zargaran Honored Contributor.

How can I enable IPv6 support in ArcSight ESM?

Hi 

I am receiving all normalized logs as 1.0 CEF version from all Syslog Daemon Smart Connectors in Logger.

Then all events are forwarded from Logger to the ESM destination. Also, in the Logger I can search all logs and indexed fields without any problem. But the logs forwarded from Logger to ESM with an IPv6 field value don't show in ArcSight Console. I think the main reason for this problem is that IPv6 support is disabled in ArcSight ESM. Is there any official solution for enabling IPv6 support in ArcSight ESM?

Logger version: 6.7

ESM Version: 7 SP1

BR

Amir

Ajith K S Super Contributor.

Re: How can I enable IPv6 support in ArcSight ESM?

Hi @zargaran 

By default, ArcSight connectors should be able to capture and parse IPv6 addresses as well. In your case, the issue could be because of using the Logger forwarder.

Can you try sending the events directly to ESM from the connector and see if the events with IPv6 addresses get captured in ESM?


Regards

Ajith K S

zargaran Honored Contributor.

Re: How can I enable IPv6 support in ArcSight ESM?

Thanks, @Ajith K S 

Unfortunately, it is not possible to send directly from the Connector to ESM. 

I have about 50 Smart Connectors and the license type of ESM does not support this number of Connectors.

I have no alternative for collecting logs, except forwarding all logs from Logger to ESM.

BR

Amir

Ajith K S Super Contributor.

Re: How can I enable IPv6 support in ArcSight ESM?

Hi Amir,

I understand the situation. But to figure out whether the issue is with the Logger forwarder or not, try configuring an ESM destination for one connector for which you expect IPv6 information.

Regards

Ajith K S

mschleich Acclaimed Contributor.

Re: How can I enable IPv6 support in ArcSight ESM?

Hi Zargaran,

Are you sure about this? According to what I know, the ESM license is not based on the number of agents but on EPS or data ingest, devices and number of console users (+ Actors).

We have more than 100 SmartConnectors and we do not have a license for those connectors.
You can check this in ESM in the License History AL.

To reply to your first question, ESM supports IPv6 from v6.11.

Currently, IPv6 addresses are only parsed in specific deviceCustomString fields, but with ESM v6.11 and later, they have built new IPv6 fields like sourceAddressIPv6.

To do that they had to rebuild the DB Event Schema; this is why it is after ESM v6.11.

If you have any questions, do not hesitate to contact me.

Thanks
Regards

Michael

zargaran Honored Contributor.

Re: How can I enable IPv6 support in ArcSight ESM?

Dear Michael
As I said before, I set the Syslog daemon connector as 1.0 CEF type support.
Do I need to make or change a specific configuration for ArcSight ESM to be able to display IPv6 fields like sourceAddressIPv6 in the Console?

Regards,
Amir
mschleich Acclaimed Contributor.

Re: How can I enable IPv6 support in ArcSight ESM?

Hi Zargaran,

I am not sure I understand you.

In ArcSight Console, you just have to choose the proper fieldsets to show all the fields you want.

But as I told you, to see the sourceAddress (IPv6) fields you need to upgrade ESM to v6.11.

If you do not upgrade, this info can be available ONLY in Device Custom IPv6 Address fields as an IP or in deviceCustomString fields as a string, but this depends on your parser.

Could you please send me a rawEvent where there is an IPv6 value, and tell me what you see in the above field (whether it is populated or not)? Normally the default connector should already parse this type of data.

It will be easier for me with a practical example you have encountered.

Thanks
Regards

Michael
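
Added example (not part of the thread and not ArcSight code): a small Python check that can be run over a raw CEF event, such as the rawEvent requested above, to see which extension keys actually carry an IPv6 value. The sample event, its vendor and product names and the function names are constructed for illustration; `c6a2` and `cs1` are the CEF short keys for deviceCustomIPv6Address2 and deviceCustomString1.

```python
import ipaddress
import re

# A new extension key starts at whitespace (or start of string) and ends at "=".
# An escaped "\=" inside a value does not match because "\" is not a key character.
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.\[\]-]+)=')

# Constructed sample event (hypothetical device), with a syslog prefix before the CEF header.
SAMPLE = (
    "<134>Jan 10 10:00:00 fw01 CEF:1|ExampleVendor|ExampleFW|1.0|100|Connection allowed|3|"
    "src=10.0.0.5 c6a2=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "c6a2Label=Source IPv6 Address cs1=fe80::1 cs1Label=Next Hop msg=allowed tcp session"
)

def split_cef(line):
    """Return (header_fields, extension_dict) for one CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # The header has 7 pipe-delimited fields; "\|" is an escaped pipe.
    parts = re.split(r'(?<!\\)\|', line[start:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header, ext = parts[:7], parts[7]
    matches = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        # A value runs until the next key (values may contain spaces).
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace(r'\=', '=')
    return header, fields

def ipv6_fields(line):
    """Map each extension key whose whole value is an IPv6 address to its compressed form."""
    _, fields = split_cef(line)
    found = {}
    for key, value in fields.items():
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # not an IP address at all (labels, messages, ...)
        if addr.version == 6:
            found[key] = addr.compressed
    return found

if __name__ == "__main__":
    for key, addr in ipv6_fields(SAMPLE).items():
        print(f"{key}: {addr}")
```

Running it on the event as seen at the connector and again on the event as forwarded by Logger shows whether the IPv6 value sits in a typed IPv6 key or only in a string key at each hop.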
