Absent Member.

Flex Connector Categorization and Severity mapping not working

Hi All,

I am developing a folder file reader Flex Connector. I have created the regex, did the mapping, and created some sub messages.

So far I can see what I want, despite a few issues which can be sorted easily. However, when it comes to the categorization it does not seem to pick up what I have defined in my categorization file, and nothing shows in the ArcSight Console UI.

--> Here is a sample of the log:

Tue Aug 18 12:51:48 2015.554 Std 22160 doesn't match with mode [zest], flag [1234].

Tue Aug 18 12:51:48 2015.705 Std 22122 Client 70 failed to get authorization. Name [tata], type [tata], user [jim], address [IP_Address]. Reason : Authentication failed, user name or password is incorrect

Tue Aug 18 12:51:48 2015.705 Std 23500 Device: Fail [88989], object [-0908], task [08937] assignment , user name or password is incorrect

ARCSIGHT_HOME/user/agent/acp/categorizer/current/<device_vendor>/<device_product>.csv 

--> Here is the content of my "device_product.csv":

event.deviceSeverity,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
22122,/Host/Application/Config,/Authentication/Verify,,/Application/Zeus,/Informational/Warning,/Failure
22160,/Host/Application/Config,/Communicate/Query,,/Application/Zeus,/Informational/Error,/Failure
23500,/Host/Application/Config,/Modify/Configuration,,/Application/Zeus,/Informational/Error,/Failure
7041,/Host/Application/Config,/Modify/Configuration,,/Application/Zeus,/Informational/Error,/Failure

ARCSIGHT_HOME\user\agent\flexagent\log.sdkrfilereader.properties 

--> Here is my Configuration File properties:

# FlexAgent Regex Configuration File
do.unparsed.events=true
comments.start.with=\#
start.at.line=29
trim.tokens=true
contains.empty.token=true
regex=(\\D+\\S+\\s+\\d+ \\d\\d:\\d\\d:\\d\\d) (\\d+.\\d+) Std\ (\\d+) (.*)
token.count=4
token[0].name=Timestamp
token[0].type=TimeStamp
token[0].format=EEE MMM dd HH:mm:ss
token[1].name= Toto
token[1].type=String
token[2].name=SubmessageIdToken
token[2].type=String
token[3].name=SubmessageToken
token[3].type=String
event.deviceReceiptTime=__useCurrentYear(Timestamp)
event.deviceVendor=__getVendor("mydevicevendor")
event.deviceProduct=__stringConstant(mydeviceproduct)
event.deviceCustomString1Label=__stringConstant("Event Description")
event.deviceCustomString1=Toto
event.message=SubmessageToken
event.deviceHostName=__stringConstant("MyDeviceTest")
event.deviceSeverity=SubmessageIdToken
severity.map.high.if.deviceSeverity=22122,23500
severity.map.medium.if.deviceSeverity=22160
severity.map.low.if.deviceSeverity=07041

Can someone tell me what I am doing wrong, or what I am missing, please?

Regards,

Max

0 Likes
7 Replies
Absent Member.

I think the map file is supposed to be under ARCSIGHT_HOME/user/agent/map/map.<id of the map file. Zero is first>.properties

0 Likes
Super Contributor.

What is in the log files?

ARCSIGHT_HOME/current/logs/agent.log

ARCSIGHT_HOME/current/logs/agent.out.wrapper.log

0 Likes
Regular Contributor.

Don't use "event.deviceSeverity"; as a best practice, use event.deviceEventClassId.

Leon

0 Likes
Absent Member.

Thank you, Lim, for this information. Really appreciated.

0 Likes
Absent Member.

Hi David,

The path you specified in your post is for map files, however what I am trying to achieve is the categorization I have defined to show in the ESM UI.

Can categorization be done with map files too?

Regards,

Maxe

0 Likes
Frequent Contributor.

Categorization and map files do not support null values.

You need to fill in something in the set.event.categoryTechnique

event.deviceSeverity,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
22122,/Host/Application/Config,/Authentication/Verify,putsomethinghere,/Application/Zeus,/Informational/Warning,/Failure
22160,/Host/Application/Config,/Communicate/Query,putsomethinghere,/Application/Zeus,/Informational/Error,/Failure
23500,/Host/Application/Config,/Modify/Configuration,putsomethinghere,/Application/Zeus,/Informational/Error,/Failure
7041,/Host/Application/Config,/Modify/Configuration,putsomethinghere,/Application/Zeus,/Informational/Error,/Failure

Regards.

0 Likes
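As an added example (not from this thread and not ArcSight's own code), a small Python checker that loads a categorization CSV in the layout shown above, flags the empty cells Niedziela points out, and then applies the flex regex and the category lookup to one of Max's sample log lines. The CSV text, the placeholder technique value and the function names are constructed for this example.

```python
import csv
import io
import re

# Constructed copy of the thread's categorization CSV: the 22122 row still has
# the empty categoryTechnique cell, the 22160 row has a placeholder filled in.
CATEGORIZER_CSV = """\
event.deviceSeverity,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
22122,/Host/Application/Config,/Authentication/Verify,,/Application/Zeus,/Informational/Warning,/Failure
22160,/Host/Application/Config,/Communicate/Query,/Technique/Placeholder,/Application/Zeus,/Informational/Error,/Failure
"""

# The regex from the properties file with the properties-file escaping undone
# (doubled backslashes collapsed, "\ " turned back into a plain space).
LINE_RE = re.compile(r"(\D+\S+\s+\d+ \d\d:\d\d:\d\d) (\d+.\d+) Std (\d+) (.*)")


def load_categorizer(text):
    """Parse the CSV; return (rows keyed by the first column, list of problems)."""
    reader = csv.DictReader(io.StringIO(text))
    key = reader.fieldnames[0]
    problems = []
    for col in reader.fieldnames[1:]:
        if not col.startswith("set.event."):
            problems.append(f"column {col!r} is not a set.event.* field")
    rows = {}
    for n, row in enumerate(reader, start=2):
        # An empty cell is exactly the condition the categorizer rejects.
        empty = [c for c, v in row.items() if v is None or v.strip() == ""]
        if empty:
            problems.append(f"line {n} (key {row[key]}): empty value in {empty}")
        rows[row[key]] = {c[len("set."):]: v for c, v in row.items() if c != key}
    return rows, problems


def categorize(log_line, rows):
    """Apply the flex regex, take the Std id as deviceSeverity, look up categories."""
    m = LINE_RE.match(log_line)
    if not m:
        return None
    event = {"deviceSeverity": m.group(3), "message": m.group(4)}
    event.update(rows.get(event["deviceSeverity"], {}))
    return event
```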
Absent Member.

Hi Niedziela,

Thank you so much for having spotted this - I missed that - I will double-check again and re-implement.

Cheers,

Regards,

Maxe

0 Likes