
Mapping more fields in ArcSight

Hi Team,

For one of our customers, we have integrated an SEP device. The SEP device uses a Sybase database, and the Symantec DB connector supports only My SQL DB, so we have integrated SEP with syslog. We are now getting logs, but a few fields are not mapping properly. Many fields are being captured in the name field (i.e. device action, user name, host name, etc.).

I heard that there is an option in the ArcSight console for field mapping. Could you please suggest the steps or a related document on how to do field mapping in the ArcSight console?

Thanks for the support.

 

Regards,

Punith


Hello Punith,

There is an option to map event fields to other fields in the ArcSight events.
Although I do not know if this is what you are looking for.
This option works for fields that are not mapped yet (also known as additional data).

You can request a list of these additional data fields by right-clicking on a Connector via the ESM Console > Send Command > Mapping > Get additional data names.

When you have this list, you can map those by using the "Map Additional data name.." in the same menu.

 

This way you can get specific data in different fields.


When you are talking about cutting the data from the name field, I'd advise using a local variable to cut the field out of the name field and writing it to specific fields using the pre-persistence rules.

 

Hope this helps.

 

Roy


AFAIK, the syslog SmartConnector doesn't support the SEP feed, so basically your problem is not exactly mapping. It's that you are sending unsupported events. You need to "create" a connector, so the best is to follow the flex dev guide.
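The "cut the fields out of the name field" idea from the replies, prototyped offline as an added example (not part of the thread and not ArcSight code). The sample line, its key names and the mapping table are constructed assumptions; the targets are ArcSight event field names, and unmapped pairs are kept aside the way additional data would be.

```python
import re

# Constructed sample: what ends up in the ArcSight "name" field when the whole
# syslog payload is left unparsed. The key names are assumptions for this sketch.
SAMPLE_NAME = ("Virus found,Computer name: WKSTN-042,Risk name: EICAR Test String,"
               "Actual action: Quarantined,User: jsmith,Source: Real Time Scan")

# Assumed source key -> ArcSight event field it should populate.
FIELD_MAP = {
    "Computer name": "destinationHostName",
    "Actual action": "deviceAction",
    "User": "destinationUserName",
}

# "key: value" with optional padding; the value may itself contain colons.
PAIR_RE = re.compile(r"^\s*([^:,]+?)\s*:\s*(.*?)\s*$")

def split_name_field(raw):
    """Return (event, leftovers): mapped ArcSight fields and unmapped pairs."""
    parts = raw.split(",")
    event = {"name": parts[0].strip()}   # first token is the real event name
    leftovers = {}                        # analogue of "additional data"
    for part in parts[1:]:
        m = PAIR_RE.match(part)
        if not m:
            # Fragment without a key (e.g. a value that contained a comma):
            # keep it visible instead of silently dropping data.
            leftovers.setdefault("_unparsed", []).append(part.strip())
            continue
        key, value = m.group(1), m.group(2)
        target = FIELD_MAP.get(key)
        if target:
            event[target] = value
        else:
            leftovers[key] = value
    return event, leftovers

if __name__ == "__main__":
    event, extra = split_name_field(SAMPLE_NAME)
    print(event)
    print(extra)
```

Anything that lands in `_unparsed` or in the leftovers marks a token the eventual parser or mapping still has to account for.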
