giordanimax

Flex Connector Categorization and Severity mapping not working

Hi All,

I am developing a folder file reader Flex Connector. I have created the regex, did the mapping, and created some sub messages.

So far I can see what I want, despite a few issues which can be sorted easily. However, when it comes to the categorization, it does not seem to pick up what I have defined in my categorization file, and nothing shows in the ArcSight Console UI.

--> Here is a sample of the log:

Tue Aug 18 12:51:48 2015.554 Std 22160 doesn't match with mode [zest], flag [1234].
Tue Aug 18 12:51:48 2015.705 Std 22122 Client 70 failed to get authorization. Name [tata], type [tata], user [jim], address [IP_Address]. Reason : Authentication failed, user name or password is incorrect
Tue Aug 18 12:51:48 2015.705 Std 23500 Device: Fail [88989], object [-0908], task [08937] assignment , user name or password is incorrect

ARCSIGHT_HOME/user/agent/acp/categorizer/current/<device_vendor>/<device_product>.csv 

--> Here is the content of my "device_product.csv":

event.deviceSeverity,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
22122,/Host/Application/Config,/Authentication/Verify,,/Application/Zeus,/Informational/Warning,/Failure
22160,/Host/Application/Config,/Communicate/Query,,/Application/Zeus,/Informational/Error,/Failure
23500,/Host/Application/Config,/Modify/Configuration,,/Application/Zeus,/Informational/Error,/Failure
7041,/Host/Application/Config,/Modify/Configuration,,/Application/Zeus,/Informational/Error,/Failure

ARCSIGHT_HOME\user\agent\flexagent\log.sdkrfilereader.properties 

--> Here is my Configuration File properties:

# FlexAgent Regex Configuration File
do.unparsed.events=true
comments.start.with=\#
start.at.line=29
trim.tokens=true
contains.empty.token=true
regex=(\\D+\\S+\\s+\\d+ \\d\\d:\\d\\d:\\d\\d) (\\d+.\\d+) Std\ (\\d+) (.*)
token.count=4
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=EEE MMM dd HH:mm:ss
token[1].name=Toto
token[1].type=String
token[2].name=SubmessageIdToken
token[2].type=String
token[3].name=SubmessageToken
token[3].type=String
event.deviceReceiptTime=__useCurrentYear(Timestamp)
event.deviceVendor=__getVendor("mydevicevendor")
event.deviceProduct=__stringConstant(mydeviceproduct)
event.deviceCustomString1Label=__stringConstant("Event Description")
event.deviceCustomString1=Toto
event.message=SubmessageToken
event.deviceHostName=__stringConstant("MyDeviceTest")
event.deviceSeverity=SubmessageIdToken
severity.map.high.if.deviceSeverity=22122,23500
severity.map.medium.if.deviceSeverity=22160
severity.map.low.if.deviceSeverity=07041

Can someone tell me what I am doing wrong, or what I am missing, please?

Regards,

Max

7 Replies
dkc1

Re: Flex Connector Categorization and Severity mapping not working

I think the map file is supposed to be under ARCSIGHT_HOME/user/agent/map/map.<id of the map file. Zero is first>.properties

maystrovichva

Re: Flex Connector Categorization and Severity mapping not working

What is in the log files?

ARCSIGHT_HOME/current/logs/agent.log
ARCSIGHT_HOME/current/logs/agent.out.wrapper.log

shih-hao.lim@hp1

Re: Flex Connector Categorization and Severity mapping not working

Don't use "event.deviceSeverity"; as a best practice, use event.deviceEventClassId.

Leon

giordanimax

Re: Flex Connector Categorization and Severity mapping not working

Thank you Lim for this information. Really appreciated.

giordanimax

Re: Flex Connector Categorization and Severity mapping not working

Hi David,

The path you specified in your post is for map files; however, what I am trying to achieve is for the categorization I have defined to show in the ESM UI.

Can categorization be done with map files too?

Regards,

Maxe

Szymon.Niedziel

Re: Flex Connector Categorization and Severity mapping not working

Categorization and map files do not support null values.

You need to fill in something in the set.event.categoryTechnique column:

event.deviceSeverity,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
22122,/Host/Application/Config,/Authentication/Verify,putsomethinghere,/Application/Zeus,/Informational/Warning,/Failure
22160,/Host/Application/Config,/Communicate/Query,putsomethinghere,/Application/Zeus,/Informational/Error,/Failure
23500,/Host/Application/Config,/Modify/Configuration,putsomethinghere,/Application/Zeus,/Informational/Error,/Failure
7041,/Host/Application/Config,/Modify/Configuration,putsomethinghere,/Application/Zeus,/Informational/Error,/Failure

Regards.

giordanimax
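A small offline check for both the original post's connector files and the empty-cell problem pointed out above, written as an added example (not part of the thread, not ArcSight code, and not how the connector itself parses its files): it reads constructed excerpts of the posted properties and categorizer CSV, applies the posted regex to one of the sample log lines, then reports every empty set.* cell and every event.deviceSeverity key in the CSV that no severity.map entry lists (such as 7041 against 07041). The .properties unescaping assumed here covers only the two escapes this file uses.

```python
import csv, io, re

# Constructed excerpts of the two files posted in the thread (not the files on disk).
PROPERTIES = r"""
regex=(\\D+\\S+\\s+\\d+ \\d\\d:\\d\\d:\\d\\d) (\\d+.\\d+) Std\ (\\d+) (.*)
severity.map.high.if.deviceSeverity=22122,23500
severity.map.medium.if.deviceSeverity=22160
severity.map.low.if.deviceSeverity=07041
"""
CATEGORIZER_CSV = """\
event.deviceSeverity,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
22122,/Host/Application/Config,/Authentication/Verify,,/Application/Zeus,/Informational/Warning,/Failure
22160,/Host/Application/Config,/Communicate/Query,,/Application/Zeus,/Informational/Error,/Failure
7041,/Host/Application/Config,/Modify/Configuration,,/Application/Zeus,/Informational/Error,/Failure
"""
SAMPLE_LOG = "Tue Aug 18 12:51:48 2015.554 Std 22160 doesn't match with mode [zest], flag [1234]."

def load_properties(text):
    """Minimal Java .properties reader: unescape '\\\\' -> '\\' and '\\ ' -> ' ' (enough here)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().replace("\\\\", "\\").replace("\\ ", " ")
    return props

def parse_log_line(props, line):
    """Apply the connector regex; group 3 is SubmessageIdToken, which feeds event.deviceSeverity."""
    m = re.match(props["regex"], line)
    return m.groups() if m else None

def severity_map(props):
    """deviceSeverity value -> level, from the severity.map.<level>.if.deviceSeverity keys."""
    out = {}
    for key, value in props.items():
        m = re.fullmatch(r"severity\.map\.(\w+)\.if\.deviceSeverity", key)
        if m:
            out.update((v.strip(), m.group(1)) for v in value.split(","))
    return out

def check_categorizer(csv_text, sevmap):
    """Flag empty set.* cells (categorizer files do not accept them) and ids missing from the map."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["event.deviceSeverity"]
        for col, val in row.items():
            if col.startswith("set.") and not val.strip():
                problems.append(f"{key}: empty {col}")
        if key not in sevmap:  # e.g. CSV says 7041 but severity.map says 07041: no match
            problems.append(f"{key}: no severity.map entry (map has {sorted(sevmap)})")
    return problems
```

Run on the excerpts above, check_categorizer reports one empty categoryTechnique cell per row plus the 7041 key that the severity map never mentions; with the technique column filled in, only the 7041 mismatch remains.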

Re: Flex Connector Categorization and Severity mapping not working

Hi Niedziela,

Thank you so much for having spotted this. I missed that; I will double-check again and re-implement.

Cheers,

Regards,

Maxe
