sanhyongt1 Absent Member.

Change of time to reflect local time + IPv6 address field


Hi All,

I am new to this and am attempting an ID-based flex connector for the McAfee ePO User Audit log and will kindly need some help.

As you know, ePO stores time in UTC format.

1) With reference to https://protect724.arcsight.com/message/7061#7061,

Change Connector Time to UTC format.


In Override Parser, include the following:

event.deviceCustomNumber1=ReceivedTime
event.deviceCustomNumber1Label=__stringConstant(Received Time (UTC) - Raw)


event.deviceCustomNumber2=GeneratedTime
event.deviceCustomNumber2Label=__stringConstant(Generated Time (UTC) - Raw)

a)  Can anyone help explain the logic of the parameters involved in the override parser? e.g. where do you get the Raw value?

b)  It will be best that the Connector Time Zone does not need to be changed to UTC, are there any other alternatives?

2) There is always a field value in the SQL table that will contain either an IPv4 or IPv6 address. Can I apply any form of conditional mapping like: if the field value contains an IPv4 address, it will be mapped to Logger Field: SourceAddress, else to custom Logger Field: flexString1?

Thanks.

Accepted Solutions

jring1 Trusted Contributor.

Re: Change of time to reflect local time + IPv6 address field


Hi,

1) The override parser shown is not a complete parser but just a bit of debugging code which puts the raw time values from the EPO DB into the deviceCustomNumber1 and 2 fields. It will not fix the tz problem in its current form. Also, without the rest of the parser (which we don't have, since it's obfuscated), it will be harder to understand.

The raw values ReceivedTime and GeneratedTime are from the rest of the parser and are probably just some DB columns.

One could try something along the following lines:

- Use the override as shown and try to figure out the time format used by converting/comparing the values in deviceCustomNumber1 and 2 with the End time.

- If the End Time turns out to be wrong, one could use the __createLocalTimeStamp class of functions to write an override which fixes this. For example, if GeneratedTime aka deviceCustomNumber2 had turned out to be the End Time in seconds from the epoch (unix time format), the following might fix it:

event.endTime=__createLocalTimeStampFromSecondsSinceEpoch(GeneratedTime)

2) Just assign both fields with the appropriate functions - if none matches, both fields will be empty:

event.sourceAddress=__oneOfAddress(string_variable_which_contains_src_ipv4_or_ipv6)

event.deviceCustomIPv6Address1=__stringToIPv6Address(string_variable_which_contains_src_ipv4_or_ipv6)

event.deviceCustomIPv6Address1Label=__stringConstant(SrcIPv6)


The latter shamelessly stolen from: https://protect724.arcsight.com/message/35095#35095

Unfortunately the IPv6 functions are not yet documented in the Flex Connector Dev Guide https://protect724.arcsight.com/docs/DOC-2280

Joachim


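Worked example for part 2 of the accepted answer (added here as an illustration; this is not code from the original posts and not ArcSight's own implementation). It emulates in Python what the two mapping lines do: __oneOfAddress yields an address for any IPv4 or IPv6 literal and nothing otherwise, __stringToIPv6Address only for IPv6, so assigning both fields leaves exactly the right one populated and both empty on garbage. The "logger" target (IPv6 into flexString1, which the original question asked about) and the unwrapping of IPv4-mapped IPv6 literals are assumptions added for illustration, not documented behaviour of the ArcSight functions.

```python
import ipaddress
from typing import Dict, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def one_of_address(value: str) -> Optional[IPAddr]:
    """Emulates __oneOfAddress as used in the override: a string that parses
    as an IPv4 or IPv6 literal becomes an address; anything else yields
    None, which leaves the target event field empty."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def string_to_ipv6_address(value: str) -> Optional[ipaddress.IPv6Address]:
    """Emulates __stringToIPv6Address: only IPv6 literals match."""
    addr = one_of_address(value)
    return addr if isinstance(addr, ipaddress.IPv6Address) else None


def map_address_fields(raw: str, target: str = "esm") -> Dict[str, Optional[str]]:
    """Conditional mapping of one DB column that may hold either family.

    target="esm"    -> IPv6 goes to deviceCustomIPv6Address1 (ESM has the field)
    target="logger" -> IPv6 goes to flexString1 (Logger has no IPv6 fields);
                       stored in RFC 5952 compressed form so that a search for
                       'fe80::1' also hits a row that arrived as 'FE80:0000::0001'.
    IPv4-mapped IPv6 literals (::ffff:10.1.2.3) are unwrapped to IPv4 so the
    host lands in sourceAddress. That unwrapping is an assumption of this
    example, not something the ArcSight functions are documented to do.
    """
    addr = one_of_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    fields: Dict[str, Optional[str]] = {
        "sourceAddress": None,
        "deviceCustomIPv6Address1": None,
        "deviceCustomIPv6Address1Label": None,
        "flexString1": None,
        "flexString1Label": None,
    }
    if isinstance(addr, ipaddress.IPv4Address):
        fields["sourceAddress"] = str(addr)
    elif isinstance(addr, ipaddress.IPv6Address):
        if target == "esm":
            fields["deviceCustomIPv6Address1"] = addr.compressed
            fields["deviceCustomIPv6Address1Label"] = "SrcIPv6"
        else:
            fields["flexString1"] = addr.compressed
            fields["flexString1Label"] = "SrcIPv6"
    return fields


if __name__ == "__main__":
    # Constructed sample column values, not real ePO data
    for sample in ["10.1.2.3", "FE80:0000::0001", "::ffff:10.1.2.3", "not-an-address"]:
        print(sample, "->", {k: v for k, v in map_address_fields(sample, "logger").items() if v})
```

The point to check in the real connector is the no-match case: a column that carries a hostname or an empty string must leave both fields empty rather than raising a parse error, which is what the two separate assignments buy you.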
sanhyongt1 Absent Member.

Re: Change of time to reflect local time + IPv6 address field

Thanks Joachim for your help and explanation.

1) Another way that I thought of in dealing with the timing offset is to deal with it at the SQL query portion instead.

e.g. DATEADD(ms,28800000,DLP_EventView.UTCTime)

2) Apparently, it is indeed true that Logger does not have IPv6* fields yet, which ESM already has. All I could do is map the IPv6 address under a Custom String field.

jring1 Trusted Contributor.

Re: Change of time to reflect local time + IPv6 address field
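Worked example for the time-zone part of the thread, covering both the __createLocalTimeStampFromSecondsSinceEpoch approach from the accepted answer and the DATEADD offset in the query above (added here as an illustration; not code from the original posts, and not ArcSight's or ePO's implementation). The connector time zone is assumed to be UTC+8 with no DST, which is what the 28,800,000 ms offset corresponds to; the sample timestamp is constructed. The magnitude-based seconds-versus-milliseconds guess is a heuristic added for the "figure out the time format" step, not an ArcSight function.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for the walk-through (not from the thread): connector runs at
# UTC+8 without DST, i.e. the 8 h / 28,800,000 ms offset used in the query.
CONNECTOR_TZ = timezone(timedelta(hours=8))
TZ_OFFSET_MS = 8 * 3600 * 1000

# Constructed sample: one UTC instant as ePO might store it, in two shapes.
SAMPLE_EPOCH_SECONDS = 1356998400              # 2013-01-01 00:00:00 UTC
SAMPLE_UTC_WALLCLOCK = "2013-01-01 00:00:00"   # same instant, zone-less text
TRUE_INSTANT = datetime(2013, 1, 1, tzinfo=timezone.utc)


def create_local_timestamp_from_seconds_since_epoch(seconds: int) -> datetime:
    """Emulates __createLocalTimeStampFromSecondsSinceEpoch: an epoch count
    names an absolute instant, so the result does not depend on the
    connector's configured time zone (returned as an aware UTC datetime)."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def epoch_to_instant(raw: int) -> datetime:
    """Heuristic for the 'compare deviceCustomNumber2 with End Time' step:
    epoch seconds stay below 1e11 until the year 5138, so a larger raw
    value is taken to be milliseconds. This guess is an addition here."""
    raw = int(raw)
    if raw >= 10**11:
        return datetime.fromtimestamp(raw / 1000, tz=timezone.utc)
    return create_local_timestamp_from_seconds_since_epoch(raw)


def parse_as_connector_local(wallclock: str, connector_tz: timezone) -> datetime:
    """What a connector does with a zone-less 'YYYY-MM-DD HH:MM:SS' column:
    it assumes the value is expressed in its own configured time zone."""
    naive = datetime.strptime(wallclock, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=connector_tz)


def dateadd_ms(wallclock: str, offset_ms: int) -> str:
    """Emulates DATEADD(ms, offset, UTCTime) in the SQL query: shifts the
    zone-less UTC wall clock by a fixed offset, still with no zone attached."""
    shifted = datetime.strptime(wallclock, "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=offset_ms)
    return shifted.strftime("%Y-%m-%d %H:%M:%S")


def error_seconds(parsed: datetime, true_instant: datetime = TRUE_INSTANT) -> float:
    """How far (in seconds) a parsed End Time lands from the true instant;
    0 means the connector got it right."""
    return (parsed - true_instant).total_seconds()


if __name__ == "__main__":
    # 1. Epoch value: correct whatever the connector zone is.
    print("epoch   ", error_seconds(create_local_timestamp_from_seconds_since_epoch(SAMPLE_EPOCH_SECONDS)))
    # 2. UTC wall clock read by a UTC+8 connector: 8 h early (the tz problem).
    print("misread ", error_seconds(parse_as_connector_local(SAMPLE_UTC_WALLCLOCK, CONNECTOR_TZ)))
    # 3. Same column pre-shifted in SQL by +8 h, then read by the UTC+8 connector.
    shifted = dateadd_ms(SAMPLE_UTC_WALLCLOCK, TZ_OFFSET_MS)
    print("dateadd ", shifted, error_seconds(parse_as_connector_local(shifted, CONNECTOR_TZ)))
    # 4. Or leave the column alone and run the connector in UTC.
    print("utc conn", error_seconds(parse_as_connector_local(SAMPLE_UTC_WALLCLOCK, timezone.utc)))
```

Caveat for the SQL route: a fixed DATEADD offset is only correct for a connector zone that never changes offset. For a zone with DST the query would be an hour off for part of the year, whereas the epoch-based override or running the connector in UTC is right year-round.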

If you have the full source to the parser, doing this at SQL Level is ok too. I didn't know you had the parser for the ePO Connector.

Joachim
