Hi Mike,

strane that no one replied to your message so far. If you have log files in CSV, then you are big step toward the resolution of your issue. You need to prepare flex connector and parse these CSV files on the source system itself. If that proxy is Linux or Windows, no problem with installing ArcSight connector, and develope flex connector (regex or whatever).

For more info on flex connectors, look for FlexConnectorDevConfig.pdf document, somewhere on Arcsight's documentation web site.

Milan

I didn't see your original post, but thanks to Milan's follow-up I saw it re-surface.

Flex connectors for a CSV are actually about as easy as it gets since  you don't have to use regex to capture the tokens. I've got one or two  CSV flex connectors, and you just need to define the comma as a  delimiter, quotation marks as the text qualifier, and define the number  of tokens that need to be captured. It also helps to trim empty tokens  (removing leading and hanging white space) and let the parser know  whether any of the tokens might ever be empty.

Start  with something like this:

delimiter=,
text.qualifier="
comments.start.with=\#
trim.tokens=true
contains.empty.tokens=true

token.count=8

Hello,

But which exactly FlexAgent do you use? I've installed ArcSight FlexConnector File but somehow it does not extract the events into Manager. P.S. Seems like the .sdkfilereader.properties file configuration is fine.

Thx,

Gintautas

Hi Gintautas,

sorry for late reply, but I was bussy. You should use Log File Flex Connector type (well documented in Flex Connector Developers Guide). If you can post more details about your flex connector, maybe someone can help.

Milan

problem solved in that we are having to get the logs and transform them via some code for another process... I am now outputting it into CEF format and feeding into a CEF file connector.