Import of Windows Event Logs (evtx) and Oracle DB Audit Logs
Due to special circumstances, we would like to check whether it is possible to import the following into ArcSight:
- Windows Event Logs (evtx)
- Oracle DB Audit Logs
We have backups of both logs and need a way to import them into ArcSight.
Any help would be valuable.
There are specific SmartConnectors you can use to import those events. Here is the connector documentation. Just look for the Oracle Audit Log and Windows Event Log connectors. Please let me know whether or not this is what you're looking for.
For Oracle DB audit logs, check the documentation; it is usually a file, and that is fine to process.
For Windows EVTX files, this is a little more complicated.
You have a couple of options: import the events into a Windows system and then read the logs in from there, or export the logs to a text file and then process them from that. Actually, the second option is the easier one and I would recommend it. There are a couple of ways to do this:
Use the Microsoft tool to parse the data out into a CSV file.
Once you have the CSV file, you will need to use a FlexConnector to read the data in, but it should be pretty straightforward. There is no standard connector for this, as the process of exporting and extracting is unique most of the time and hence we can't create a standard parser for it. But a parser for the CSV data should be pretty straightforward to write.
Alternatively, you can use Snare to read the EVT / EVTX files.
Download it, get it to process the file, and it will generate syslog messages that you can direct to a syslog SmartConnector. Pretty simple and straightforward. The great thing is that we know what Snare is and will process the messages, but expect about a 90% hit rate: Snare isn't perfect and it can get the processing wrong occasionally, and this will mess things up a little. But it's easy.
Finally, you can try importing the EVT files into a system; instructions attached. This is old, complex and a little hard, so don't trust the documentation, and note that this is unsupported.
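As an added example (not code from this thread, from ArcSight or from Snare), the CSV-export route above carried through: the script below takes the CSV that PowerShell writes with `Get-WinEvent -Path .\Security.evtx | Export-Csv -NoTypeInformation events.csv`, turns each row into a CEF message wrapped in an RFC 3164 syslog header, and can send the result over UDP to a syslog SmartConnector, which avoids writing a FlexConnector parser. The column names are the ones Export-Csv produces for Get-WinEvent objects; the en-US date format, the CEF vendor/product/version strings, the use of cs1 for the provider name and the level-to-severity mapping are assumptions made here, and the sample rows are constructed, not real events.

```python
import csv
import io
import socket
from datetime import datetime

# Constructed sample input, not real data: the shape of what
#   Get-WinEvent -Path .\Security.evtx | Export-Csv -NoTypeInformation events.csv
# writes on an en-US system (date format assumed). Only a few columns are kept.
SAMPLE_CSV = (
    '"TimeCreated","Id","LevelDisplayName","ProviderName","MachineName","Message"\n'
    '"1/15/2024 10:23:45 AM","4624","Information","Microsoft-Windows-Security-Auditing",'
    '"DC01.corp.local","An account was successfully logged on.\n\nSubject:\n'
    '    Security ID:  S-1-5-18\n    Logon Type:   3"\n'
    '"1/15/2024 10:24:02 AM","4625","Information","Microsoft-Windows-Security-Auditing",'
    '"DC01.corp.local","An account failed to log on."\n'
    '"1/15/2024 10:25:17 AM","1102","Warning","Microsoft-Windows-Eventlog",'
    '"DC01.corp.local","The audit log was cleared. Note=pipe|test"\n'
)

# Windows level name -> CEF severity (0-10). Chosen here; not an ArcSight default.
SEVERITY = {"Critical": 10, "Error": 8, "Warning": 6, "Information": 3, "Verbose": 1}


def _esc_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    """CEF extension values: backslash and '=' escaped, newlines written as a literal \\n."""
    value = value.replace("\\", "\\\\").replace("=", "\\=")
    return value.replace("\r", "").replace("\n", "\\n")


def parse_time(text: str) -> datetime:
    """Export-Csv writes local time with no zone, in the exporting host's culture (en-US assumed)."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def row_to_cef(row: dict) -> str:
    """One exported row -> one CEF line. Event name = first line of Message."""
    ts = parse_time(row["TimeCreated"])
    message = row.get("Message") or ""
    lines = message.strip().splitlines()
    name = lines[0].strip() if lines else f"Event ID {row['Id']}"
    severity = SEVERITY.get(row.get("LevelDisplayName", ""), 3)
    header = "|".join([
        "CEF:0", "Microsoft", "Windows", "0",          # vendor/product/version chosen here
        _esc_header(row["Id"]), _esc_header(name), str(severity),
    ])
    extension = " ".join([
        f"rt={ts:%b %d %Y %H:%M:%S}",                  # CEF "MMM dd yyyy HH:mm:ss" timestamp form
        f"dvchost={_esc_ext(row['MachineName'])}",
        f"cs1Label=ProviderName cs1={_esc_ext(row['ProviderName'])}",
        f"msg={_esc_ext(message)}",
    ])
    return header + "|" + extension


def row_to_syslog(row: dict, pri: int = 14) -> str:
    """Wrap the CEF line in an RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST (day is space-padded)."""
    ts = parse_time(row["TimeCreated"])
    return f"<{pri}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {row['MachineName']} {row_to_cef(row)}"


def convert_csv(text: str, syslog: bool = False) -> list:
    """Convert CSV text (multi-line quoted Message fields included) to CEF or syslog lines."""
    reader = csv.DictReader(io.StringIO(text))
    return [row_to_syslog(r) if syslog else row_to_cef(r) for r in reader]


def convert_file(path: str, syslog: bool = False) -> list:
    # Windows PowerShell's Export-Csv writes a UTF-8 BOM and CRLF; utf-8-sig and newline="" handle both.
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return convert_csv(fh.read(), syslog)


def send_udp(lines, host: str = "127.0.0.1", port: int = 514) -> int:
    """Send each line as one UDP datagram, e.g. to a syslog SmartConnector. Returns the count sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
    finally:
        sock.close()
    return len(lines)


if __name__ == "__main__":
    for line in convert_csv(SAMPLE_CSV, syslog=True):
        print(line)
```

Two caveats worth checking before bulk import. Get-WinEvent fills Message by resolving the provider's message resources on the host doing the export, so export on a machine with the same roles and providers installed as the original, otherwise Message is empty and the event name above degrades to the event ID. Export-Csv also writes TimeCreated as local time with no offset, so the connector will interpret rt in its own time zone; if the exporting host and the connector sit in different zones, export the timestamp in UTC and adjust parse_time accordingly.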
Hi Gayan / Erdy,
We already have SmartConnectors set up for Oracle DB and Windows event logs.
But we would like to import the logs that were collected before those were set up into ArcSight.
Thanks for the suggestion.
Have had a look at the FlexConnector documentation; it might just be the one we need.
Currently exploring with the mapping.