Mapping more fields in ArcSight
For one of our customers, we have integrated an SEP device. The SEP device uses a Sybase database, and the Symantec DB connector supports only MySQL DB. So we have integrated SEP with syslog. We are now getting logs, but a few fields are not mapping properly. Many fields are being captured in the name field (i.e. device action, user name, host name, etc.).
I heard that there is an option in the ArcSight console for field mapping. Could you please suggest the steps or a related document on how to do field mapping in the ArcSight console?
Thanks for the support.
There is an option to map event fields to other fields in the ArcSight events.
Although I do not know if this is what you are looking for.
This option works for fields that are not mapped yet (also known as additional data).
You can request a list of these additional data fields by right-clicking on a Connector via the ESM Console > Send Command > Mapping > Get additional data names.
When you have this list, you can map those by using the "Map Additional data name.." in the same menu.
This way you can get specific data in different fields.
When you are talking about cutting the data from the name field, I'd advise using a local variable to cut the field out of the name field and writing it to specific fields using the pre-persistence rules.
Hope this helps.
AFAIK, the syslog SmartConnector doesn't support the SEP feed, so basically your problem is not exactly mapping. It's that you are sending unsupported events. You need to "create" a connector, so the best is to follow the flex dev guide.