This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
ftavares
Commodore Commodore
Commodore
‎2015-02-28 13:53
1368 views

Categorization not Working

Jump to solution

Hi all,

I have a Regex FlexConnector that is working as expected, expect the categorization file, that seems to be not recognized and has no effect in normalized events.

I have created my categorization file under the structure:

<ARCSIGHT HOME>/current/user/agent/acp/categorizer/current/<vendor>/<product>.csv

I have create <vendor> folder and <product>.csv file with recommendations "no space" and "lowercase", so, i guess that' OK.

Event that, when I start my agent I do not see in logs any mention saying that my categorization file was loaded or not and when I go to ESM, my events are there, but with no categorization.

Looking in Connector's LOG Files I just see this mention about categorizarion (as you guys see, nothing about my file):

[2015-02-28 09:58:30,705][INFO ][default.com.arcsight.agent.ag.ob$b_][getInputStream] Resource [arcsight/arcsight.csv] found in [/arcsight/ArcSightSmartConnectors/FlexTest/current/system/agent/acp/arcsightagents_2014-08-12-19-20-32_2.9.2.0.0-7.0.6.7232.0.aup|categorizer/current/arcsight/arcsight.csv.arc]


[2015-02-28 09:58:30,708][INFO ][default.com.arcsight.common.e.a][processSingleAlert] Succesfully loaded categorization file [arcsight/arcsight.csv]

I know that this proccess is very well documented but it looks that's something missing here. I am using Linux installation and my Connector is 7.0.5 version. I have installed another connector just for test, and I have same behavior.

Any Ideas??

Regards.

Labels (3)
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
ftavares
Commodore Commodore
Commodore
‎2015-03-05 12:19

Jump to solution

Hi Tammy,

thanks for your reply.

Actually, I've made it work. It was a permission problem at O.S. level. Something that I've noticed about logs and I want to share:

- If you look at agent.log, the categorization file will only be loaded when connectors get a "DeviceVendor/DeviceProduct" first event matching with its categorization files. So, you should test against real values otherwise it won't show if file was correctly loaded or not.

Thanks.

View solution in original post

0 Likes
Reply
Report Inappropriate Content
3 Replies
tammy.torbert@h1
Vice Admiral
Vice Admiral
‎2015-03-01 00:35

Jump to solution

Hi,

I'm assuming your flexconnector deviceVendor and deviceProduct are the same as your values for the categorization directory, except lowercase and using underscores (_) for spaces.

Does your categorization file have event.deviceEventClassId,set.event.<fieldname>... in it?  You may want to double check there's not a typo in your categorization file that is causing it to get ignored.

Tammy

0 Likes
Reply
Report Inappropriate Content
ftavares
Commodore Commodore
Commodore
‎2015-03-05 12:19

Jump to solution

Hi Tammy,

thanks for your reply.

Actually, I've made it work. It was a permission problem at O.S. level. Something that I've noticed about logs and I want to share:

- If you look at agent.log, the categorization file will only be loaded when connectors get a "DeviceVendor/DeviceProduct" first event matching with its categorization files. So, you should test against real values otherwise it won't show if file was correctly loaded or not.

Thanks.

View solution in original post

0 Likes
Reply
Report Inappropriate Content
emilian.darie1
Commander Commander
Commander
‎2015-08-20 19:40

Jump to solution

Hi man, I have the same problem and I don't really understand how you solve it...

My categorization file is like this:

event.destinationServiceName,event.deviceCustomNumber1,event.deviceCustomNumber2,set.event.categoryBehavior

SSH,4,3,/Execute/Stop

SSH,0,1,/Execute/Stop

SSH,1,0,/Execute/Stop

SSH,0,0,/Execute/Response

SSH,1,0,/Access/Start

SSH,2,3,/Communicate/Response

from log:

First event from [Ipswitch|WS_FTP Server||] received.

from parser:

event.deviceVendor=__stringConstant("Ipswitch")

event.deviceProduct=__stringConstant("WS_FTP Server")

unfortunately I don t have any message of loading or unloading but actually I had such messages hours before as I can see in agent.log , even before starting categorization and now there is no message even if the file is there created so somehow is not even trying to search it...but why?

[2015-08-19 15:34:05,650][INFO ][default.com.arcsight.agent.ah.qb$a_][getInputStream] Resource [ipswitch/ws_ftp_server.link.csv] not found in any of the usual places

[2015-08-19 15:34:05,650][INFO ][default.com.arcsight.agent.ah.qb$a_][getInputStream] Resource [ipswitch/ws_ftp_server.csv] not found in any of the usual places

[2015-08-19 15:34:05,653][INFO ][default.com.arcsight.agent.ah.ob$a_][getInputStream] Resource [ipswitch/ws_ftp_server.link.csv] not found

[2015-08-19 15:34:05,656][INFO ][default.com.arcsight.agent.ah.ob$a_][getInputStream] Resource [ipswitch/ws_ftp_server.csv] not found

[2015-08-19 15:34:05,656][WARN ][default.com.arcsight.common.ab.a][processSingleAlert] Unable to find categorization file [ipswitch/ws_ftp_server.csv]

---------------------------------

[2015-08-20 20:10:41,506][INFO ][default.com.arcsight.agent.ah.ob$a_][getInputStream] Resource [arcsight/arcsight.csv] found in [/opt/arcsight/development/app_sftp_windows/current/system/agent/acp/arcsightagents_2015-06-25-16-34-20_2.9.2.0.0-7.1.5.7575.0.aup|categorizer/current/arcsight/arcsight.csv.arc]

[2015-08-20 20:10:41,511][INFO ][default.com.arcsight.common.ab.a][processSingleAlert] Succesfully loaded categorization file [arcsight/arcsight.csv]

Thank you

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.