pserrano1
820 views

Parse Access Mask on Windows Unified. Not working


Hi all,

working with Windows Unified connector.

I'm trying to parse the Access Mask reported by EventID=560.

I have created the following parser file and copied it under \current\user\agent\fcp\windowsfg\windows_2003, but it doesn't work. Any suggestions?

(attachment: accessmask.JPG)

security.sdkkeyvaluefilereader.properties

#### BEGIN PARSER ###################################
# key/value tokenisation of the event body
key.delimiter=&&
key.value.delimiter=:
key.regexp=([^&=]+)

# keep unmapped keys in Additional Data
additionaldata.enabled=true

# __getVendor and __stringConstant take a quoted string literal;
# the values below are placeholders as posted
event.deviceVendor=__getVendor(Device Vendor)
event.deviceProduct=__stringConstant(Device Product)

conditionalmap.count=1
# conditional map fields are referenced as event.<fieldName>
# (posted as event.event.externalId)
conditionalmap[0].field=event.externalId
conditionalmap[0].mappings.count=1

# for event 560 copy key 38 (Access Mask) into deviceCustomString5
conditionalmap[0].mappings[0].values=560
conditionalmap[0].mappings[0].event.deviceCustomString5=key[38]
#### END PARSER ######################################

thanks

Accepted Solution
binkie_jhs1

Re: Parse Access Mask on Windows Unified. Not working


Pedro,

Shouldn't you be using a 'security.keymap.properties' file? (which means you see an entry regarding event 560 in your logs)

in .../current/user/agent/fcp/windowsfg/windows_2003

If so you'd need something like below (but for 560):

"565","Object Open (Active Directory)","Object Server","Object Type","Object Name","New Handle ID","Operation ID","Process ID","Process Name","Primary User Name","Primary Domain","Primary Logon ID","Client User Name","Client Domain","Client Logon ID","Accesses","Privileges","Properties","Access Mask"

If you need the location & name for a parser override, check out https://arcsight.custhelp.com/cgi-bin/arcsight.cfg/php/enduser/popup_adp.php?p_faqid=3842

laters, jhs

5 Replies
guggilamsandeep

Re: Parse Access Mask on Windows Unified. Not working


You have to change the name "security.sdkkeyvaluefilereader.properties".

If the event is from Event Log "System" and Event Source "Service Control Manager", then the file name should be like "system.service_control_manager.sdkkeyvaluefilereader.properties".

After changing the name, restart the connector service and try again. Post the result.

Thanks

Sandeep

pserrano1

Re: Parse Access Mask on Windows Unified. Not working


(attachment: MS-EVENT.JPG)

Hi Sandeep,

first of all, thanks for your answer.

About your recommendation: I have tested it but I get the same result. The events come from event log "Security" and Event Source "Security", as you can see in the attached bitmap. The name of the new parser should be security.security.sdkkeyvaluefilereader.properties, but I have tested it and it didn't work.

It looks like the file sdkkeyvaluefilereader.properties is not loaded by the connector.

I have copied the file under the current\user\agent\fcp\windows_2003 folder, but it looks like it is never read by the process.

Is it necessary to configure something else so that WUnified loads this parser?

The connector version is 5.1.1.5782.0

Thanks

pserrano1

Re: Parse Access Mask on Windows Unified. Not working


Hi jhs,

Using the security.keymap.csv I could see the access mask data in Additional Data... I will try to map it to a normal field, but it looks good!

I'm not sure why the conditional file security.security.sdkkeyvaluefilereader.properties doesn't work. Only security.keymap.csv loads this data. So if you need to regex the field...

Thanks!

guido.moscarell

Re: Parse Access Mask on Windows Unified. Not working


So... once you are able to see the field in the additional data using the security.keymap.csv, how do you map this field to a standard field (not AD)?

Thanks,

Guido

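Guido's question, and Pedro's earlier remark about needing to regex the field, both come down to what to do with the Access Mask once it reaches a field. The block below is an added example, not code from this thread or from the ArcSight connector: it pulls the "Access Mask" and "Object Type" lines out of an Object Open event body, decodes the mask into the named Windows rights, and flags masks that grant write, delete or ACL-change access. The bit values are the documented Windows standard, generic and file-specific access rights; the event body is a constructed sample in the shape of a Windows 2003 event 560 (not a captured event), and the function names and the `MODIFYING_RIGHTS` set are this example's own choices. Note that only the upper 16 bits have a fixed meaning; the lower 16 bits depend on the Object Type, so the decoder names them only for "File" and reports them as raw hex for other types.

```python
import re

# Standard and generic rights occupy the upper 16 bits of every Windows
# access mask, whatever the object type.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Object-specific rights (low 16 bits) for Object Type "File". Other object
# types (Key, Process, Token, ...) reuse the same bit positions with different
# meanings, so for them the low bits are reported as a raw hex value.
FILE_RIGHTS = {
    0x0001: "FILE_READ_DATA",
    0x0002: "FILE_WRITE_DATA",
    0x0004: "FILE_APPEND_DATA",
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_EXECUTE",
    0x0040: "FILE_DELETE_CHILD",
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}

# Rights that let the caller change the object or its security descriptor
# (this example's own triage choice, not an ArcSight setting).
MODIFYING_RIGHTS = {
    "DELETE", "WRITE_DAC", "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL",
    "MAXIMUM_ALLOWED", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
    "FILE_DELETE_CHILD", "FILE_WRITE_ATTRIBUTES",
}

# The "0x" prefix is optional because some forwarders strip it.
ACCESS_MASK_RE = re.compile(r"Access Mask:\s*(?:0x)?([0-9A-Fa-f]+)")
OBJECT_TYPE_RE = re.compile(r"Object Type:\s*(\S+)")


def decode_access_mask(mask, object_type="File"):
    """Return the names of the rights set in mask, object-specific rights first."""
    rights = []
    specific = mask & 0xFFFF
    if object_type == "File":
        known = 0
        for bit, name in sorted(FILE_RIGHTS.items()):
            if specific & bit:
                rights.append(name)
                known |= bit
        leftover = specific & ~known
        if leftover:  # bits no documented file right defines
            rights.append("UNKNOWN_0x%04X" % leftover)
    elif specific:
        rights.append("SPECIFIC_0x%04X" % specific)
    for bit, name in sorted(STANDARD_RIGHTS.items()):
        if mask & bit:
            rights.append(name)
    return rights


def parse_event(text):
    """Return (object_type, mask) from an event body; either is None if absent."""
    obj = OBJECT_TYPE_RE.search(text)
    mask = ACCESS_MASK_RE.search(text)
    return (obj.group(1) if obj else None,
            int(mask.group(1), 16) if mask else None)


def is_modifying_access(rights):
    """True when any decoded right allows changing the object or its ACL."""
    return bool(MODIFYING_RIGHTS.intersection(rights))


# Constructed sample in the shape of a Windows 2003 event 560 body; the
# object name, user and IDs are made up.
SAMPLE_560 = """Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\\Finance\\payroll.xls
 Handle ID: 1234
 Operation ID: {0,987654}
 Process ID: 2048
 Image File Name: C:\\WINDOWS\\explorer.exe
 Primary User Name: jdoe
 Primary Domain: CORP
 Primary Logon ID: (0x0,0x3E7)
 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory) ReadEA WriteEA ReadAttributes WriteAttributes
 Privileges: -
 Access Mask: 0x12019F
"""


def triage(text):
    """Decode one event body and say whether it should be flagged."""
    object_type, mask = parse_event(text)
    rights = decode_access_mask(mask, object_type) if mask is not None else []
    return object_type, mask, rights, is_modifying_access(rights)


if __name__ == "__main__":
    object_type, mask, rights, flagged = triage(SAMPLE_560)
    print("type=%s mask=0x%X flagged=%s" % (object_type, mask, flagged))
    print(" ".join(rights))
```

The sample mask 0x12019F is the familiar read-plus-write combination (READ_CONTROL | SYNCHRONIZE | all file read and write data/attribute/EA bits), so it is flagged; a pure read open such as 0x120089 is not. Mapping the decoded names back into the connector is a separate step (a custom string field or Additional Data, as in the thread); this block only shows the decoding that any downstream rule would need.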