Absent Member.

Filter Forwarding


Hi,

I want to restrict what correlated events get forwarded from a source ESM to a destination ESM. I already have the 2 filters that the Forwarding Connector guide says are needed, but that sends all correlated events. When I started making changes to those filters so that it only forwards events fired from certain rules, the base event stopped being forwarded along with the correlated event. Can anyone show me an example that will restrict forwarding but still send the base event? Thanks.

10 Replies

How did you structure your filter? I would think this would work (using Name as an example of how you might further filter which rules you want to send):

OR

--Event Annotation Flags ContainsBits correlated
--AND
----Type = Correlation
----Device Product = ArcSight
----Device Vendor = ArcSight
----Name = UniqueValue
0 Likes
Absent Member. (Accepted Solution)

Would agree with dbw and generally speaking use the name field. The gotcha is if your filter uses the concept of name field = rule name and in one of your rules you aggregate on the name field for an event. For example, if you create a rule named “Windows Login” but aggregate on the name field, it will be populated with something like “A Kerberos authentication ticket (TGT) was requested.” You could use generatorName, which WILL get the rule name, but if you aren’t careful (or otherwise don’t care) you will also grab audit events related to things like that rule adding something to an AL if that is part of the action.

0 Likes
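To make the two replies above concrete, here is an added example (not from the thread or from ArcSight) that runs dbw's filter shape over a handful of constructed events. The events, the rule names ("Windows Login", "Noisy Rule", "Brute Force Source") and the field names used as stand-ins for Event Annotation Flags, Type, Device Vendor/Product, Name and generatorName are all made up for this illustration; in particular, the audit event produced by the active-list action is assumed to carry the rule in generatorName with a non-Correlation type, which is the assumption the Type = Correlation clause depends on.

```python
"""
Added example (not from the original thread or from ArcSight): a toy
evaluator for the forwarding filter discussed above, run over constructed
sample events so the name-vs-generatorName gotcha is visible.

Field names (type, name, deviceVendor, deviceProduct, generatorName, flags)
mirror the ArcSight fields named in the thread; the events and rule names
are invented for this example.
"""

# Hypothetical rule names whose correlation events should be forwarded.
FORWARDED_RULES = {"Windows Login", "Brute Force Source"}

# Constructed sample events. "flags" stands in for Event Annotation Flags.
SAMPLE_EVENTS = [
    # 1: base event that fired "Windows Login"; the engine flags it "correlated".
    {"id": 1, "type": "Base", "deviceVendor": "Microsoft",
     "deviceProduct": "Microsoft Windows", "generatorName": None,
     "name": "A Kerberos authentication ticket (TGT) was requested.",
     "flags": {"correlated"}},
    # 2: the correlation event. The rule aggregates on name, so name carries
    #    the base event's name rather than the rule name (the gotcha); the
    #    rule name is only present in generatorName.
    {"id": 2, "type": "Correlation", "deviceVendor": "ArcSight",
     "deviceProduct": "ArcSight", "generatorName": "Windows Login",
     "name": "A Kerberos authentication ticket (TGT) was requested.",
     "flags": set()},
    # 3/4: a correlation event from a rule we do NOT want forwarded, and its
    #      base event, which the engine also flags "correlated".
    {"id": 3, "type": "Correlation", "deviceVendor": "ArcSight",
     "deviceProduct": "ArcSight", "generatorName": "Noisy Rule",
     "name": "Noisy Rule", "flags": set()},
    {"id": 4, "type": "Base", "deviceVendor": "Cisco", "deviceProduct": "ASA",
     "generatorName": None, "name": "Deny tcp", "flags": {"correlated"}},
    # 5: audit event emitted when the "Windows Login" action adds to an active
    #    list. ASSUMED here to carry the rule as generatorName and a type other
    #    than Correlation; the Type clause below relies on that assumption.
    {"id": 5, "type": "Base", "deviceVendor": "ArcSight",
     "deviceProduct": "ArcSight", "generatorName": "Windows Login",
     "name": "Active list entry added", "flags": set()},
    # 6: ordinary base event that no rule matched.
    {"id": 6, "type": "Base", "deviceVendor": "Cisco", "deviceProduct": "ASA",
     "generatorName": None, "name": "Built outbound connection",
     "flags": set()},
]


def _is_arcsight_correlation(ev):
    """AND branch shared by the filters: Type = Correlation from ArcSight itself."""
    return (ev["type"] == "Correlation"
            and ev["deviceVendor"] == "ArcSight"
            and ev["deviceProduct"] == "ArcSight")


def forward_by_name(ev):
    """dbw's filter as posted: OR(flags ContainsBits correlated,
    AND(Type = Correlation, ArcSight/ArcSight, Name in the wanted rules))."""
    return ("correlated" in ev["flags"]
            or (_is_arcsight_correlation(ev) and ev["name"] in FORWARDED_RULES))


def forward_by_generator(ev):
    """Same shape, but matching the rule on generatorName, as the accepted
    answer recommends."""
    return ("correlated" in ev["flags"]
            or (_is_arcsight_correlation(ev)
                and ev["generatorName"] in FORWARDED_RULES))


def forward_by_generator_no_type(ev):
    """generatorName without the Type = Correlation clause: also picks up the
    rule's audit event (event 5), the second gotcha in the accepted answer."""
    return ("correlated" in ev["flags"]
            or ev["generatorName"] in FORWARDED_RULES)


def forwarded_ids(predicate, events=SAMPLE_EVENTS):
    """IDs of the events the given filter would hand to the forwarding connector."""
    return [ev["id"] for ev in events if predicate(ev)]


if __name__ == "__main__":
    for f in (forward_by_name, forward_by_generator, forward_by_generator_no_type):
        print(f"{f.__name__:>30}: {forwarded_ids(f)}")
```

Matching on Name forwards only [1, 4]: the "Windows Login" correlation event (2) is lost because its Name is the aggregated base-event name. Matching on generatorName gives [1, 2, 4]; dropping the Type = Correlation clause as well gives [1, 2, 4, 5], pulling in the rule's audit event. One consequence of the filter's shape worth noticing in all three variants: the first OR branch forwards every base event that any rule has flagged correlated, including event 4, which belongs to the rule you chose not to forward, so restricting by rule trims the correlation events but not the base-event volume.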
Absent Member.

Thanks, the generator name really helped in reducing the events we want to forward. I have a problem though on the managing ESM that is receiving the data. When I open an event and go down the event tree, it ends at a correlated event and I can't get to the base event. I have submitted a screenshot of this. Any help would be appreciated since we would like to be able to get to the base event. Thanks

0 Likes
Admiral

That's a known issue which has not been solved AFAIK (please correct me if I'm wrong). The correlated event doesn't contain the base events but a link to those. Unfortunately, even if these base events have been forwarded to the destination manager, it seems you cannot access them from the correlated event. I really hope it's going to be solved in the next ESM release as it's a serious issue in a multi-tier environment.

0 Likes

I don't see this being fixed any time soon... the problem is that the events are tied based on the event ID on the manager where the correlation event was created, and once you forward both events their event IDs change. This will require something more than a bugfix... it will take a change in design of some kind.

0 Likes
Absent Member.

Hi,

does the problem still exist?

Has anyone reported this problem to ArcSight?

Jack

0 Likes
Fleet Admiral

Hello Jack,

try this:

1. Create a user that is used by the super connector under a user group with the following filter conditions:

event1 :
( Event Annotation Flags ContainsBits correlated OR Type = Correlation )

2. Register the super connector with the above mentioned user to the destination ESM.

3. Add to the server.properties at the source ESM the following:

###################################################################################

# ContainerID to send forwarded events (EntityID.UserID)

###################################################################################

eventstream.cfc=3hudLfTYBABCp-yreZRGl6w==.1KxI+BzYBABDr0DGo+RMvhQ==

Note: 1st: super connector ID (to be found on the destination ESM), 2nd user ID (to be found on the source ESM)

This works in our tiered environment.

Volker

0 Likes
Lieutenant Commander

Hi Volker,

May we ask you what version of source ESM/Express, destination ESM/Express and Forwarding Connector you are using for this to work? We have been trying to achieve this for a long time and we see that in the latest 6.0.4.6830.0 Forwarding Connector version, which is released together with 6.5, it works, but your answer is from June and then 6.5 was not yet released, so we are a little bit confused.

Kind Regards,

RI

0 Likes
Fleet Admiral

Hello,

we are still on ESM 5.2 Patch 2 and using super connector 5.1.7.

Volker

0 Likes
Absent Member.

Hi Volker,

Are you able to get the event ID of the rule from the source ESM to the destination ESM?

How do we link the two events between the source and destination ESM, as I cannot see the event ID from the source ESM being forwarded to the destination ESM?

Regards,

Mohan

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.