Lieutenant Commander

WINC Connector "Security MSSQL|SQLIPackage" Parser Error


Hello, 

I have an 8.0 version winc connector. Although there is no parser in the connector, I get the error "No match between string [Security] and regex [(MSSQL | SQLISPackage). *]". What is the reason?

Thank you

Accepted Solution
Micro Focus Frequent Contributor

For WiNC connector this comes from the sourcemap.csv.

In the WiNC guide 

https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-MS-Windows-Event-Log-Native-SmartConnector/ta-p/1585123?attachment-id=80306

There is a mention on page 54 of creating an override map file...
But what they don't show you is what it is currently set to....

So I will show that here...


winc\core_maps\customereventsource.map.csv

#SourceChannel, SourceProviderNamePattern, TargetProviderName, TargetChannel
Application,SQLISPackage.*,MSSQLSERVER,Application
Application,MSSQL.*,MSSQLSERVER,Application
Exchange Auditing,MSExchangeIS Auditing,MSExchangeIS Auditing,Application

What this suggests is that when we receive an event into the ActiveMQ from a Windows source using the WiNC connector, when that is processed we check the following patterns for a match.

From above this suggests the following for this line...

Application,MSSQL.*,MSSQLSERVER,Application

explained: If an event comes in with SourceChannel=Application, and if that event has a SourceProviderName beginning with MSSQL (this is because of the use of the wildcard *), then route this event to fcp\winc\application\mssqlserver.sdkkeyvaluefilereader.properties for parsing.

If for some reason, those events arrive as "Security" channel and not "Application" then the event parser will not be found in fcp\winc\security folder because it is actually located in the application folder.

This may be a result of forwarding said Application events through a server's Security channel, therefore seeing them as Security upon arrival at the connector.

How to fix this?

First get the unobfuscated parsers from where you download your connectors. It should be a zip file with the word fcp in it. Unzip it. Search for the winc directory.

Find the winc\core_maps directory. Take the customeventsource.map.csv and edit it to include a new line for each Security channel item that needs to be routed to the Application parser.

For example...

Since you already have the line...

Application,MSSQL.*,MSSQLSERVER,Application

you don't want to break that default. But you want to make sure that if the same type of events arrive in the Security channel then you will route them to the same parsers, therefore ADD the following to that file.

Security,MSSQL.*,MSSQLSERVER,Application

translating to: If I receive an event in the Security channel that is of type MSSQL.* then route that to the mssqlserver parser located in the application folder for winc.

Save a copy of that file in the current\user\agent\fcp\winc\core_maps folder of your WiNC connector. Stop and start the connector for the changes to take effect. Monitor your logs for further similar errors.

Repeat with SQLISPackage as well.

Documentation will suggest only forwarding such events through like channels.
But the core maps can be altered to address any unintended missed routes.
This doesn't suggest that any particular event will actually be parsed, just that it may require alternative routing prior to parsing.

Also note that the core map can be used for custom events not otherwise currently parsed by us.
If you have a unique Windows application you want to parse which ArcSight doesn't yet parse, use the core_map to create a route to a custom parser you have written.

And of course share that with our Support team so we may consider it for inclusion in a future release.

Hope this helps.

Any further detail may require a case to be opened.

Kind Regards,

Peter Halton

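To make the routing rule in the answer concrete, here is an added example (not code from the connector or from the poster) that reads the core map rows quoted above and resolves an event by SourceChannel plus a regex over SourceProviderName. It assumes a whole-string regex match and that the target parser path is built as fcp\winc\<TargetChannel>\<TargetProviderName>.sdkkeyvaluefilereader.properties, generalising from the one path the answer shows; the map contents and event values are constructed samples.

```python
import re
from typing import List, Optional, Pattern, Tuple

# Constructed copy of the default core map rows quoted in the answer.
DEFAULT_MAP_CSV = """\
#SourceChannel, SourceProviderNamePattern, TargetProviderName, TargetChannel
Application,SQLISPackage.*,MSSQLSERVER,Application
Application,MSSQL.*,MSSQLSERVER,Application
Exchange Auditing,MSExchangeIS Auditing,MSExchangeIS Auditing,Application
"""

# The same map with the two Security rows the answer tells you to add.
FIXED_MAP_CSV = DEFAULT_MAP_CSV + """\
Security,MSSQL.*,MSSQLSERVER,Application
Security,SQLISPackage.*,MSSQLSERVER,Application
"""

Route = Tuple[str, Pattern, str, str]


def load_core_map(text: str) -> List[Route]:
    """Parse the four-column map: '#' lines are comments, cells are trimmed."""
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cells = [c.strip() for c in line.split(",")]
        if len(cells) != 4:
            raise ValueError("malformed core map row: %r" % line)
        src_channel, pattern, target_provider, target_channel = cells
        routes.append((src_channel, re.compile(pattern), target_provider, target_channel))
    return routes


def route_event(routes: List[Route], source_channel: str, provider_name: str) -> Optional[str]:
    """Return the parser path for the first row whose channel equals the
    event's channel and whose regex matches the whole provider name.
    None means 'no route': an Application-style event arriving on the
    Security channel falls through the default map exactly like this.
    Assumptions: whole-string matching, and the path layout is derived
    from the single example path given in the answer."""
    for src_channel, pattern, target_provider, target_channel in routes:
        if src_channel == source_channel and pattern.fullmatch(provider_name):
            return "fcp\\winc\\%s\\%s.sdkkeyvaluefilereader.properties" % (
                target_channel.lower(), target_provider.lower())
    return None
```

Running the same MSSQL event against the default map and then the fixed map shows the miss and the resolved route, which is the check to make before restarting the connector.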

