kq

getting deviceHostName or deviceAddress for DNS multi folder connector

I have a dns_tracelog_multifolder_file connector installed and it is working normally.

I just need a way to get the deviceHostName or deviceAddress added to the event, or at the very least the file share that the connector is reading.

I don't know why it doesn't come as part of the event.

thanks

Micro Focus Expert

Re: getting deviceHostName or deviceAddress for DNS multi folder connector

Is deviceHostName currently empty? If not, which value is it currently being filled with? And what are you expecting the deviceHostName to include? That would be the deviceHostName of the DNS server, correct?

From ESM you can also go to Connectors, right-click the connector, Send Command, Mapping, Get Additional Data Mappings.

Please post the results from that action in the reply as well 🙂

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
kq

Re: getting deviceHostName or deviceAddress for DNS multi folder connector

The deviceHostName is empty, and so is deviceAddress.

The DNS connector reads from multiple servers, each with a file share set up:

\\server1.domain.com\dnslogs

\\server2.domain.com\dnslogs

\\server3.domain.com\dnslogs

I want either server1 or server1.domain.com to show in the deviceHostName, to see which server the file was read from.

The logs are only going to Logger, but looking at the raw CEF log I don't see any additionalData fields.

Micro Focus Expert

Re: getting deviceHostName or deviceAddress for DNS multi folder connector

Certain details cannot be seen from raw logs; for example, syslog often puts this in the syslog header itself, which is accessible during parsing but not included in the raw event.

Though I checked the mapping for the MS DNS Multiple Server File connector here: https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-DNS-Multiple-Server-File/ta-p/1588032

I do indeed see that most device fields are not mapped at all, so there is nothing wrong with the parsing in theory. Most likely, because you are fetching the files, no header is available, and Microsoft does not log the DNS server in the request, so there is nowhere to fetch this data from.

Though we still have one option! But I need to know what value is available in "File Path" on one of the events, and I will throw something very small together to fix your issue.

//Marius
Micro Focus Frequent Contributor

Re: getting deviceHostName or deviceAddress for DNS multi folder connector

Hi,

Adding the following lines to agent.properties should be the solution for your request.

(These lines should be added for each folder: foldertable[1], foldertable[2], etc.)

agents[0].foldertable[0].extractfieldnames=deviceHostName
agents[0].foldertable[0].extractregex=\\\\\\\\([^\\\\]+).*
agents[0].foldertable[0].extractsource=File Path
agents[0].foldertable[0].usefieldextractor=true


Kind regards.
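As an added illustration (not the connector's own code and not part of this thread), the Python below reproduces what those four properties do: it reads them the way a Java .properties file is unescaped (the eight backslashes in the file become four in the regex, which match the two literal backslashes of a UNC path) and applies the regex to constructed File Path values. That the connector requires the regex to match the whole File Path is my assumption; the trailing .* in the reply's regex makes it work either way.

```python
import re

# Constructed copy of the agent.properties lines from the reply (one folder shown).
# .properties files unescape backslashes once: 8 in the file -> 4 in the regex
# -> 2 literal backslashes in the path, i.e. the "\\" that starts a UNC share.
PROPERTIES_TEXT = r"""
agents[0].foldertable[0].extractfieldnames=deviceHostName
agents[0].foldertable[0].extractregex=\\\\\\\\([^\\\\]+).*
agents[0].foldertable[0].extractsource=File Path
agents[0].foldertable[0].usefieldextractor=true
"""


def load_properties(text: str) -> dict:
    """Minimal .properties reader: key=value per line, '\\\\' collapsed to '\\'.

    A full reader would also handle \\uXXXX, ':' separators and continuations;
    only the backslash escape matters for the extractor regex.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def extract_device_host(props: dict, folder: int, file_path: str) -> dict:
    """Apply one folder's field extractor to a File Path value, as the connector would.

    Returns the extracted fields, or {} when the extractor is off, reads another
    source, or the regex does not match (a local path, for instance), in which
    case deviceHostName stays empty exactly as the original poster observed.
    """
    prefix = f"agents[0].foldertable[{folder}]."
    if props.get(prefix + "usefieldextractor", "false").lower() != "true":
        return {}
    if props.get(prefix + "extractsource") != "File Path":
        return {}
    names = [n.strip() for n in props[prefix + "extractfieldnames"].split(",")]
    # Assumption: the connector wants a full match; fullmatch mirrors Java matches().
    match = re.fullmatch(props[prefix + "extractregex"], file_path)
    if not match:
        return {}
    return dict(zip(names, match.groups()))


if __name__ == "__main__":
    cfg = load_properties(PROPERTIES_TEXT)
    for path in (r"\\server1.domain.com\dnslogs\dns.log", r"C:\dnslogs\dns.log"):
        print(path, "->", extract_device_host(cfg, 0, path))
```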
