Infosec (Super Contributor)

Difference in fields between Logger and ESM


Hi Folks,

Maybe someone will be able to help me out. I have noticed that the same event has some fields missing in ESM while they are present in Logger.

Specifically, I am looking at Windows Event 5136. Logger parses the event and has a field ad.OpCorrelationId, while ESM does not have this field.

Does someone know why?

The connector sends the same events to ESM and Logger without aggregation or filtering.


Accepted Solutions
Marijo Mandic (Acclaimed Contributor)

Re: Difference in fields between Logger and ESM


Hello,

1) What you see on Logger is "additional data" that is not mapped into any of the standard ArcSight fields.

2) Please try the following on ESM to map the "additional data" to a certain field that exists in the ESM Event DB schema:
How to Map Additional Data from Windows Events:
https://community.softwaregrp.com/t5/Share-Documentation/How-to-Map-Additional-Data-from-Windows-Events-pdf/ta-p/1585389

Regards,

Marijo
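To make point 1) concrete, here is an added example (not code from this thread, from ArcSight or from Micro Focus) that parses two CEF records of the same event, one as Logger stores it and one as ESM stores it, and reports which extension keys exist on one side only. It assumes the connector convention that unmapped additional data appears in CEF with an `ad.` key prefix; the two sample 5136 lines, including the `Microsoft-Windows-Security-Auditing:5136` signature ID and all field values, are constructed for the example and are not real events.

```python
"""Compare the CEF extension keys of one event as seen on two ArcSight destinations
(Logger vs ESM) and report keys present on one side only.

Added example; sample CEF lines below are constructed, not captured from a connector.
"""
import re

# One key=value pair in the CEF extension. Values may contain spaces and the
# escapes \= \| \\ \n \r, so a value ends only where the next "key=" begins.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")
_HEADER_SEP = re.compile(r"(?<!\\)\|")  # header fields are split on unescaped pipes
_ESCAPES = {"\\|": "|", "\\\\": "\\", "\\=": "=", "\\n": "\n", "\\r": "\r"}
_HEADER_NAMES = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]

# Assumption: additional data that is not mapped to a schema field is emitted with this prefix.
ADDITIONAL_DATA_PREFIX = "ad."


def _unescape(text):
    """Undo CEF escaping in a header field or extension value."""
    return re.sub(r"\\[|\\=nr]", lambda m: _ESCAPES[m.group(0)], text)


def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of extension keys."""
    parts = _HEADER_SEP.split(line.strip(), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    header = {n: _unescape(v) for n, v in zip(_HEADER_NAMES, parts[:7])}
    extension = parts[7] if len(parts) == 8 else ""
    ext = {m.group(1): _unescape(m.group(2)) for m in _EXT_PAIR.finditer(extension)}
    return header, ext


def compare_fields(logger_line, esm_line):
    """Return extension keys that differ between the two copies of the event,
    separating unmapped additional data (ad.*) from everything else."""
    _, logger_ext = parse_cef(logger_line)
    _, esm_ext = parse_cef(esm_line)
    only_logger = sorted(set(logger_ext) - set(esm_ext))
    only_esm = sorted(set(esm_ext) - set(logger_ext))
    return {
        "unmapped_additional_data": [k for k in only_logger if k.startswith(ADDITIONAL_DATA_PREFIX)],
        "missing_on_esm": [k for k in only_logger if not k.startswith(ADDITIONAL_DATA_PREFIX)],
        "missing_on_logger": only_esm,
    }


# Constructed sample: the same 5136 event as Logger keeps it (with additional data)
# and as ESM keeps it (additional data dropped because nothing maps it to a schema field).
_COMMON = (
    "CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:5136|"
    "A directory service object was modified.|Low|"
    "rt=1571323200000 dhost=dc01.example.test duser=svc-admin "
    "cs1=CN\\=User One,OU\\=Staff,DC\\=example,DC\\=test cs1Label=Object DN"
)
LOGGER_5136 = _COMMON + " ad.OpCorrelationId={2F0A9C3E-9B44-4A1C-8D8B-1234567890AB} ad.AttributeLDAPDisplayName=member"
ESM_5136 = _COMMON

if __name__ == "__main__":
    for bucket, keys in compare_fields(LOGGER_5136, ESM_5136).items():
        print("%-26s %s" % (bucket + ":", ", ".join(keys) or "-"))
```

Run against real exports, the `unmapped_additional_data` bucket is the list of keys you would feed into the mapping procedure from the linked PDF; anything that lands in `missing_on_esm` instead is a standard field and points at a different problem (a filter, aggregation or a parser version mismatch) rather than unmapped additional data.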

Infosec (Super Contributor)

Re: Difference in fields between Logger and ESM


Hi,

Thanks for the reply. Probably a dumb question, but is this solution permanent (done once and it continues to work as configured), or does the data pulling have to be done manually on the connector every time?

Marijo Mandic (Acclaimed Contributor)

Re: Difference in fields between Logger and ESM


Hello,

Once you run this procedure via ESM on the SmartConnector, a file is created (as explained in the PDF).

As long as this file (ngmappings.adatmappings.properties) is not removed and nothing is reconfigured, the event will be mapped as you configured it via ESM.

Regards,

Marijo

jorgeoa (Honored Contributor)

Re: Difference in fields between Logger and ESM


If you just want to see the field value in an Active Channel, you can add the column with the "right-click" option in the columns header.

You need to set the turbo mode to 3 in the manager's server.properties file:

turbo.mode.com.arcsight.event.SecurityEvent=3

[attached screenshots: ad.png, ad1.png]
