagents.aup|cef_syslog/cef_syslog.sdkkeyvaluefilereader.properties.arc]

0 Likes
Reply
Report Inappropriate Content
sahaya
Commodore Commodore
Commodore
‎2014-03-24 10:59

Hi,

Thanks for the answer. However, below is what is see

[2014-03-24 11:50:48,879][INFO ][default.com.arcsight.agent.pe.g][getInputStream] Resource [cef_syslog/cef_syslog.sdkkeyvaluefilereader.properties] found in [D:\SIEM_Connectors\multiple files\current\system\agent\fcp\arcsightagents.aup|cef_syslog/cef_syslog.sdkkeyvaluefilereader.properties.arc]

[2014-03-24 11:50:48,879][INFO ][default.com.arcsight.common.config.AgentPropertiesFileConfiguration][loadDefaultProperties] customInitialization() - read default properties from [cef_syslog/cef_syslog.sdkkeyvaluefilereader.properties].

[2014-03-24 11:50:48,895][INFO ][default.com.arcsight.agent.pe.g][getInputStream] Resource [cef_syslog/cef_syslog.sdkkeyvaluefilereader.properties] not found (AUP file ignored)

0 Likes
Reply
Report Inappropriate Content
thoman
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2014-03-24 11:15

Select ArcSight FlexConnector Multiple Folder File and click Next.

Enter the device details and click Next.

   

Parameter

Description

Folder

The absolute path of the directory where log files for the

FlexConnector are located. For example:

C:\CEF_Folders\

Processing

Mode

If the files in the folder are not being written to in real time and are

complete, select batch.

If the files are open and new log lines are being added to them,

select realtime.

Configuration

File

The base name of the configuration file that describes the format of the log file. Enter cef_file

Configuration

Type

The file is a CEF-format log file, select cef.

 

0 Likes
Reply
Report Inappropriate Content
sahaya
Commodore Commodore
Commodore
‎2014-03-24 14:57

Hi,

the extension part of the CEF file is getting parsed, but not the Header Part.

There is no mapping for the header fields in the parser, however there is a line that says ( Header automatically parsered by CEF Parser)

Please Assist

~Sahaya

0 Likes
Reply
Report Inappropriate Content
thoman
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2014-03-25 02:23

Please give us some example of your CEF events.

0 Likes
Reply
Report Inappropriate Content
sahaya
Commodore Commodore
Commodore
‎2014-03-25 07:22

Hi,

Sample Logs Below

CEF:0|a.b|hostname|R1|AUTHN_SUCCESS|Authentication successful|1|cs1=abc-ght-098 start=2014-03-20 08:40:11.333 cs2=BR:BRM src=1.2.3.4 cs4=11B6622C-0BB0-E311-A6D1-00505684015B duid=abcdef duser=1hdi5479j cs3=User:q063hjB msg=User:Id:32114,InstanceType:Id:42eed532-0fa4-e311-80c1-00505684015b

CEF:0|a.b|hostname|R1|AUTHN_SUCCESS|Authentication successful|1|cs1=8D2C8A4B-0BB0 start=2014-03-20 08:40:32.528 cs2=ZM:ZMAG1 src=1.6.1.1 cs4=C234BD07-0BB0 duid=BRAHAJ duser=80C1-00505684015B:abc:Braham cs3=User:3D851146-0FA4-E31 msg=User:Id:3d851146,InstanceType:Id:44eed532-0fa4-e311-80c1-00505684015b, Code:LCL

0 Likes
Reply
Report Inappropriate Content
thoman
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2014-03-26 11:30

I do not face issue on my lab, can you try using CEF File Connector to read the same file? Please also try the latest connector version.

0 Likes
Reply
Report Inappropriate Content
sahaya
Commodore Commodore
Commodore
‎2014-03-27 14:24

Hi,

It works for me now. but i do not get the milli seconds in the time. i doubt that the time stamp itself is not getting parsed

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.