Import of Windows Event Logs (evtx) and Oracle DB Audit Logs

Hi All,

Due to special circumstances, I would like to check whether it is possible to import the following into ArcSight:

  • Windows Event Logs (evtx)
  • Oracle DB Audit Logs

We have backups of both logs and require a way to import them into ArcSight.

Any help would be valuable.

Thanks.

Fleet Admiral

I think you can install 2 connectors: 1 for Windows logs and another one for Oracle DB. Then you can import your logs to the connectors.

Cheers

Gayan

Absent Member.

Hello Keng,

There are specific SmartConnectors you can use to import those events. Here is the connector documentation. Just look for the Oracle Audit Log and Windows Event Log connectors. Please let me know whether or not this is what you're looking for.

Warm regards,

Erdy Suarez

Absent Member.

Oooops, here is the link:

Fleet Admiral

For Oracle DB Audit logs - check the documentation - it's usually a file and this is OK to process.

For Windows EVTX files, this is a little more complicated.

You have a couple of options - import the events into a Windows system and then read the logs in from there, or export the logs to a text file and then process them from there. Actually, the second option is the easier one and I would recommend it. There are a couple of ways to do this:

Use the Microsoft tool to parse the data out into a CSV file:

Download Log Parser 2.2 from Official Microsoft Download Center

Once you have the CSV file, you will need to use a FlexConnector to read the data in, but it should be pretty straightforward. There is no standard Connector for this as the process of exporting and extracting is unique most of the time and hence we can't create a standard parser for it. But the CSV data should be pretty straightforward to write.

Alternatively, you can use Snare to read the EVT / EVTX files.

Snare by Intersect Alliance - Snare Epilog for Windows

Download it, get it to process the file and it will generate syslog messages that you can direct to a syslog SmartConnector. Pretty simple and straightforward. The great thing is that we know what Snare is and will process the messages, but expect a 90% hit rate though; Snare isn't perfect and it can get the processing wrong occasionally, and this will mess things up a little. But it's easy.

Finally, you can try importing the EVT files into a system - instructions attached. This is old, complex and a little hard. So don't trust the documentation, and note that this is unsupported.

Lieutenant Commander
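As an added example, not from this thread, Microsoft or Micro Focus: the "export to CSV, then FlexConnector" route described above, done with the built-in Get-WinEvent cmdlet instead of Log Parser. The column names and order are my assumption; the delimited-file FlexConnector properties you write must use the same token layout.

```powershell
# Added example (not from the thread): flatten archived .evtx files into one
# CSV with a fixed column layout for a delimited-file FlexConnector.
# Column names/order are an assumption; keep them in sync with the
# token[n].name entries of your FlexConnector properties file.
param(
    [Parameter(Mandatory = $true)][string]$EvtxPath,   # a .evtx file or a folder of them
    [Parameter(Mandatory = $true)][string]$OutCsv
)

$files = Get-ChildItem -Path $EvtxPath -Filter *.evtx -File -Recurse

# One row per event. Timestamps are normalised to UTC so the connector does
# not have to guess the time zone of the host the backup was taken from.
$rows = foreach ($f in $files) {
    try {
        Get-WinEvent -Path $f.FullName -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                TimeCreatedUtc = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
                Computer       = $_.MachineName
                Channel        = $_.LogName
                Provider       = $_.ProviderName
                EventId        = $_.Id
                Level          = $_.LevelDisplayName
                RecordId       = $_.RecordId
                UserSid        = if ($_.UserId) { $_.UserId.Value } else { '' }
                # Message is rendered from the provider's DLLs on the exporting
                # host; it can be empty for providers not installed here. The
                # whitespace collapse keeps each event on a single CSV line.
                Message        = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
    } catch {
        # A corrupt or locked file should not abort the whole export.
        Write-Warning "Skipping $($f.FullName): $($_.Exception.Message)"
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
Write-Host ("Exported {0} events from {1} file(s) to {2}" -f @($rows).Count, $files.Count, $OutCsv)
```

Run it on the machine that holds the backups (for example `.\Export-Evtx.ps1 -EvtxPath D:\backup\logs -OutCsv D:\export\events.csv`) and point the FlexConnector at the output folder; the RecordId column lets you spot gaps or duplicates after import.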

Hi Gayan / Erdy,

We already have SmartConnectors set up for Oracle DB & Windows event logs.

But we would like to import logs collected into ArcSight before it was setup.

Hi Paul,

Thanks for the suggestion.

Have had a look at the FlexConnector documentation; it might just be the one we need.

Currently exploring the mapping.
