
Map File(s) Fail


We've installed and configured the Symantec Endpoint Protection DB smart connector.

We've also "Mapped an Additional Data Name" (Mappings for Symantec\Endpoint_Protection:GROUP_ID=>flexString1), which we've confirmed is working. This populates the string "9C39DE190AC40F1C009D3F5ACBB02B19" in the field flexString1.

However, we're also trying to add two map files to D:\ArcSightSmartConnectors\NADTC3-CONW007-SEP1\current\user\agent\map:

map.0.properties:

set.event.customerURI
/All Customers/CompanyName

map.1.properties:

!Flags,Overwrite
event.flexString1,set.event.customerURI
9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division

Even though we've tried numerous combinations in the map file(s), we have been unable to have the value in flexString1, 9C39DE190AC40F1C009D3F5ACBB02B19, map to "/All Customers/CompanyName - Division" and populate the value "/All Customers/CompanyName - Division" into the "customerURI" field whenever the string "9C39DE190AC40F1C009D3F5ACBB02B19" is encountered in the flexString1 field.

The "map.0.properties" file is working and populating the value "/All Customers/CompanyName" in the field "customerURI". But the "map.1.properties" file is not working and is leaving the value "/All Customers/CompanyName" that was populated in the "customerURI" field by map.0.properties. So it appears that map.1.properties is being ignored.

Does anyone have any ideas on what we're doing wrong here?


Accepted Solutions
Commodore

We have resolved our issue via parser overrides:

For the Symantec Endpoint smart connector, we constructed the same parser override for each of the log types (IDs) that the connector retrieves logs from (agent, agent-behavior, agent-security, agent-traffic, alerts, scans, server, server-admin, server-policy, and virus-category). We used the same parser override file for each of these log types (IDs):

12_x.sdkibdatabase.properties:

token.count=1
token[0].name=GROUP_ID
token[0].type=String
event.flexString1=GROUP_ID

This populates the GROUP_ID into the ArcSight field, "flexString1" _before_ the map files are processed.

This file is saved in folders which represent each of the log types (IDs) (\agent, \agent-behavior, \agent-security, \agent-traffic, \alerts, \scans, \server, \server-admin, \server-policy, and \virus-category).

Then these folders, each with the same parser override file (12_x.sdkibdatabase.properties) contained in each of them, are saved to \symantecendpointprotection_db. Finally, "\symantecendpointprotection_db" is saved under "\current\user\agent\fcp".

example: \current\user\agent\fcp\symantecendpointprotection_db\agent\12_x.sdkibdatabase.properties

The map files we used before still remain under \current\user\agent\map and work with these parser overrides.

Hopefully this benefits others who are trying to separate a single instance of Symantec Endpoint Protection logs into different ArcSight "Companies" based on the group ids created in Symantec.

Micro Focus Expert

Hi Richard-

I just tested what you wrote, and it works for me...

What version of the Connector are you using? I tested with 7.3.0.7886.0

Try this:

- stop the connector then start the connector. This is one way to force reload the map files.

Search the agent.log file for the loading of the map files. There may be more valuable information in there about what is going on.

Fleet Admiral

Hi Richard,

It seems you have all the mapping in map.0 and additional duplication in map.1. So in such a situation the connector ignores the map.1 file.

Cheers

Gayan

Commodore

Hi Aaron,

We're running Framework Version 7.3.0.7886.0 and Parser Version 7.3.2.7947.0

I've been restarting the connector each time I try different variations of map.0.properties and/or map.1.properties. But here are the only log entries related to map.0.properties and map.1.properties in agent.log after the connector is restarted:

[2016-11-28 07:31:44,992][INFO ][default.com.arcsight.agent.cf.g][getInputStream] Resource [map.0.properties] found in [D:\ArcSightSmartConnectors\xxxxxxx\current\user\agent\map\map.0.properties]
[2016-11-28 07:31:45,007][INFO ][default.com.arcsight.agent.cf.g][getInputStream] Resource [map.1.properties] found in [D:\ArcSightSmartConnectors\xxxxxxx\current\user\agent\map\map.1.properties]
[2016-11-28 07:31:45,007][INFO ][default.com.arcsight.agent.cf.g][getInputStream] Resource [map.2.properties] not found in any of the usual places
[2016-11-28 07:31:45,007][INFO ][default.com.arcsight.agent.loadable._AgentNATProcessor][init] Loaded [2] map files successfully.

I searched the entire agent.log, looking for anything with "map" in the log file. From what I can see, the connector loads these map files with no issues. Unfortunately, there's no indication of issues in agent.log.

Commodore

Hi Gayan,

We've tried a number of combinations for map.0.properties and map.1.properties, including removing map.0.properties altogether and renaming map.1.properties to map.0.properties, then restarting the connector. When we do this, customerURI does not get populated at all.

Also, we added "!Flags,Overwrite", to map.1.properties, in the hopes that whatever gets populated via map.0.properties:

set.event.customerURI
/All Customers/CompanyName

is replaced with the values set in the map.1.properties, whenever the value "9C39DE190AC40F1C009D3F5ACBB02B19" is encountered in flexString1:

!Flags,Overwrite
event.flexString1,set.event.customerURI
9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division

I am "assuming" that's how the entry "!Flags,Overwrite" works...but I'm not totally sure.

Fleet Admiral

Hi Richard,

map.0.properties:

set.event.customerURI
/All Customers/CompanyName

map.1.properties:

event.flexString1,set.event.customerURI
9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division

Try these 2 map files. It should work.

Cheers

Gayan

Commodore

Hi Gayan,

We believe we figured out the issue, but it's bad news for us:

We "Map an Additional Data Name" with flexString1 to obtain the string "9C39DE190AC40F1C009D3F5ACBB02B19" from the Group_ID field which resides in the Symantec SQL database schema.

Unfortunately, we believe "Map an Additional Data Name" actually takes place after the map files are processed. We think we've established this point by "Enabling Map File Logging" and "Getting Collected Map File Logging" (Via Console: Connectors/Shared/your connector/Send Command/Tech Support/). Below is one of the map file log entries:

Getter fields [flexString1] have values [||] -- nothing set

Since the string value (9C39DE190AC40F1C009D3F5ACBB02B19) for flexString1 is not obtained (via "Mapped Additional Data Name") before the map files are processed, "9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division" will not work for the "map.1.properties" file.

We went further by performing a test, replacing the field "flexString1" with "destinationAddress". "destinationAddress" does not use "Getting Collected Map File Logging", therefore the values are populated in "destinationAddress" before the map files are processed:

map.0.properties:

set.event.customerURI
/All Customers/CompanyName

map.1.properties:

!Flags,Overwrite
event.destinationAddress,set.event.customerURI
0.0.0.0,/All Customers/CompanyName - Division

This test worked...but it's not what we want.

Now the challenge is to figure out how to get "flexString1" populated with Symantec's "Group_ID" before the map files are processed...

Thanks for your and everyone's help!

Commander

Hi Richard,

We are also facing the same issue. I created the parser override file as per your solution and placed it under the above-mentioned path: \current\user\agent\fcp\symantecendpointprotection_db\agent\12_x.sdkibdatabase.properties. But it did not work for us.

Please let us know if any additional steps are required. Thanks in advance.

Fleet Admiral

I believe you can use additionaldata.fieldName in the map file syntax.

Commander

Hi Shaun,

Thank you for your quick response. Unfortunately we cannot use additionaldata fields as getters in a map file.

Commodore

It's been a while, but hopefully I've been able to piece together what we did to accomplish this:

We resolved our issue using a two-pronged approach, Map Files and Parser Overrides:

Map Files:

The map files we used are under \current\user\agent\map:

map.0.properties:

set.event.customerURI
/All Customers/CompanyName

map.1.properties:

!Flags,Overwrite
event.flexString1,set.event.customerURI
9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division

Parser Override:

Then, we constructed a parser override for each of the log types (IDs) that the connector retrieves logs from (agent, agent-behavior, agent-security, agent-traffic, alerts, scans, server, server-admin, server-policy, and virus-category). We used the same parser override file for each of these log types (IDs):

12_x.sdkibdatabase.properties:

token.count=1
token[0].name=GROUP_ID
token[0].type=String
event.flexString1=GROUP_ID

This populates the GROUP_ID into the ArcSight field, "flexString1" _before_ the map files are processed.

This file is saved in folders which represent each of the log types (IDs) (\agent, \agent-behavior, \agent-security, \agent-traffic, \alerts, \scans, \server, \server-admin, \server-policy, and \virus-category).

Then these folders, each with the same parser override file (12_x.sdkibdatabase.properties) contained in each of them, are saved to \symantecendpointprotection_db. Finally, "\symantecendpointprotection_db" is saved under "\current\user\agent\fcp".

example: \current\user\agent\fcp\symantecendpointprotection_db\agent\12_x.sdkibdatabase.properties

With these two in combination, the value in flexString1, 9C39DE190AC40F1C009D3F5ACBB02B19, was mapped to "/All Customers/CompanyName - Division", and that value was populated into the "customerURI" field whenever the string "9C39DE190AC40F1C009D3F5ACBB02B19" was encountered in the flexString1 field.

Hope this helps!

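To make the ordering problem diagnosed earlier in the thread (the "[||]" getter values) and the parser-override fix above concrete, here is an added Python model of map-file evaluation. It is not ArcSight's code: the match/overwrite semantics, the `process` function and the two population paths it compares are assumptions drawn from this thread only.

```python
"""Model of ArcSight map-file evaluation. Added example, not ArcSight code.
Assumed simplified semantics from the thread: a header line lists getter
columns (event.X) then setter columns (set.event.X); a data row whose getter
values equal the event's values applies its setters; "!Flags,Overwrite" lets
a setter replace an already populated field, otherwise it is left alone."""
from typing import Dict, List, Tuple

MAP_0 = "set.event.customerURI\n/All Customers/CompanyName\n"  # as posted above
MAP_1 = ("!Flags,Overwrite\n"
         "event.flexString1,set.event.customerURI\n"
         "9C39DE190AC40F1C009D3F5ACBB02B19,/All Customers/CompanyName - Division\n")
GROUP_ID = "9C39DE190AC40F1C009D3F5ACBB02B19"

def parse_map_file(text: str) -> Tuple[bool, List[str], List[str], List[List[str]]]:
    """Return (overwrite flag, getter fields, setter fields, data rows)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    overwrite = lines[0].lower() == "!flags,overwrite"
    if overwrite:
        lines = lines[1:]
    header = lines[0].split(",")
    getters = [h[len("event."):] for h in header if h.startswith("event.")]
    setters = [h[len("set.event."):] for h in header if h.startswith("set.event.")]
    return overwrite, getters, setters, [ln.split(",") for ln in lines[1:]]

def apply_map_file(event: Dict[str, str], text: str) -> Dict[str, str]:
    """Apply one map file in place; a file with no getter columns always matches."""
    overwrite, getters, setters, rows = parse_map_file(text)
    for row in rows:
        keys, values = row[:len(getters)], row[len(getters):]
        if keys != [event.get(g, "") for g in getters]:
            continue
        for field, value in zip(setters, values):
            if overwrite or not event.get(field):
                event[field] = value
    return event

def process(group_id: str, via_parser_override: bool) -> Dict[str, str]:
    """Run map.0 then map.1 and return the event. True models the accepted
    solution (parser override fills flexString1 before the map files run);
    False models "Map an Additional Data Name", which the thread found runs
    after them, so map.1's getter sees an empty flexString1 ([||])."""
    event: Dict[str, str] = {}
    if via_parser_override:
        event["flexString1"] = group_id
    for map_text in (MAP_0, MAP_1):
        apply_map_file(event, map_text)
    if not via_parser_override:
        event["flexString1"] = group_id  # arrives too late for map.1's getter
    return event
```

Calling `process(GROUP_ID, False)` leaves customerURI at "/All Customers/CompanyName" even though flexString1 ends up populated, while `process(GROUP_ID, True)` yields "/All Customers/CompanyName - Division".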