
Connector Properties Override Version Mismatch


I just installed the parser override ciscopix.subagent.sdkrfilereader.properties, and it appears the connector skips the event that the override is designed to catch; instead I get the following CEF/ArcSight event:

CEF:0|ArcSight|ArcSight|7.6.0.8009.0|agent:049|Connector Properties Override Version Mismatch|High| eventId=30 mrt=1529513764062 catdt=Security Management art=1529513764074 cat=/Agent/Override/Mismatch deviceSeverity=Warning rt=1529513764062 cs1=EA5DA6EFDE1C71F9AEDCB453B0A4B5B0386E7C004C5910BDE3DD0D5B7DBFB475|17|2015-12-16 11:57:34 PST  cs2=2604EE2EBE87C1440E53C41A2DB286381193825C0C2822269CCED9185C71255A|21|2017-04-17 20:22:19 PDT cs3=/home/rpaige/ArcSightSmartConnectors/syslog/current/user/agent/fcp/ciscopix/ciscopix.subagent.sdkrfilereader.properties cs1Label=Override version
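Added example (my code, not the poster's and not ArcSight's): a small parser for this audit event and the selection a detection rule would apply to it. It takes the CEF line above as its sample. The connector itself labels cs1 as "Override version"; reading cs2 as the signature of the installed parser is an assumption made here, and SAMPLE_OK is a constructed, unrelated agent event used only for contrast.

```python
"""Parse ArcSight SmartConnector audit events in CEF and pick out
'Connector Properties Override Version Mismatch' events.

Added example, not ArcSight's code. SAMPLE_MISMATCH is the line quoted in
the post; SAMPLE_OK is a constructed, unrelated agent event for contrast.
cs1 is labelled 'Override version' by the connector itself; reading cs2 as
the signature of the installed parser is an assumption made here.
"""
import re
from typing import Dict, List, Optional

SAMPLE_MISMATCH = (
    "CEF:0|ArcSight|ArcSight|7.6.0.8009.0|agent:049|"
    "Connector Properties Override Version Mismatch|High| eventId=30 "
    "mrt=1529513764062 catdt=Security Management art=1529513764074 "
    "cat=/Agent/Override/Mismatch deviceSeverity=Warning rt=1529513764062 "
    "cs1=EA5DA6EFDE1C71F9AEDCB453B0A4B5B0386E7C004C5910BDE3DD0D5B7DBFB475|17|"
    "2015-12-16 11:57:34 PST  "
    "cs2=2604EE2EBE87C1440E53C41A2DB286381193825C0C2822269CCED9185C71255A|21|"
    "2017-04-17 20:22:19 PDT "
    "cs3=/home/rpaige/ArcSightSmartConnectors/syslog/current/user/agent/fcp/"
    "ciscopix/ciscopix.subagent.sdkrfilereader.properties cs1Label=Override version"
)
SAMPLE_OK = (  # constructed, not from the page
    "CEF:0|ArcSight|ArcSight|7.6.0.8009.0|agent:049|Agent Started|Low| "
    "eventId=31 cat=/Agent/Started deviceSeverity=Info rt=1529513764100"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # '|' separates header fields; '\|' is literal
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # 'key=' tokens inside the extension


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v with spaces k3=v3'; a value runs until the next 'key=' token."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def parse_cef(line: str) -> dict:
    """Seven pipe-separated header fields, then the extension."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: " + line[:40])
    event = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    event["cef_version"] = event["cef_version"][4:]   # 'CEF:0' -> '0'
    event["ext"] = parse_extension(parts[7])
    return event


def parse_signature(value: str) -> Dict[str, str]:
    """cs1 (and, by assumption, cs2) carry '<64-hex digest>|<version>|<timestamp>'."""
    parts = value.split("|", 2)
    if len(parts) != 3:
        raise ValueError("unexpected signature format: " + value)
    return {"digest": parts[0], "version": parts[1], "date": parts[2]}


def override_mismatch(event: dict) -> Optional[dict]:
    """Details for an override-mismatch audit event, else None."""
    ext = event["ext"]
    if ext.get("cat") != "/Agent/Override/Mismatch":
        return None
    override, parser = parse_signature(ext["cs1"]), parse_signature(ext["cs2"])
    return {"file": ext.get("cs3"), "severity": event["severity"],
            "override_version": override["version"], "override_date": override["date"],
            "parser_version": parser["version"], "parser_date": parser["date"]}


def scan(lines: List[str]) -> List[dict]:
    """The rule the accepted answer recommends, run over raw CEF lines."""
    hits = []
    for line in lines:
        try:
            hit = override_mismatch(parse_cef(line))
        except ValueError:
            continue          # non-CEF noise in the stream is skipped, not fatal
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan([SAMPLE_MISMATCH, "not a cef line", SAMPLE_OK]):
        print(f"{hit['file']}\n  override v{hit['override_version']} ({hit['override_date']})"
              f" vs parser v{hit['parser_version']} ({hit['parser_date']})")
```

For the line above this yields override version 17 (signed 2015-12-16) against parser version 21 (signed 2017-04-17) for the file named in cs3, which is exactly the pair a rule should alert on.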

Accepted solution
Hi,

This is one of my favourites. Let me try to explain.

Each parser gets a "prop.sign.ver.date" added at the end of the file. Basically that means the parser override was tested and verified to work with the original "remaining" parts of the actual parser.

Let's say for your Cisco parser you had an override for message 4711. Your override looks like this:

submessage[10].messageid=4711
submessage[10].pattern.count=1
submessage[10].pattern[0].regex=<some regex here>
submessage[10].pattern[0].fields=<some fields here>

If a newer parser is now released, two things might happen:

a) An ArcSight developer already added your override to the new parser. Therefore your override would not be needed anymore.
b) (the probability is higher for b) An ArcSight developer added another change to the parser.

In both cases it could happen that several new log messages (the number in the messageID field) were added to the parser.

This means it could happen that some messageID gets a new submessage number (the first brackets) (see 1) or a submessage gets an additional pattern (see 2). As the parser does not know what happened in the new parser version, the parser framework sends a message that "Connector Properties Override Version Mismatch" is happening.
Basically it checks whether the actual "prop.sign.ver.date" in the file is different from the "prop.sign.ver.date" used by the new parser (aup). If they differ, a message is generated.

To test whether the override is the issue or something else is, just comment out (#) the "prop.sign.ver.date" at the end of the parser - but it might be that your override was not designed to work with your current parser.

AND you should create a rule that looks for those audit events, and act as soon as it fires.

Hope that helps

A.

(1)
submessage[13].messageid=4711
submessage[13].pattern.count=1
submessage[13].pattern[0].regex=<some regex here>
submessage[13].pattern[0].fields=<some fields here>

(2)
submessage[10].messageid=4711
submessage[10].pattern.count=2
submessage[10].pattern[0].regex=<some regex here>
submessage[10].pattern[0].fields=<some fields here>
submessage[10].pattern[1].regex=<some other regex here>
submessage[10].pattern[1].fields=<some other fields here>

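To make the mechanism in the answer concrete, an added example (my code, not the answer's and not ArcSight's): it models the prop.sign.ver.date comparison and, for the message an override targets, the three outcomes the answer describes, using constructed property excerpts for the override, the v17 parser it was written against, and a v21 parser in which 4711 has moved to slot 13 and gained a second pattern. The key names are the ones in the answer's excerpt; the signature digests are placeholders, and that the shipped parser carries the same prop.sign.ver.date key is an assumption.

```python
"""Model the check behind 'Connector Properties Override Version Mismatch':
compare an override's prop.sign.ver.date with the parser it now sits on, and
report what moved underneath the override when they differ.

Added example, not ArcSight's code. Key names follow the answer's excerpt;
the three property texts are constructed, the signature digests are
placeholders, and the shipped parser is assumed to carry the same key.
"""
from typing import Dict

SIG_KEY = "prop.sign.ver.date"

# Override for message 4711 in slot 10, written and tested against parser v17.
OVERRIDE = r"""
submessage[10].messageid=4711
submessage[10].pattern.count=1
submessage[10].pattern[0].regex=user (\\S+) logged in from (\\S+)
prop.sign.ver.date=sig17-placeholder|17|2015-12-16 11:57:34 PST
"""

# v17 parser excerpt: 4711 in slot 10 with the weaker regex the override fixes.
PARSER_V17 = r"""
submessage[10].messageid=4711
submessage[10].pattern.count=1
submessage[10].pattern[0].regex=user (\\S+) logged in
prop.sign.ver.date=sig17-placeholder|17|2015-12-16 11:57:34 PST
"""

# v21 parser: three messages inserted, so 4711 moved to slot 13 (answer's case 1);
# it now ships the override's regex (case a) and gained a second pattern (case 2).
PARSER_V21 = r"""
submessage[10].messageid=4701
submessage[11].messageid=4702
submessage[12].messageid=4703
submessage[13].messageid=4711
submessage[13].pattern.count=2
submessage[13].pattern[0].regex=user (\\S+) logged in from (\\S+)
submessage[13].pattern[1].regex=user (\\S+) logged in via (\\S+)
prop.sign.ver.date=sig21-placeholder|21|2017-04-17 20:22:19 PDT
"""

def load_props(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments, no continuations."""
    props: Dict[str, str] = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def signature_version(props: Dict[str, str]) -> str:
    """prop.sign.ver.date is '<digest>|<version>|<timestamp>'; return the version or ''."""
    parts = props.get(SIG_KEY, "").split("|")
    return parts[1] if len(parts) == 3 else ""

def submessages(props: Dict[str, str]) -> Dict[str, dict]:
    """messageid -> slot index, pattern count and first regex, from submessage[N].* keys."""
    out: Dict[str, dict] = {}
    for key, msgid in props.items():
        if key.startswith("submessage[") and key.endswith("].messageid"):
            n = int(key[len("submessage["):-len("].messageid")])
            out[msgid] = {"index": n,
                          "patterns": int(props.get(f"submessage[{n}].pattern.count", "0")),
                          "regex0": props.get(f"submessage[{n}].pattern[0].regex")}
    return out

def check_override(override_text: str, parser_text: str) -> dict:
    """Signature comparison plus, per overridden message, what the override
    now does to the parser underneath it (the answer's cases a, 1 and 2)."""
    ov, pa = load_props(override_text), load_props(parser_text)
    shipped_all = submessages(pa)
    slot_owner = {v["index"]: mid for mid, v in shipped_all.items()}
    messages = {}
    for msgid, mine in submessages(ov).items():
        shipped, issues = shipped_all.get(msgid), []
        if shipped is None:
            issues.append("not_in_parser")
        else:
            if shipped["index"] != mine["index"]:
                issues.append("index_shifted")    # case 1: the slot now belongs to another message
            if shipped["patterns"] > mine["patterns"]:
                issues.append("pattern_added")    # case 2: the override hides the newer pattern
            if shipped["regex0"] == mine["regex0"]:
                issues.append("already_shipped")  # case a: the override is no longer needed
        messages[msgid] = {"override_index": mine["index"],
                           "parser_index": shipped["index"] if shipped else None,
                           "slot_now_holds": slot_owner.get(mine["index"]),
                           "issues": issues}
    return {"mismatch": SIG_KEY in ov and ov[SIG_KEY] != pa.get(SIG_KEY),
            "override_version": signature_version(ov),
            "parser_version": signature_version(pa),
            "messages": messages}

def comment_out_signature(text: str) -> str:
    """The answer's diagnostic: '#' the signature so the audit event stops.
    That isolates the cause only; the slot and pattern issues stay as they are."""
    return "\n".join("#" + l if l.startswith(SIG_KEY) else l for l in text.splitlines())
```

Against PARSER_V17 the signatures agree and 4711 reports no issues; against PARSER_V21 the signatures differ and the override's slot 10 now belongs to message 4701, 4711 lives in slot 13, the override's regex is already shipped, and the parser's second pattern would be hidden. The last function reproduces the diagnostic step from the answer: with the signature commented out the mismatch no longer fires, but every one of those issues is still present, which is the caveat to keep in mind.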

Excellent explanation!

Thanks
