ESM 5.0 added fields to Device Custom to accommodate IPv6 addresses, Device Custom IPv6 Address1-4. Not sure if any of the standard SmartConnectors are set up to use them, however.
Don't recall Logger having any fields to accommodate them yet.
Below are the new fields from the v5.0 reference guide:
| Group | Label | Script Alias | Data Type | Description |
|---|---|---|---|---|
| Device Custom | IPV6 Address1 Label | deviceCustomIPv6Address1 | String | First custom IPV6 address |
| Device Custom | IPV6 Address1 | deviceCustomIPv6Address1Label | IPV6 address | First custom IPV6 address label |
| Device Custom | IPV6 Address2 Label | deviceCustomIPv6Address2 | String | Second custom IPV6 address |
| Device Custom | IPV6 Address2 | deviceCustomIPv6Address2Label | IPV6 address | Second custom IPV6 address label |
| Device Custom | IPV6 Address3 Label | deviceCustomIPv6Address3 | String | Third custom IPV6 address |
| Device Custom | IPV6 Address3 | deviceCustomIPv6Address3Label | IPV6 address | Third custom IPV6 address label |
| Device Custom | IPV6 Address4 Label | deviceCustomIPv6Address4 | String | Fourth custom IPV6 address |
| Device Custom | IPV6 Address4 | deviceCustomIPv6Address4Label | IPV6 address | Fourth custom IPV6 address label |
I attempted to get IPv6 working via CEF today without any luck. (ESM 18.104.22.16842.2, Connector 22.214.171.12470.0)
I created a CEF file destination for a Windows Server 2008 box running IPv6, then read the file into ESM using a connector on another box. All address fields, including the customipv6 fields, were blank in ESM despite being able to see the IPv6 address in the raw event.
CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:5156|The Windows Filtering Platform has allowed a connection.|Low| eventId=119 externalId=5156 categorySignificance=/Informational categoryBehavior=/Communicate/Query categoryDeviceGroup=/Operating System categoryOutcome=/Success categoryObject=/Host/Application/Service art=1309276928705 cat=Security deviceSeverity=Audit_success rt=1309276926000 spt=546 dhost=WIN2008X64 cs2=12810 cs3=Microsoft-Windows-Security-Auditing cs1Label=Accesses cs2Label=EventlogCategory cs3Label=EventSource cs4Label=Reason or Error Code cs5Label=Authentication Package Name cs6Label=Object Name cn1Label=LogonType cn2Label=New Process ID ahost=WIN2008X64 av=126.96.36.19970.0 atz=America/New_York aid=G5H41jABABCAAZsjU2aqBQ\=\= at=nt_local dvchost=WIN2008X64 dtz=America/New_York _cefVer=0.1 ad.Application_,Information=Process ID\=956 ad.Destination_,Port=547 ad.Filter_,Information=Filter Run-Time ID\=65551 ad.Layer_,Name=%%14611 ad.Application_,Name=\\device\\harddiskvolume1\\windows\\system32\\svchost.exe ad.Network_,Information=Direction\=%%14593 ad.Layer_,Run-Time_,ID=50 ad.Protocol=17 ad.Source_,Address=fe80::510e:3eef:2bbe:7ab8 ad.Destination_,Address=ff02::1:2
So far, the only way I've been able to get an IPv6 address in ESM is to use the test alert connector and manually put the address in the Device Custom IPv6 Address field using the event crafting GUI.
I thought I'd share this too. This is what happens if you try to put an IPv6 address in the source address field.
[ERROR] Unable to pase [fe80::510e:3eef:2bbe:7ab8] as an ip address for field [Source Address]
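
An added example, not from the thread and not ArcSight code: a Python check that parses the extension of a CEF event like the one quoted above, finds the addresses that sit only in `ad.*` additional-data keys, and decides by address family whether each belongs in an IPv4 address field or in a Device Custom IPv6 Address field. The sample event is a shortened, constructed copy of the quoted one; `route_addresses` and the `unparsed` key are hypothetical names, and the output keys reuse the script aliases from the table above plus the CEF `src`/`dst` keys.

```python
import ipaddress
import re

# Constructed sample: a shortened copy of the raw event quoted in the thread.
SAMPLE = (
    "CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:5156|"
    "The Windows Filtering Platform has allowed a connection.|Low| "
    "externalId=5156 spt=546 dhost=WIN2008X64 cs4Label=Reason or Error Code "
    r"ad.Application_,Information=Process ID\=956 ad.Protocol=17 "
    "ad.Source_,Address=fe80::510e:3eef:2bbe:7ab8 ad.Destination_,Address=ff02::1:2"
)

# A key is a run of word characters, dots or commas followed by "=".
# An escaped "\=" inside a value never matches, because "\" is not a key character.
KEY = re.compile(r"(?:^|\s)([\w.,]+)=")

def parse_extension(cef):
    """Return the CEF extension (text after the 7th unescaped pipe) as a dict."""
    ext = re.split(r"(?<!\\)\|", cef, maxsplit=7)[7]
    matches = list(KEY.finditer(ext))
    fields = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        # Values may contain spaces; they run up to the next " key=".
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return fields

def route_addresses(fields, names=("ad.Source_,Address", "ad.Destination_,Address")):
    """IPv4 goes to src/dst; IPv6 goes to the next free custom IPv6 slot."""
    out, slot = {}, 1
    for name, v4key in zip(names, ("src", "dst")):
        raw = fields.get(name)
        if raw is None:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            out.setdefault("unparsed", []).append(raw)  # hypothetical key
            continue
        if addr.version == 4:
            out[v4key] = str(addr)
        elif slot <= 4:  # the table lists four custom IPv6 fields
            out[f"deviceCustomIPv6Address{slot}"] = addr.compressed
            out[f"deviceCustomIPv6Address{slot}Label"] = name
            slot += 1
    return out

if __name__ == "__main__":
    for key, value in route_addresses(parse_extension(SAMPLE)).items():
        print(f"{key}={value}")
```
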
Hey guys, any update on IPv6 support? I'm looking for more current info about IPv6 monitoring (on ESM 6.5), specifically on how I can manage assets/network zones and specify IPv6 conditions in rules, filters, queries, etc. Any more info/doc materials at all would be great, thanks!
Nope, HP does not have a network/asset/zone model for IPv6. There is no documentation on it as it does not exist. There are just a few things that HP says work in ESM v6.5, and they do not work. You should join the IPv6 Support group to see some of the posts there.