Absent Member.

Custom Parser or Map File for software smart connector Blue Coat Proxy

I am looking for the best way to write a custom parser or map file to map Blue Coat cs-username and cs-user to Source User Name field in ArcSight. How do I go about doing this?

Thanks,

Eric

Absent Member.

Hi Eric,

We used the additional mapping from the console to do the trick, works much faster.

Absent Member.

Thanks for responding to this post. I actually have had it mapped that way but thought it might be better to write a parser so if you needed to you could map more than one field to the ArcSight field. Currently using additional mapping on ESM 5 limits you to just one field per ArcSight field. If you map another field, it erases the previously mapped field.

Absent Member.

I mapped another field "rs(Content-Type)" to deviceCustomString5.

I had to create a map in the agent's "aup" folder:

%CONNECTORS_HOME%/current/user/agent/aup/%AGENTID%/fcp/custommappings/Blue_Coat/Proxy_SG

file:

ngmappings.adatamappings.properties

content:

event.deviceCustomString5=rs(Content-Type)

The logger shows the additional field as "ad.rs(Content-Type)".

Absent Member.

Actually it is better to do it via Connection command "Get additional data fields"/"Map additional data field"

Absent Member.

Alex,

I attempted your custom mapping as you showed, then restarted the connector and it worked. Thanks for the help.

Absent Member.

Why exactly is it better?  It seems to put the data right into an ngmappings.adatamappings.properties file for the connector anyways.  Is it just easier to do it via the interface, or less likely to fat-finger something, or is there an actual performance increase?

Absent Member.

Joanne,

I think Alex meant it is better because you are less likely to break connector mappings via the interface, and you're right, it is easier via the interface. The issue is if you want to map more than one field to the ArcSight field and you use the interface method, the previously mapped field is replaced by the last added mapped field. To map more than one field, use the map file solution mentioned above. That is what I used and it resolved my problem.

Absent Member.

Yes, exactly.

It is always better to use a documented approach, especially if it can be done via the GUI, rather than using "hacks" and manipulating internal files.

Also, it is a completely different story when you need to update a mapping on a Connector Appliance, which is a locked box and usually does not allow manipulation at the OS/file level.

BTW, with Blue Coat connectors I found out that if you are adding multiple destinations, it is better to create all destinations first, THEN apply mapping changes, since apparently adding a new destination erases all applied mapping changes.
