Absent Member.

HP Arcsight support for parser override - any luck?


Is it just me or is it now more difficult to get answers from HP Arcsight support?

I need instructions on how to override the WUC default parser to get the server hostname from event 4624 and 4625 from a different field.

The default Windows 2008 mapping for source hostname is "One of (Subject:Client Name, Network Information:Workstation Name, Source Workstation, Additional Information:Client Name)". For our events 4624 and 4625 it triggers on "Network Information:Workstation Name", and unfortunately it is sometimes wrong.

It's been a couple of years now that almost every time I submit a ticket at HP Arcsight, I end up having to upload or provide numerous pieces of information that are often irrelevant to the case submitted. To the point that I end up asking myself if it's done purposefully to stall for time or to push me to abandon the ticket.

It's been said often on this site, we are PAYING for this kind of support and it makes me sick.

In desperation, I'm attempting to open the obfuscated stock parser to try to find a way to change that mapping. I was able to open the AUP file and see every parser's subdirectories. I'm now trying to figure out a way to read the security.sdkkeyvaluefilereader.properties.arc...

9 Replies

Trusted Contributor.

Getting answers from Arcsight was never easy, but since ArcSight became an HP company, it is worse than ever. But it is not only HP, we have the same - or maybe worse - experience with IBM too.

Well, to your parser overriding ...
You can put your additional parser to the ... current\user\agent\fcp\additionalregexparsing\windowsfg directory.

The parser's file name must be: regex.0.dkfilereader.properties. If more parser files are used, increase the number. The files will be processed in the order of these numbers.

As first line in the properties file, put the "source.field=<event.name>".

And then you can analyze the source field as in a regex flex connector.

Absent Member.

Thank you.

I will look into that and get back here.

Absent Member.

Here is what I ended up doing and it seems to be working. I still need to make sure it applies only to events 4624 and 4625: In (..)\current\user\agent\fcp\windowsfg\windows_2008\security.sdkkeyvaluefilereader.properties I put:

conditionalmap.count=1
conditionalmap[0].mappings.count=2
conditionalmap[0].override=true
conditionalmap[0].mappings[0].values=4624
conditionalmap[0].mappings[0].event.deviceNtDomain=Subject:Account Domain
conditionalmap[0].mappings[0].event.sourceHostName=Network Information:Source Network Address
conditionalmap[0].mappings[0].event.destinationProcessName=Process Information:Process Name
conditionalmap[0].mappings[0].event.destinationUserName=New Logon:Account Name
conditionalmap[0].mappings[0].event.destinationNtDomain=New Logon:Account Domain
conditionalmap[0].mappings[0].event.destinationUserId=New Logon:Logon ID
conditionalmap[0].mappings[0].event.deviceCustomString3=Process Information:Process ID
conditionalmap[0].mappings[0].event.deviceProcessName=Detailed Authentication Information:Logon Process
conditionalmap[0].mappings[0].event.deviceCustomString6=New Logon:Logon GUID
conditionalmap[0].mappings[1].values=4625
conditionalmap[0].mappings[1].event.deviceNtDomain=Subject:Account Domain
conditionalmap[0].mappings[1].event.sourceHostName=Network Information:Source Network Address
conditionalmap[0].mappings[1].event.destinationProcessName=Process Information:Caller Process Name
conditionalmap[0].mappings[1].event.destinationUserName=Account For Which Logon Failed:Account Name
conditionalmap[0].mappings[1].event.destinationNtDomain=Account For Which Logon Failed:Account Domain
conditionalmap[0].mappings[1].event.destinationUserId=Account For Which Logon Failed:Security ID
conditionalmap[0].mappings[1].event.deviceCustomString3=Process Information:Caller Process ID
conditionalmap[0].mappings[1].event.deviceProcessName=Detailed Authentication Information:Logon Process
conditionalmap[0].mappings[1].event.deviceCustomString6=Failure Information:Failure Reason

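To see how the "Section:Key" names used in the mapping lines above resolve against a real 4624 message body, here is a small simulation (example code added for this thread, not ArcSight's own parser; the 4624 text and the override subset are constructed). It flattens the message into "Section:Key" fields, reads the conditionalmap lines for a given event ID, and shows that a blank "-" Workstation Name yields nothing while Source Network Address still resolves.

```python
import re

# Constructed 4624 message body in the layout Windows renders (section header,
# then tab-indented "Key:<tab>Value" lines). Workstation Name is "-" on purpose.
SAMPLE_4624 = """An account was successfully logged on.

Subject:
\tAccount Name:\t\tSRV01$
\tAccount Domain:\t\tCORP

New Logon:
\tAccount Name:\t\tjdoe
\tLogon ID:\t\t0x1234abcd

Network Information:
\tWorkstation Name:\t-
\tSource Network Address:\t10.1.2.3
"""

# Subset of the override lines from the post, in ArcSight properties syntax.
OVERRIDE_PROPS = """conditionalmap[0].mappings[0].values=4624
conditionalmap[0].mappings[0].event.sourceHostName=Network Information:Source Network Address
conditionalmap[0].mappings[0].event.destinationUserName=New Logon:Account Name
"""

def parse_message(text):
    """Flatten the message into {'Section:Key': value}, e.g. 'New Logon:Account Name'."""
    fields, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t") and line.endswith(":"):
            section = line[:-1]          # section header such as "Network Information"
            continue
        m = re.match(r"\t([^:]+):\s*(.*)$", line)
        if m and section:
            fields[f"{section}:{m.group(1).strip()}"] = m.group(2).strip()
    return fields

def parse_overrides(props):
    """Return {event_id: {event_field: 'Section:Key'}} from conditionalmap lines."""
    by_index, ids = {}, {}
    for line in props.splitlines():
        m = re.match(r"conditionalmap\[\d+\]\.mappings\[(\d+)\]\.(values|event\.(\w+))=(.*)$", line)
        if not m:
            continue
        idx, kind, field, value = m.groups()
        if kind == "values":
            ids[idx] = value.strip()
        else:
            by_index.setdefault(idx, {})[field] = value.strip()
    return {ids[i]: by_index.get(i, {}) for i in ids}

def map_event(event_id, message, props):
    """Apply the mapping for event_id; a missing or '-' source value maps to None."""
    fields = parse_message(message)
    mapped = parse_overrides(props).get(str(event_id), {})
    return {dest: (None if fields.get(src) in (None, "-") else fields[src])
            for dest, src in mapped.items()}
```

Pointing sourceHostName at "Network Information:Workstation Name" instead would return None for this message, which is the gap the original question describes.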
Absent Member.

Well.

It turns out that the above did not apply only to event 4626 and 4625. It ended up screwing up other mappings.

I managed to find the correct mapping number for this WUC version on windows 2008 events:

#for 4624
conditionalmap[0].mappings[10].event.sourceHostName=Network Information:Source Network Address
#for 4625
conditionalmap[0].mappings[11].event.sourceHostName=Network Information:Source Network Address

Respected Contributor.

Hello Elgee,

How did you find out to take the mappings 10 and 11?

Regards,

Richard

Absent Member.

Extrapolation from other posts, plus trial and error.

Honored Contributor.

Howdy all, I'm brand new to Arcsight. Support wanted me to edit our CheckPoint parser, they gave me the line to change, but no info about how to do it (con app). Do they happen to document editing parsers anywhere? I went through the different admin guides and all it said was to use ArcExchange to download parser overrides... when I did a search on the conapp there are only 2 parser overrides in the entire database... so I'm guessing this arcexchange parser override thing is not really being used anymore?

Acclaimed Contributor.

Dustin, I'd recommend creating a new question discussion, and including the specific line that they want you to change. Someone will be able to guide you through the steps to get it loaded on your system.

Honored Contributor.

Thanks Richard, fortunately since Jan 14th I've become all too familiar with parser overrides ;-D
