F5 APM events unparsed
now i integrated F5 APM with arcsight but there is a lot of events unparsed. can everyone help me to how can i make overwrite to those unparsed events?
I would do the following:
1) Check SmartConnector for F5 BIG-IP Syslog if you are on supported version:
2) If you are on supported version then open a Case so ArcSight Technical Support can file a Parsing BUG
3) If you are not on supported version check if you can upgrade to supported version and then test if you see unparsed events. If you still see them then follow step 1).
4) If you have version that is higher than currently supported by SmartConnector then you can open a Case and request Feature Request. Once Feature Request is created you will get the number of that Feature Request and then you can make inquires with your ArcSight Sales Representative about additional informations.
5) If you have lot of unparsed events then it will not be easy to make parser override as you do not have original F5 parser that is used in SmartConnector and even if you had it and lot of events do not match it then you would basically need to rewrite complete parser.
6) If you want to make it yourself from beginning there is something called HPE ArcSight FlexConnector Developer's Guide:
This is basically developers kit so you can make your SmartConnector from scratch and support all the events/device that you want but it is not simple task.