
How to capture a part of string within an ESM field?


Dear experts,

I hope you are doing great.

 

I am having the following issue that needs your help/advice. We are receiving Arbor events on ESM. The architecture is the following: Arbor > UDP/514 > ConApp Connector > Logger > ESM.

On logger and ESM, we capture the following string as Device Event Class ID:

Blocked host XX.XX.XX.XX at 19:37 by Invalid Packets using TCP/5555 (PERSONAL-AGENT) destination YY.YY.YY.YY source port 23872

Based on the above string, I would like to capture the following information:

Source Address: XX.XX.XX.XX

Destination Address: YY.YY.YY.YY

Device Custom String 1: Invalid Packets

Device Custom String 2: TCP/5555 (PERSONAL-AGENT)

Destination Port: 5555

Source Port: 23872

 

Because we are using this connector along with other source products such as F5, Oracle, etc., using a Flex Parser is not quite preferable.

Can anyone advise how we can achieve this on ESM?

 

Regards,

Michael

8 Replies
Acclaimed Contributor.

Hey @michael_hoang

So if I understand this correctly, the whole event is parsed into Device Event Class ID? Then the parsing is quite wrong already.

When new log sources come in, they are matched against a specific parser, and it is possible to extend only that parser using Flex, so it does not affect other sources.

If you tail your agent.log and restart your connector, you should see something like this. Which parser is set for your device?

][default.com.arcsight.agent.dp.i][add] Added new SubAgent. Subagents for device IP XYZ

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
Respected Contributor.

Dear Marius,

Thank you for your response.

 

I have checked, and it is using the Peakflow X syslog parser.

Arbor is sending a lot of useful information but ArcSight wraps them all to a single event field. Because of that reason, I am trying to split them out and capture the useful information for further monitoring.

 

Regards,

Michael

Acclaimed Contributor.

So is no other field filled in, or are many fields filled in but Device Event ID has more information?

Do you have something in between that might mess with the syslog format? Like a central syslog server that forwards your events?

The information is not supposed to be added to that field, which is why I am asking. If we manage to solve the issue, then we do not need to do things like Flex parsing and so on 🙂

Also, which parser and framework version are you running on the connector?

//Marius
Respected Contributor.

Hi Marius,

 

The Device Event Class ID has much more information than the other fields. We still see information in some fields, but most of the information is being wrapped into a single field.

The Event is being forwarded directly from SmartConnector for Syslog Daemon to Logger.

 

Regards,

Anh

Super Contributor.

Hi Anh,

I agree with Marius. You need to fix the connector; this is not a job for ESM.

What are deviceVendor and deviceProduct in your events?

Your last sentence isn't quite clear. Does Arbor send logs directly to the connector, or is there anything else?

Regards,

Heiko

Respected Contributor.

Dear Heiko,

Thank you for your reply.

 

Yes, I know this is a SmartConnector issue. However, it is complex to fix this issue on the SmartConnector side.

The architecture is like this:

Arbor > SmartConnector for Syslog Daemon installed on Windows Server > Connector on ConApp > Logger > ESM.

 

From the Arbor event, the device vendor and device product are correct (Arbor and Peakflow X).

Is there any way that we can override the default parser for certain events (for example: if the event name is Blocked Host, then use the Flex one; otherwise use the default one)?

 

Regards,

Anh

Acclaimed Contributor. (Accepted solution)

You can override the parser file.

Regards

Gayan

Mr

Respected Contributor.

Just for anyone who may have the same concern: we have redirected the events which need to be re-parsed to another SmartConnector and developed a Flex connector for it.

Thank you all for the suggestions. Really appreciate it 🙂

 

Regards,

Michael

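As an added worked example that is not part of the original thread (mine, not Micro Focus or Arbor code): the question lists the fields that should come out of the "Blocked host" message, and the last reply says the events were handed to a separate connector with a Flex parser. Before writing that parser, the regex is worth prototyping against the message format quoted in the question. The Python below parses a "Blocked host" line into the ESM fields the question asks for, validates the address and port tokens so a garbled token cannot land in a typed field, and returns None for any other message so the caller can leave those to the default parser. The sample lines are constructed, with the masked addresses replaced by documentation addresses; the `transportProtocol` mapping is an extra not requested in the question.

```python
import ipaddress
import re

# Regex for the Arbor Peakflow X "Blocked host" message quoted in the thread.
# Group names correspond to the ArcSight event fields the question asks for.
# The "(PERSONAL-AGENT)" part is optional so a service without a label still matches.
BLOCKED_HOST_RE = re.compile(
    r"^Blocked host (?P<src>\S+) at (?P<time>\d{1,2}:\d{2}) by (?P<reason>.+?) "
    r"using (?P<service>(?P<proto>[A-Za-z]+)/(?P<dport>\d{1,5})(?: \([^)]*\))?) "
    r"destination (?P<dst>\S+) source port (?P<sport>\d{1,5})$"
)

# Constructed sample lines (not captured from a real device). The first mirrors
# the message in the question; the others exercise variants a real feed may
# contain, plus one unrelated message that must fall through to the default parser.
SAMPLE_LINES = [
    "Blocked host 192.0.2.10 at 19:37 by Invalid Packets using TCP/5555 (PERSONAL-AGENT) "
    "destination 198.51.100.7 source port 23872",
    "Blocked host 192.0.2.11 at 03:05 by UDP Flood using UDP/53 (DNS) "
    "destination 198.51.100.8 source port 41000",
    "Blocked host 2001:db8::1 at 12:00 by ICMP Flood using ICMP/0 "
    "destination 198.51.100.9 source port 0",
    "Host 192.0.2.12 unblocked at 19:40",
]


def parse_blocked_host(message):
    """Map one 'Blocked host' message onto the ESM fields listed in the question.

    Returns None when the message is not a 'Blocked host' event or when an
    address/port token fails validation, so the caller can fall back to the
    default parser instead of filling a typed field with a bad value.
    """
    m = BLOCKED_HOST_RE.match(message)
    if m is None:
        return None
    # Validate the address tokens; ipaddress accepts both IPv4 and IPv6.
    try:
        src = str(ipaddress.ip_address(m["src"]))
        dst = str(ipaddress.ip_address(m["dst"]))
    except ValueError:
        return None
    dport, sport = int(m["dport"]), int(m["sport"])
    if not (0 <= dport <= 65535 and 0 <= sport <= 65535):
        return None
    return {
        "name": "Blocked host",
        "sourceAddress": src,
        "destinationAddress": dst,
        "deviceCustomString1": m["reason"],
        "deviceCustomString2": m["service"],
        "transportProtocol": m["proto"].upper(),  # extra field, not in the question
        "destinationPort": dport,
        "sourcePort": sport,
    }


def parse_feed(lines):
    """Parse a batch of messages; unmatched lines are returned separately."""
    parsed, unmatched = [], []
    for line in lines:
        event = parse_blocked_host(line)
        if event is None:
            unmatched.append(line)
        else:
            parsed.append(event)
    return parsed, unmatched


if __name__ == "__main__":
    events, rest = parse_feed(SAMPLE_LINES)
    for event in events:
        print(event)
    print("unmatched:", rest)
```

Once the pattern behaves on real samples, the same regex (with backslashes doubled, since a Java properties file treats a single backslash as an escape) becomes the `regex=` line of a Flex regex parser properties file, each group becomes a numbered token with the matching `token[n].type`, and each token is mapped to its `event.*` field; the fall-through for non-matching messages is then the default Peakflow X parser rather than the None return used here.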