How can I enable IPv6 support in ArcSight ESM?
I am receiving all normalized logs as 1.0 CEF version from all Syslog Daemon SmartConnectors in Logger.
Then all events are forwarded from Logger to the ESM destination. Also in the Logger, I can search all logs and indexed fields without any problem. But all logs forwarded from Logger to ESM with an IPv6 field value don't show in ArcSight Console. I think the main reason for this problem is that IPv6 support is disabled in ArcSight ESM. Is there any official solution for enabling IPv6 support in ArcSight ESM?
Logger version: 6.7
ESM Version: 7 SP1
By default, ArcSight connectors should be able to capture and parse the IPv6 addresses as well. In your case, the issue could be because of using logger forwarder.
Can you try sending the events directly to ESM from the connector and see if the events with IPv6 addresses get captured in ESM?
Ajith K S
Thanks, @Ajith K S
Unfortunately, it is not possible to send directly from the Connector to ESM.
I have about ~50 Smart Connectors and the license type of ESM does not support this number of Connectors.
I have no alternative choice for collecting logs, except forwarding all logs from Logger to ESM.
I understand the situation. But for figuring out if the issue is with logger forwarder or not, try configuring ESM destination for one connector for which you expect IPv6 information.
Ajith K S
Are you sure about this? Because according to what I know, the ESM license is not based on agent number but on EPS or data ingest, devices and number of console users (+ Actors).
We have more than 100 SmartConnectors and we do not have a license for those connectors.
You can check this in ESM into the License History AL.
To reply to your first question, ESM supports IPv6 from v6.11.
Currently, IPv6 addresses are only parsed into specific deviceCustomString fields, but with ESM v6.11 and later, they have built new IPv6 fields like sourceAddressIPv6.
To do that they had to rebuild the DB Event Schema, which is why it is only available after ESM v6.11.
If you have any question, do not hesitate to contact me.
As I said before, I set the Syslog daemon connector as 1.0 CEF type support.
Do I need to make or change specific configuration for ArcSight ESM to be able to display IPv6 fields like sourceAddressIPv6 in Console?
I am not sure I understand you.
In ArcSight Console, you just have to choose the proper fieldsets to show all the fields you want.
But as I told you, to see the sourceAddress (IPv6) fields you need to upgrade ESM to v6.11.
If you do not upgrade, this info can be available ONLY in the Device Custom IPv6 Address fields as an IP or in the deviceCustomString fields as a string, but this depends on your parser.
Could you please send me a rawEvent where there is an IPv6 value and what do you see in the above field? (if it is populated or not) because normally default connector should already parse this type of data.
It will be easier for me with a practical example you have met.
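A small helper for the check requested above, added here as an example and not part of the thread or any ArcSight tool: it parses a CEF line and reports which extension keys carry IPv6 values, so you can see whether the address landed in a dedicated Device Custom IPv6 Address key (c6a1..c6a4 in the CEF extension) or only in a string field such as cs1. The sample event is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample event (not taken from the thread): one IPv6 value in the
# dedicated c6a1 (deviceCustomIPv6Address1) key and one only in cs1 (a string).
SAMPLE = ("CEF:0|Vendor|Product|1.0|100|Login ok|3|"
          "src=10.0.0.5 c6a1=2001:db8::1 c6a1Label=Source IPv6 "
          "cs1=fe80::1 cs1Label=Client IPv6 msg=escaped pipe \\| here")

HEADER_KEYS = ["version", "vendor", "product", "device_version",
               "signature_id", "name", "severity"]
# CEF keys for deviceCustomIPv6Address1..4 (assumption: per the CEF spec).
DEDICATED_IPV6_KEYS = {"c6a1", "c6a2", "c6a3", "c6a4"}


def unescape(value):
    # CEF escapes '|' in the header and '=' / '\' in the extension with a backslash.
    return re.sub(r"\\([\\=|])", r"\1", value)


def parse_cef(line):
    """Split a CEF line into (header dict, extension dict), honouring escapes."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_KEYS, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    ext = {}
    # Values may contain spaces; a new pair starts only at whitespace followed by key=.
    for token in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, val = re.split(r"(?<!\\)=", token, maxsplit=1)
        ext[key] = unescape(val)
    return header, ext


def ipv6_fields(ext):
    """Return {key: address} for every extension value that is a valid IPv6 address."""
    found = {}
    for key, val in ext.items():
        try:
            addr = ipaddress.ip_address(val)
        except ValueError:
            continue
        if addr.version == 6:
            found[key] = str(addr)
    return found


def ipv6_placement(line):
    """Classify where each IPv6 value sits: a dedicated IPv6 key or some other field."""
    _, ext = parse_cef(line)
    return {k: ("deviceCustomIPv6Address" if k in DEDICATED_IPV6_KEYS else "other")
            for k in ipv6_fields(ext)}
```

Run it over a raw event pulled from Logger; a value reported under "other" is one the connector parsed only as a string, which matches the behaviour described above for ESM releases before v6.11.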