CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

Hi all, I ran into a problem while getting logs from Forcepoint ("security events") from a Syslog daemon connector.

The problem is that the device is sending the epoch time in seconds in the rt field, and then the End Time is shown as the date "End Time: 19 Jan 1970 09:19:46 IST" in all the logs.

I tried to use additional regex parsing but it doesn't work.

<159>Feb 13 10:34:37 10.113.0.33 CEF:0|Forcepoint|Security|

rt=1581582877

SmartConnector version is ArcSight 7.14.

Any suggestions?


Accepted Solutions

Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

Are you looking for an ArcSight Operation that converts an Epoch TimeStamp (of seconds, not milliseconds) to the ArcSight time format? Try this one:

__createLocalTimeStampFromSecondsSinceEpoch()


Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

You can configure the format of the log on ForcePoint (at least for the web/email security gateways). You need to add "000" to the timestamp if I remember correctly. 


Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

I can't reach the device itself at this moment; I want to solve this on the connector side.


Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

The problem is that the epoch time has already been parsed by the generic syslog CEF parser. I don't think it will convert this "19 Jan 1970 09:19:46 IST" to the right date, correct me if I'm wrong.

Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

... well, I'm afraid you're right. The ArcSight function __createLocalTimeStampFromXYZ cannot help you with the CEF SmartConnector. Apart from what mr_ergene recommended (that's certainly the best solution), I can imagine two alternatives:

  1. Create your own FlexConnector and use the corresponding ArcSight function __createLocalTimeStampFromXYZ to convert the epoch timestamp.
  2. Configure the existing syslog daemon [or put an additional 'syslog hub' between the log source and the syslog CEF SmartConnector] to manipulate the timestamp. As far as I know rsyslogd and syslog-ng have some parsing capabilities.

But to be honest, both alternatives are annoying work. Getting access to the log source is certainly easier!


Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

Thanks for the reply. I just want to ask you if you know of a way to get the raw data unparsed before the generic CEF parser takes it; I just need that specific field to be unparsed. The CEF generic parser works fine on all other fields. Maybe I'll try an additional regex parser on a syslog-ng connector with Sourcefield=rawEvent and then I'll see if it's getting the epoch out of it.

Re: CEF Syslog Unix Epoch Parsing ESM (ForcePoint)

I was able to resolve the problem with event.endTime=__createLocalTimeStampFromSecondsSinceEpoch. I figured out that the timestamp on endTime is really in epoch format even if it is shown as type TimeStamp. I'll be happy to share the parser if someone needs it. Thanks to everyone for the help :)
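An added example (not from this thread, nor ArcSight or Forcepoint code) showing why the raw rt value in the original question ends up as a January 1970 date, and what the seconds-since-epoch conversion from the resolution post has to do: CEF defines rt/end as milliseconds since the epoch, so a seconds value is read as milliseconds. The CEF header fields after "Security|" and the extra extension keys in the sample event are constructed; the threshold used to tell seconds from milliseconds is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample event, modelled on the line quoted in the question:
# the device writes Unix epoch *seconds* into the CEF rt field.
SAMPLE_EVENT = (
    "<159>Feb 13 10:34:37 10.113.0.33 CEF:0|Forcepoint|Security|x.x|1|"
    "Security event|5|rt=1581582877 src=10.0.0.5 act=blocked"
)

# CEF specifies rt and end as milliseconds since epoch. Any value below
# 1e11 would be a date before 1973 if read as milliseconds, so (assumption)
# treat such small values as seconds instead.
MS_THRESHOLD = 10**11


def parse_cef_extensions(line: str) -> dict:
    """Return the key=value pairs from the CEF extension (after the 7th pipe)."""
    _, _, cef = line.partition("CEF:")
    parts = cef.split("|", 7)
    if len(parts) < 8:
        raise ValueError("not a complete CEF record")
    # a value runs up to the next ' key=' token or the end of the line
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}


def epoch_to_ms(value: str) -> int:
    """Normalise an epoch value to milliseconds, whether it came as s or ms."""
    n = int(value)
    return n * 1000 if n < MS_THRESHOLD else n


def naive_end_time(value: str) -> datetime:
    """What a parser that assumes milliseconds makes of the raw rt value."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def corrected_end_time(value: str) -> datetime:
    """End time after normalising the unit, i.e. seconds-since-epoch handling."""
    return datetime.fromtimestamp(epoch_to_ms(value) / 1000, tz=timezone.utc)


if __name__ == "__main__":
    rt = parse_cef_extensions(SAMPLE_EVENT)["rt"]
    print("raw rt       :", rt)
    print("as ms (bug)  :", naive_end_time(rt).isoformat())      # 1970-01-19...
    print("as s (fixed) :", corrected_end_time(rt).isoformat())  # 2020-02-13...
```

The "fixed" value lands on 2020-02-13 08:34:37 UTC, which matches the syslog header time of 10:34:37 in a UTC+2 zone such as IST.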