pratikp Absent Member.

Re: Issues with Velocity Template


Dear Michael,

My ArcSight system is behaving weirdly.

I performed the suggested test. It started working, then I removed the name field in actions and changed the flexString 1 name from TEST to Notify.

It again stopped working.

Now I have changed the name to "NOTIFY" instead of "Notify" to test something.

Let's see. I will update you on the status.

Thanks & Regards,

Pratik

enrico.proietti Trusted Contributor.

Re: Issues with Velocity Template


Hi Pratik,

I am not sure if this is the problem, but in your Email.vm file, in the last comment you need to insert a space character after the "##" in the "##parse ("Informative.vm")" line.

As Michael suggested, check the "IandM/IandM_rule.vm" directory and file permissions (-rwxrwxr-x. 1 arcsight arcsight).

You can also check the Velocity log "/opt/arcsight/manager/logs/default/velocity.log" for any errors.

Regards,

Enrico

pratikp Absent Member.

Re: Issues with Velocity Template


Dear Enrico,

I doubt the issue is with the space, because it's not parsing Informative.vm, which I wanted.

I found the issue is with the IandM_rule.vm template which is being used, because when I used the template below shared by Mr. Balahasan, it's working fine, but when I modify it to add more fields it stops working.

Template shared by Balahasan:

## This is a velocity macro file...
## The following fields are defined in the velocity macro.
## event == the event which needs to be sent.
## WEBROOT == root of the myarcsight
## EVENT_URL == root of the event alert.
## NOTIFICATION_URL = root of the notification.

Event Name:             $introspector.getDisplayValue($event,"name")
Event Start Time:       $introspector.getDisplayValue($event,"startTime")
Attacker Host Name: $introspector.getDisplayValue($event,"attackerHostName")
Target Host Name: $introspector.getDisplayValue($event,"targetHostName")
Target User Name: $introspector.getDisplayValue($event,"targetUserName")
Device Vendor:          $introspector.getDisplayValue($event,"deviceVendor")
Device Product:         $introspector.getDisplayValue($event,"deviceProduct")
String4.Reason or Error Code: $introspector.getDisplayValue($event,"deviceCustomString4")

--------------------------------------------------------------------
How to Respond
--------------------------------------------------------------------
This message can be acknowledged in any of the following ways:
1) Reply to this email. Make sure that the notification ID listed
      in this message is present in your reply)
2) Login to the ArcSight Console and click on the notification button
      on the status bar
3) Login to myArcSight and go to the My Notifications Acknowledgment page at
${NOTIFICATION_URL}

To view the full alert please go to:
${EVENT_URL}


Template which I want to use:

## This is a velocity macro file...
## The following fields are defined in the velocity macro.
## event == the event which needs to be sent.
## WEBROOT == root of the myarcsight
## EVENT_URL == root of the event alert.
## NOTIFICATION_URL = root of the notification.

Threat Details
Event: $introspector.getDisplayValue($event,"name")
Event Time: $introspector.getDisplayValue($event,"endTime")
Description: $introspector.getDisplayValue($event,"message")
Severity: $introspector.getDisplayValue($event,"severity")

-----------------------------------------------------------------
Device Details
Device IP: $introspector.getDisplayValue($event,"deviceIPAddress")
Device Vendor: $introspector.getDisplayValue($event,"deviceVendor")
Device Product: $introspector.getDisplayValue($event,"deviceProduct")

------------------------------------------------------------------
Source Details
Source Address: $introspector.getDisplayValue($event,"attackerAddress")
Source Host Name: $introspector.getDisplayValue($event,"attackerHostName")
Source Port: $introspector.getDisplayValue($event,"sourcePort")
Source User Name: $introspector.getDisplayValue($event,"sourceUserName")


------------------------------------------------------------------
Target Details
Target Address: $introspector.getDisplayValue($event,"targetAddress")
Target Host Name: $introspector.getDisplayValue($event,"targetHostName")
Target Port: $introspector.getDisplayValue($event,"targetPort")
Target User Name: $introspector.getDisplayValue($event,"targetUserName")


------------------------------------------------------------------
Category Details
Category Behavior: $introspector.getDisplayValue($event,"categoryBehavior")
Category Device Group: $introspector.getDisplayValue($event,"categoryDeviceGroup")
Category Object: $introspector.getDisplayValue($event,"categoryObject")
Category Outcome: $introspector.getDisplayValue($event,"categoryOutcome")
Category Significance: $introspector.getDisplayValue($event,"categorySignificance")
Category Technique: $introspector.getDisplayValue($event,"categoryTechnique")

------------------------------------------------------------------
Extra Information (where applicable)
Bytes Out: $introspector.getDisplayValue($event,"bytesOut")
Database Name: $introspector.getDisplayValue($event,"deviceExternalID")
Table Name: $introspector.getDisplayValue($event,"fileName")
Transport Protocol: $introspector.getDisplayValue($event,"transportProtocol")
Base Event Count: $introspector.getDisplayValue($event,"baseEventCount")

--------------------------------------------------------------------
How to Respond
--------------------------------------------------------------------
This message can be acknowledged in any of the following ways:
1) Reply to this email. Make sure that the notification ID listed
      in this message is present in your reply)
2) Login to the ArcSight Console and click on the notification button
      on the status bar
3) Login to myArcSight and go to the My Notifications Acknowledgment page at
${NOTIFICATION_URL}

To view the full alert please go to:
${EVENT_URL}

Also I found errors in the Velocity.log file as below:

Mon May 25 16:48:18 EAT 2015  [error] ResourceManager : unable to find resource 'VM_global_library.vm' in any resource loader.
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : error using  VM library template VM_global_library.vm : org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource 'VM_global_library.vm'
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro :  VM library template macro registration complete.
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : allowInline = true : VMs can be defined inline in templates
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : allowInlineToOverride = false : VMs defined inline may NOT replace previous VM definitions
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : allowInlineLocal = false : VMs defined inline will be  global in scope if allowed.
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : messages on  : VM system will output logging messages
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : autoload off  : VM system will not automatically reload global library macros
Mon May 25 16:48:18 EAT 2015   [info] Velocimacro : initialization complete.
Mon May 25 16:48:18 EAT 2015   [info] Velocity successfully started.
Mon May 25 16:48:18 EAT 2015   [info] ResourceManager : found Email.vm with loader org.apache.velocity.runtime.resource.loader.FileResourceLoader
Mon May 25 16:48:18 EAT 2015   [info] ResourceManager : found IandM/IandM_rule.vm with loader org.apache.velocity.runtime.resource.loader.FileResourceLoader
Mon May 25 16:48:18 EAT 2015  [error] Method getDisplayValue threw exception for reference $introspector in template IandM/IandM_rule.vm at  [13,12]

Can you help me in understanding this?

Regards,

Pratik

enrico.proietti Trusted Contributor.

Re: Issues with Velocity Template


Hi Pratik,

I think the error is in the "Device IP: $introspector.getDisplayValue($event,"deviceIPAddress")" line; the field name you need is "deviceAddress", not "deviceIPAddress".

Regards,

Enrico

mschleich Acclaimed Contributor.
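One way to catch this kind of field-name typo before a template is deployed, as an added example that is not code from the thread or from ArcSight: a small Python check that scans a .vm template for $introspector.getDisplayValue($event,"...") calls and reports any field name it does not recognise, at the same 1-based [line,column] position Velocity prints in velocity.log. The known-field list is assumed from the names used in this thread plus "deviceAddress"; it is not the full ArcSight event schema.

```python
import re

# Event field names assumed valid: collected from the templates in this thread
# plus the "deviceAddress" correction. This is NOT the complete ArcSight event
# schema; extend it from the field list of your own installation.
KNOWN_EVENT_FIELDS = {
    "name", "startTime", "endTime", "message", "severity",
    "attackerHostName", "attackerAddress", "sourcePort", "sourceUserName",
    "targetHostName", "targetAddress", "targetPort", "targetUserName",
    "deviceVendor", "deviceProduct", "deviceAddress", "deviceExternalID",
    "deviceCustomString4", "categoryBehavior", "categoryDeviceGroup",
    "categoryObject", "categoryOutcome", "categorySignificance",
    "categoryTechnique", "bytesOut", "fileName", "transportProtocol",
    "baseEventCount",
}

# Matches $introspector.getDisplayValue($event,"fieldName"); whitespace around
# the arguments is tolerated because Velocity accepts it too.
CALL_RE = re.compile(
    r'\$introspector\.getDisplayValue\(\s*\$event\s*,\s*"([^"]*)"\s*\)')


def find_unknown_fields(template_text, known=KNOWN_EVENT_FIELDS):
    """Return [(line, column, field)] for every getDisplayValue call whose
    field name is not in `known`. Line and column are 1-based and point at
    the '$' of the reference, matching Velocity's "[line,column]" report."""
    problems = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        if line.lstrip().startswith("##"):  # Velocity single-line comment
            continue
        for m in CALL_RE.finditer(line):
            field = m.group(1)
            if field not in known:
                problems.append((lineno, m.start() + 1, field))
    return problems


# Constructed excerpt of the "Device Details" block from the thread's template,
# including the field name that made the whole notification come out empty.
SAMPLE_TEMPLATE = """\
## This is a velocity macro file...
Device Details
Device IP: $introspector.getDisplayValue($event,"deviceIPAddress")
Device Vendor: $introspector.getDisplayValue($event,"deviceVendor")
Device Product: $introspector.getDisplayValue($event,"deviceProduct")
"""

if __name__ == "__main__":
    for lineno, col, field in find_unknown_fields(SAMPLE_TEMPLATE):
        print(f"unknown event field '{field}' at [{lineno},{col}]")
```

Running it against the sample reports the "Device IP" line at column 12, which is where the "$" of the failing reference sits; a template with every field name in the known list produces no output.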

Re: Issues with Velocity Template

Hi Pratik,

Exactly, as Enrico said.

It is the template issue.

Is the notification still empty now when you use generatorName?

Thanks

Regards

Michael

pratikp Absent Member.

Re: Issues with Velocity Template


Dear All,

The template issue has been resolved.

I modified the working template which was shared by Mr. Balahasan and solved the issues related to case-sensitive words.

The issues were with case sensitivity and proper formatting of expressions.

Thank you all for assistance.

Regards,

Pratik

santosh.barnwal Regular Contributor.

Re: Issues with Velocity Template

Hi Pratik,

santosh.barnwal Regular Contributor.

Re: Issues with Velocity Template

Could you share the working template?

Fred McGhee Respected Contributor.

Re: Issues with Velocity Template

Hello Pratik, can you share the template?