Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Frequent Contributor.. prasada@rba.gov Frequent Contributor..
Frequent Contributor..
295 views

end / endTime Field Missing From Forwarding Connector

I've noticed that when using the Forwarding Connector from ESM to CEF Syslog, the output is definitely CEF, but is missing the field:

end=

How can I get the endTime in the output of the Forwarding Connector?

Cheers,

Ash

Labels (2)
0 Likes
2 Replies
pbrettle Acclaimed Contributor.
Acclaimed Contributor.

Re: end / endTime Field Missing From Forwarding Connector

The bigger question is around the original log messages though, this might be a valid situation where the log message itself has no timestamp, endTime or is of an event type that uses startTime or something - can you fill in any background on this? What is the log source, what are the original messages and can you confirm that there is a timestamp in them?

Also, can you provide an example of the output? The CEF file itself? What about the events themselves that are being forwarded, can you provide samples of these too?

0 Likes
Frequent Contributor.. prasada@rba.gov Frequent Contributor..
Frequent Contributor..

Re: end / endTime Field Missing From Forwarding Connector

Regardless of the original source of the event, ESM assigns an endTime field.

For example:

CEF:0|CISCO|ASA||305012|Teardown dynamic UDP translation|Low| eventId=56267798506 mrt=1484097686471 proto=UDP categorySignificance=/Informational categoryBehavior=/Access/Stop categoryDeviceGroup=/Firewall catdt=Firewall categoryOutcome=/Success categoryObject=/Host/Application/Service modelConfidence=0 severity=4 relevance=10 assetCriticality=0 priority=4 art=1484096108163 deviceSeverity=6 rt=1484096094000 src=111.222.222.555 sourceZoneID=MqtK3GDYBABCadQ565CqXiQ\=\= sourceZoneURI=/All Zones/GTR/GTR/GTR/GTR sourceTranslatedAddress=222.111.111.111 sourceTranslatedZoneID=M84KKBTYDFBCFwwLq3OcpBQ\=\= sourceTranslatedZoneURI=/All Zones/GTR/GTR Internet Primary spt=6260 sourceTranslatedPort=6260 cs5=dynamic cs6=0:00:00 c6a4=ffff:0:0:0:222:5555:ffff:5555 locality=1 cs1Label=ACL cs2Label=Unit cs3Label=TCP Flags cs4Label=Order cs5Label=Connection Type cs6Label=Duration cn1Label=ICMP Type cn2Label=ICMP Code cn3Label=DurationInSeconds c6a4Label=Agent IPv6 Address ahost=host.gtr.gtr agt=100.222.333.55 av=7.1.7.7602.0 atz=LA/la aid=3p9IZi1kBABCq5RFPFdJWYUw\=\= at=superagent_ng dvchost=myhost dvc=111.111.111.99 deviceZoneID=M-fU32AABABGVdfFpYAT3UdQ\=\= deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 deviceAssetId=4Wa8hHVSDFBCc-t56wI7mTw\=\= dtz=LA/LA deviceInboundInterface=myint deviceOutboundInterface=myint2 eventAnnotationStageUpdateTime=1484097686472 eventAnnotationModificationTime=1484097686472 eventAnnotationAuditTrail=1,1484012146095,root,Queued,,,,\n eventAnnotationVersion=1 eventAnnotationFlags=0 eventAnnotationEndTime=1484096094000 eventAnnotationManagerReceiptTime=1484097686471 originalAgentHostName=host originalAgentAddress=111.111.88.111 originalAgentZoneURI=/All Zones/GR/GR/GR originalAgentVersion=7.3.0.7886.0 originalAgentId=3q0sfHVcBABCcSDFvMpvc1w\=\= originalAgentType=syslog_file _cefVer=0.1 ad.arcSightEventPath=3q0sfHVcBABCcMZVvMSDFc1w\=\=

If that CEF message went into ESM, then the endTime is given and can be seen in ESM console. I'm not sure which field it uses as the endTime but it doesn't matter to me.

However, when I use the Forwarding Connector to pull events out of ESM, I want the endTime field to be outputted based on the endTime the ESM manager previously assigned ... is this possible? If not, what is the logic/algorithm around endTime calculation?

Scenario: pull events out of ESM for offline storage for retrieval many years later. Keeping the logs in plaintext CEF files means restoration can happen even if ArcSight ESM is no longer around. Without the endTime or way to calculate the original endTime of the event (approx), then storing in this way is a bit limited.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.