
Hi,
I want to restrict what correlated events get forwarded from a source ESM to a destination ESM. I already have the 2 filters that the Forwarding Connector guide says are needed, but that sends all correlated events. When I started making changes to those filters so that it only forwards events fired from certain rules, then the base event stopped being forwarded along with the correlated event. Can anyone show me an example that will restrict forwarding but still send the base event? Thanks.
Accepted Solutions
Would agree with dbw and generally speaking use the name field. The gotcha is if your filter uses the concept of name field = rule name and in one of your rules you aggregate on the name field for an event. For example, if you create a rule named “Windows Login” but aggregate on the name field, it will be populated with something like “A Kerberos authentication ticket (TGT) was requested.” You could use generatorName, which WILL get the rule name, but if you aren’t careful (or otherwise don’t care) you will also grab audit events related to things like that rule adding something to an AL if that is part of the action.
How did you structure your filter? I would think this would work (using Name as an example of how you might further filter which rules you want to send):
OR

Thanks, the generator name really helped in reducing the events we want to forward. I have a problem though on the managing ESM that is receiving the data. When I open an event and go down the event tree, it ends at a correlated event and I can't get to the base event. I have submitted a screenshot of this. Any help would be appreciated since we would like to be able to get to the base event. Thanks

That's a known issue which has not been solved AFAIK (please correct me if I'm wrong). The correlated event doesn't contain the base events but a link to those. Unfortunately, even if these base events have been forwarded to the destination manager, it seems you cannot access them from the correlated event. I really hope it's going to be solved in the next ESM release as it's a serious issue in a multi-tier environment.

I don't see this being fixed any time soon... the problem is that the events are tied based on the event ID on the manager where the correlation event was created, and once you forward both events their event IDs change. This will require something more than a bugfix... it will take a change in design of some kind.

Hi,
Does the problem still exist?
Has anyone reported this problem to ArcSight?
Jack


Hello Jack,
try this:
1. Create a user that is used by the super connector under a user group with the following filter conditions:
event1 :
( Event Annotation Flags ContainsBits correlated OR Type = Correlation )
2. Register the super connector with the above mentioned user to the destination ESM.
3. Add to the server.properties at the source ESM the following:
###################################################################################
# ContainerID to send forwarded events (EntityID.UserID)
###################################################################################
eventstream.cfc=3hudLfTYBABCp-yreZRGl6w==.1KxI+BzYBABDr0DGo+RMvhQ==
Note: 1st: super connector ID (to be found on the destination ESM), 2nd: user ID (to be found on the source ESM)
This works in our tiered environment.
Volker
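An added offline model of the two forwarding filters this thread discusses (not code from the thread or from ArcSight): filter 1 matches correlation events on generatorName rather than name, and filter 2 keeps base events the rule has annotated as correlated. The flag bit value, the "Audit" type string and the sample events are constructed.

```python
# Constructed bit value standing in for the "correlated" Event Annotation Flag
CORRELATED_FLAG = 0x1

# Constructed allowlist of rules whose correlation events should be forwarded
FORWARD_RULES = {"Windows Login", "Brute Force Detected"}

def forward_correlation(event, rules=FORWARD_RULES):
    """Filter 1: correlation events fired by selected rules.
    generatorName survives rules that aggregate on name; the Type check
    keeps out audit events that carry the rule name in generatorName."""
    return event.get("type") == "Correlation" and event.get("generatorName") in rules

def forward_correlation_by_name(event, rules=FORWARD_RULES):
    """The fragile variant: matches on the name field (the gotcha above)."""
    return event.get("type") == "Correlation" and event.get("name") in rules

def forward_base(event):
    """Filter 2: base events already annotated as correlated (ContainsBits)."""
    return bool(event.get("annotationFlags", 0) & CORRELATED_FLAG)

def should_forward(event, rules=FORWARD_RULES):
    return forward_correlation(event, rules) or forward_base(event)

# Constructed sample events
KERBEROS = "A Kerberos authentication ticket (TGT) was requested."
SAMPLE_EVENTS = [
    # base event the rule matched and annotated: kept by filter 2
    {"id": 1, "type": "Base", "name": KERBEROS,
     "generatorName": "", "annotationFlags": CORRELATED_FLAG},
    # correlation event from a rule that aggregates on name: name != rule name
    {"id": 2, "type": "Correlation", "name": KERBEROS,
     "generatorName": "Windows Login", "annotationFlags": 0},
    # audit event from the rule's active-list action: same generatorName, wrong type
    {"id": 3, "type": "Audit", "name": "Active list entry added",
     "generatorName": "Windows Login", "annotationFlags": 0},
    # correlation event from a rule that is not in the allowlist
    {"id": 4, "type": "Correlation", "name": "Port Scan",
     "generatorName": "Port Scan", "annotationFlags": 0},
    # unannotated base event: not forwarded
    {"id": 5, "type": "Base", "name": "Logon success",
     "generatorName": "", "annotationFlags": 0},
]

def forwarded_ids(events=SAMPLE_EVENTS, rules=FORWARD_RULES):
    return [e["id"] for e in events if should_forward(e, rules)]

if __name__ == "__main__":
    print(forwarded_ids())  # [1, 2]
```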

Hi Volker,
May we ask you what version of source ESM/Express, destination ESM/Express and Forwarding Connector you are using for this to work? We have been trying to achieve this for a long time, and we see that in the latest 6.0.4.6830.0 Forwarding Connector version, which was released together with 6.5, it works, but your answer is from June, when 6.5 was not yet released, so we are a little bit confused.
Kind Regards,
RI


Hello,
we are still on ESM 5.2 Patch 2 and using super connector 5.1.7.
Volker

Hi Volker,
Are you able to get the event ID of the rule from the source ESM to the destination ESM?
How do we link the two events between the source and destination ESM, as I cannot see the event ID from the source ESM being forwarded to the destination ESM?
Regards,
Mohan