This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
mmanring
Absent Member.
Absent Member.
‎2016-07-26 16:51
789 views

Syslog FlexConnector with IPv6

Jump to solution

So I have events coming from a DNS appliance that isn't supported by ArcSight and I have made a parser for it that somewhat works. One of the issues that it is having is when the event has IPv6 addresses instead of IPv4 addresses in it. Here is the relevant piece of an IPv4 and IPv6 event:

client 192.168.34.55#61213 (hostname.test.com): query: hostname.test.com IN A + (192.168.0.5)
client 2000:152:4f46:8a::d014#50454 (ing.clicktale.net): query: ing.clicktale.net IN AAAA + (2000:152:4f46:8a::5)

The first IP address is the source and the second is the destination. So I capture them in the FlexConnector as srcip (source) and dstip (destination) and then try to assign them with the following:

event.destinationAddress=__oneOfAddress(dstip)
event.sourceAddress=__oneOfAddress(srcip)
event.deviceCustomIPv6Address2Label=__stringConstant("Source IPv6 Address")
event.deviceCustomIPv6Address2=__stringToIPv6Address(srcip)
event.deviceCustomIPv6Address3Label=__stringConstant("Destination IPv6 Address")
event.deviceCustomIPv6Address3=__stringToIPv6Address(dstip)

If the event has the IP address in the IPv4 format, it seems to parse it fine. However, when it gets a IPv6 most of the fields are blank. But the IPv6 label fields (c6a2Label, c6a3Label) get set correctly. Any thoughts or comments would be helpful. I'm not sure if the cascade effect of setting the IPv4 then IPv6 is messing things up.

Labels (3)
Tags (2)
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
mmanring
Absent Member.
Absent Member.
‎2016-07-26 18:31

Jump to solution

Turns out it was not the parser at all, but the aggregation that I had set up on the connector. I didn't have all the necessary fields to do the aggregation correctly and so it was aggregating events that shouldn't have been and blanking fields. Tricky, tricky...

View solution in original post

0 Likes
Reply
Report Inappropriate Content
1 Reply
mmanring
Absent Member.
Absent Member.
‎2016-07-26 18:31

Jump to solution

Turns out it was not the parser at all, but the aggregation that I had set up on the connector. I didn't have all the necessary fields to do the aggregation correctly and so it was aggregating events that shouldn't have been and blanking fields. Tricky, tricky...

View solution in original post

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.