Absent Member.

Cyber-Ark Integration Issue

Hi,

We are trying to integrate Cyber-Ark Vault logs into ArcSight, but Express cannot parse the logs properly. Device Vendor shows as "Symantec" and Device Product as "Mail Security Appliance".

---NAME SECTION IN THE PARSED LOG---

CEF: 0|Cyber-Ark|Vault|7.10.0060|236|Backup Metadata|5|act=Backup Metadata duser=DR fname= src=10.20.30.40 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Backup Metadata

---NAME SECTION IN THE PARSED LOG/---

---MESSAGE SECTION IN THE PARSED LOG---

7.10.0060|236|Backup Metadata|5|act=Backup Metadata duser=DR fname= src=10.20.30.40 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Backup Metadata

---MESSAGE SECTION IN THE PARSED LOG/---

---RAW LOG---

Sep  7 12:02:54 SERVERNAME CEF: 0|Cyber-Ark|Vault|7.10.0060|236|Backup Metadata|5|act=Backup Metadata duser=DR fname= src=10.20.30.40 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= cn1Label="Request Id" cn1= msg=, , Backup Metadata

---RAW LOG/---

---SYSLOG CONFIGURATION IN CYBER-ARK DBPARM.INI FILE---

[SYSLOG]

SyslogTranslatorFile=C:\Program Files (x86)\PrivateArk\Server\Arcsight.xsl

SyslogServerPort=514

SyslogServerIP=10.10.10.10

SyslogServerProtocol=UDP

SyslogMessageCodeFilter=0-999

SyslogSendBOMPrefix=NO

UseLegacySyslogFormat=yes

---SYSLOG CONFIGURATION OF CYBER-ARK DBPARM.INI FILE/---

---XSL CONFIGURATION IN ARCSIGHT.XSL FILE AT CYBER-ARK SERVER---

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:import href='./Syslog/RFC5424Changes.xsl'/>
<xsl:output method='text' version='1.0' encoding='UTF-8'/>
<xsl:template match="/">
   <xsl:apply-imports />
      <xsl:for-each select="syslog/audit_record">CEF:0|<xsl:value-of select="Vendor"/>|<xsl:value-of select="Product"/>|<xsl:value-of select="Version"/>|<xsl:value-of select="MessageID"/>|<xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose><xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Desc"/>
  </xsl:call-template>|<xsl:choose><xsl:when test="Severity='Critical'">10</xsl:when><xsl:when test="Severity='Error'">7</xsl:when><xsl:when test="Severity='Info'">5</xsl:when><xsl:otherwise>0</xsl:otherwise></xsl:choose><!--xsl:value-of select="Severity"/-->|act=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Action"/>
  </xsl:call-template> duser=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Issuer"/>
  </xsl:call-template> fname=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="File"/>
  </xsl:call-template> src=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Station"/>
  </xsl:call-template> cs1Label="Affected User Name" cs1=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="SourceUser"/>
  </xsl:call-template> cs2Label="Safe Name" cs2=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Safe"/>
  </xsl:call-template> cs3Label="Location" cs3=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Location"/>
  </xsl:call-template> cs4Label="Property Name" cs4=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Category"/>
  </xsl:call-template> cs5Label="Target User Name" cs5=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="TargetUser"/> 
  </xsl:call-template> cs6Label="Gateway Address" cs6=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="GatewayStation"/>  
  </xsl:call-template> cn1Label="Request Id" cn1=<xsl:value-of select="RequestId"/> msg=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Reason"/>
  </xsl:call-template>, <xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="ExtraDetails"/>
  </xsl:call-template>, <xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose><xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Message"/>
  </xsl:call-template></xsl:for-each>
</xsl:template>

<!-- replace all occurrences of the character(s) `from'
     by the string `to' in the string `string'.-->
<xsl:template name="string-replace" >
  <xsl:param name="string"/>
  <xsl:param name="from"/>
  <xsl:param name="to"/>
  <xsl:choose>
    <xsl:when test="contains($string,$from)">
      <xsl:value-of select="substring-before($string,$from)"/>
      <xsl:value-of select="$to"/>
      <xsl:call-template name="string-replace">
      <xsl:with-param name="string" select="substring-after($string,$from)"/>
      <xsl:with-param name="from" select="$from"/>
      <xsl:with-param name="to" select="$to"/>
      </xsl:call-template>
    </xsl:when>
    <xsl:otherwise>
      <xsl:value-of select="$string"/>
    </xsl:otherwise>
  </xsl:choose>
</xsl:template>

</xsl:stylesheet>

---XSL CONFIGURATION IN ARCSIGHT.XSL FILE AT CYBER-ARK SERVER/---

11 Replies

Super Contributor.

Hiya,

Wondering if you have managed to get this issue resolved by any chance?

Best Regards.

Respected Contributor.

Hello Asuri,

Do you have the same issue? If so, how is your setup? Do you receive the Cyber-Ark logs through a syslog pipe?

The problem in the original question is most likely caused by a space between CEF: and the 0. This causes the parser not to see it as a CEF event. We have seen this happen when we used rsyslog to receive the events and a pipe to pass them through to the ArcSight syslog agent. We solved this by sending the events in a different format from rsyslog through the pipe to the ArcSight agent.

Regards,

Richard

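A small CEF header and extension parser, added here as an illustration and not code from this thread, ArcSight or CyberArk, makes the point above concrete: a strict marker check rejects `CEF: 0|...` (the raw line from the original post) while accepting `CEF:0|...`, and the extension tokeniser reverses the `\=` escaping that the string-replace template in the stylesheets above emits. `strict=True` mirrors a receiver that requires the literal `CEF:<version>|` prefix; that the connector behaves exactly this way is the thread's inference, not something this example verifies. The function names, the `diagnose()` labels and the second sample line (with a `\|` in the header and a `\=` in a value) are this example's own; the first sample line is the raw log from the original post.

```python
"""Minimal CEF parser used to show why "CEF: 0|..." is not treated as CEF.

Added example for this thread, not ArcSight or CyberArk code. The marker regex,
the field names and the diagnose() labels are this example's own choices.
"""
import re

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# A conforming marker has no whitespace between "CEF:" and the version digit;
# group 1 captures any such whitespace so we can report it.
_MARKER = re.compile(r'^CEF:(\s*)(\d+)\|')
# Extension keys are bare identifiers at the start of the string or after whitespace.
# An escaped "\=" inside a value never matches because "\" is not a key character.
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')
_ESC = re.compile(r'\\(.)')
_UNESCAPE = {'n': '\n', 'r': '\r'}   # \= and \\ unescape to the character itself


def find_cef(raw_syslog_line):
    """Return the CEF payload (from 'CEF:' to end of line) or None if there is no marker."""
    idx = raw_syslog_line.find('CEF:')
    return None if idx < 0 else raw_syslog_line[idx:]


def repair_cef_marker(payload):
    """Collapse 'CEF: 0|' to 'CEF:0|': the one-character rewrite a relay would need."""
    return re.sub(r'^CEF:\s+(\d+)\|', r'CEF:\1|', payload, count=1)


def _split_header(body):
    """Split the six header fields after the version, honouring \\| and \\\\ escapes.
    Returns (fields, raw_extension); the extension keeps its escapes for the next stage."""
    fields, cur, i, n = [], [], 0, len(body)
    while i < n and len(fields) < 6:
        c = body[i]
        if c == '\\' and i + 1 < n:          # escaped pipe or backslash inside a header field
            cur.append(body[i + 1]); i += 2
        elif c == '|':
            fields.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 6:
        raise ValueError('CEF header needs 7 pipe-delimited fields before the extension')
    return fields, body[i:]


def _parse_extension(ext):
    """Tokenise 'key=value key2=value2'; values may contain spaces and \\= escapes."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)   # value runs up to the space before the next key
        raw = ext[k.end():end]
        out[k.group(1)] = _ESC.sub(lambda m: _UNESCAPE.get(m.group(1), m.group(1)), raw)
    return out


def parse_cef(payload, strict=True):
    """Parse one CEF payload into a dict. With strict=True any whitespace after 'CEF:' is rejected."""
    m = _MARKER.match(payload)
    if not m:
        raise ValueError('not a CEF payload: no "CEF:<version>|" marker at start')
    if m.group(1) and strict:
        raise ValueError('whitespace between "CEF:" and the version: %r' % payload[:8])
    fields, ext = _split_header(payload[m.end():])
    vendor, product, dev_version, sig_id, name, severity = fields
    return {'version': m.group(2), 'vendor': vendor, 'product': product,
            'device_version': dev_version, 'signature_id': sig_id, 'name': name,
            'severity': severity, 'extension': _parse_extension(ext)}


def diagnose(raw_syslog_line):
    """Classify a syslog line by the marker defect this thread is about."""
    payload = find_cef(raw_syslog_line)
    if payload is None:
        return 'no-cef-marker'
    m = _MARKER.match(payload)
    if not m:
        return 'malformed-marker'
    return 'space-after-marker' if m.group(1) else 'ok'


# The raw line from the original post; only the marker defect keeps it out of the CEF path.
RAW_FROM_THREAD = ('Sep  7 12:02:54 SERVERNAME CEF: 0|Cyber-Ark|Vault|7.10.0060|236|Backup Metadata|5|'
                   'act=Backup Metadata duser=DR fname= src=10.20.30.40 cs1Label="Affected User Name" '
                   'cs1= cs2Label="Safe Name" cs2= cs3Label="Location" cs3= cs4Label="Property Name" cs4= '
                   'cs5Label="Target User Name" cs5= cs6Label="Gateway Address" cs6= '
                   'cn1Label="Request Id" cn1= msg=, , Backup Metadata')
# Constructed line (not from the thread): a \| in the header and the \= escape the stylesheet emits.
CONSTRUCTED_ESCAPED = ('CEF:0|Cyber-Ark|Vault\\|DR|7.10.0060|295|Retrieve password|5|'
                       'act=Retrieve password duser=alice msg=Reason\\=Ticket INC0001, , Retrieve password')

if __name__ == '__main__':
    print(diagnose(RAW_FROM_THREAD))                                   # space-after-marker
    event = parse_cef(repair_cef_marker(find_cef(RAW_FROM_THREAD)))
    print(event['vendor'], event['product'], event['extension']['src'])
    print(parse_cef(CONSTRUCTED_ESCAPED)['extension']['msg'])
```

Running `diagnose()` over a capture taken on each side of the pipe (what the Vault sends, what rsyslog or syslog-ng writes, what the connector reads) shows which stage introduces the space. `repair_cef_marker()` is the minimal relay-side fix, but correcting the sender, as the thread does with the stylesheet, is preferable: a rewrite rule that edits message bodies in the relay can itself corrupt events. Note that the quotes around the `csNLabel` values are emitted literally by the stylesheet; CEF has no quoting, so they arrive as part of the label.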
Absent Member.

Yes, we have solved this issue with the same solution, thanks.

Sent from my iPhone

On 18 Aug 2014 at 16:57, "vandaag" <p724-reply@arcsightprotect724-v7.hosted.jivesoftware.com> wrote:

Protect 724 <https://protect724.hp.com/>

Cyber-Ark Integration Issue

reply from vandaag <https://protect724.hp.com/people/vandaag?et=watches.email.thread> in Interact - View the full discussion <https://protect724.hp.com/message/48267?et=watches.email.thread#48267>

Visitor.

Hello,

We are also having some issues with CyberArk logs. In our setup, syslog-ng collects the logs and forwards them to a pipe, and the ArcSight connector is reading from that pipe. But syslog-ng interprets multiple messages as one message. Could any of you please explain the syslog-ng method to resolve this?

Thank you,

Sareesh

Absent Member.

Hi,

First, please check that the dbparm.ini file located at YourVaultServer/Program Files(x86)/PrivateArk/Server contains the following.

[SYSLOG]

SyslogTranslatorFile=C:\Program Files (x86)\PrivateArk\Server\Arcsight.xsl

SyslogServerPort=514

SyslogServerIP=10.X.X.X

SyslogServerProtocol=UDP

SyslogMessageCodeFilter=0-999

SyslogSendBOMPrefix=NO

And our Arcsight.xsl content is as follows (the key point may be the blank character before CEF:0| ):

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:import href='./Syslog/RFC5424Changes.xsl'/>
<xsl:output method='text' version='1.0' encoding='UTF-8'/>
<xsl:template match="/">
   <xsl:apply-imports />
      <xsl:for-each select="syslog/audit_record"> CEF:0|<xsl:value-of select="Vendor"/>|<xsl:value-of select="Product"/>|<xsl:value-of select="Version"/>|<xsl:value-of select="MessageID"/>|<xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose><xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Desc"/>
  </xsl:call-template>|<xsl:choose><xsl:when test="Severity='Critical'">10</xsl:when><xsl:when test="Severity='Error'">7</xsl:when><xsl:when test="Severity='Info'">5</xsl:when><xsl:otherwise>0</xsl:otherwise></xsl:choose><!--xsl:value-of select="Severity"/-->|act=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Action"/>
  </xsl:call-template> duser=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Issuer"/>
  </xsl:call-template> fname=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="File"/>
  </xsl:call-template> src=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Station"/>
  </xsl:call-template> cs1Label="Affected User Name" cs1=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="SourceUser"/>
  </xsl:call-template> cs2Label="Safe Name" cs2=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Safe"/>
  </xsl:call-template> cs3Label="Location" cs3=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Location"/>
  </xsl:call-template> cs4Label="Property Name" cs4=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Category"/>
  </xsl:call-template> cs5Label="Target User Name" cs5=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="TargetUser"/> 
  </xsl:call-template> cs6Label="Gateway Address" cs6=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="GatewayStation"/>  
  </xsl:call-template> cn1Label="Request Id" cn1=<xsl:value-of select="RequestId"/> msg=<xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Reason"/>
  </xsl:call-template>, <xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="ExtraDetails"/>
  </xsl:call-template>, <xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose><xsl:call-template name="string-replace">
    <xsl:with-param name="from" select="'='"/>
    <xsl:with-param name="to" select="'\='"/>
    <xsl:with-param name="string" select="Message"/>
  </xsl:call-template></xsl:for-each>
</xsl:template>

<!-- replace all occurrences of the character(s) `from'
     by the string `to' in the string `string'.-->
<xsl:template name="string-replace" >
  <xsl:param name="string"/>
  <xsl:param name="from"/>
  <xsl:param name="to"/>
  <xsl:choose>
    <xsl:when test="contains($string,$from)">
      <xsl:value-of select="substring-before($string,$from)"/>
      <xsl:value-of select="$to"/>
      <xsl:call-template name="string-replace">
      <xsl:with-param name="string" select="substring-after($string,$from)"/>
      <xsl:with-param name="from" select="$from"/>
      <xsl:with-param name="to" select="$to"/>
      </xsl:call-template>
    </xsl:when>
    <xsl:otherwise>
      <xsl:value-of select="$string"/>
    </xsl:otherwise>
  </xsl:choose>
</xsl:template>

</xsl:stylesheet>

Visitor.

Thanks @Kutluhan, I will check and let you know. Regards, Sareesh

Visitor.

Hi Kutluhan,

Please find below our Arcsight.xsl file; it seems to be fine.

<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:import href='./Syslog/RFC5424Changes.xsl'/>
    <xsl:output method='text' version='1.0' encoding='UTF-8'/>

    <xsl:template match="/">
   <xsl:apply-imports />
        <xsl:for-each select="syslog/audit_record">CEF:0|<xsl:value-of select="Vendor"/>|<xsl:value-of select="Product"/>|<xsl:value-of select="Version"/>|<xsl:value-of select="MessageID"/>|<xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose><xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Desc"/>
        </xsl:call-template>|<xsl:choose><xsl:when test="Severity='Critical'">10</xsl:when><xsl:when test="Severity='Error'">7</xsl:when><xsl:when test="Severity='Info'">5</xsl:when><xsl:otherwise>0</xsl:otherwise></xsl:choose><!--xsl:value-of select="Severity"/-->|act=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Action"/>
        </xsl:call-template> suser=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Issuer"/>
        </xsl:call-template> fname=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="File"/>
        </xsl:call-template> dvc=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="GatewayStation"/>
        </xsl:call-template> shost=<xsl:choose>
            <!--xsl:If its PSM Connect and Disconnect event we will show SrcHost value
                otherwise we will show station value"/-->
            <xsl:when test="MessageID=300 or MessageID=301 or MessageID=302 or MessageID=303"><xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'SrcHost='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
            </xsl:call-template></xsl:when>
            <xsl:otherwise><xsl:call-template name="string-replace">
                <xsl:with-param name="from" select="'='"/>
                <xsl:with-param name="to" select="'\='"/>
                <xsl:with-param name="string" select="Station"/>
            </xsl:call-template></xsl:otherwise>
        </xsl:choose> dhost=<xsl:choose>
            <!--xsl:If its PSM Connect and Disconnect event we will show DstHost value/-->
            <xsl:when test="MessageID=300 or MessageID=301 or MessageID=302 or MessageID=303"><xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'DstHost='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
            </xsl:call-template></xsl:when>
            <!--xsl:For transparent connection event we will show RemoteMachine value
                from the PVWA XML/-->
            <xsl:when test="MessageID=295 and PvwaDetails/RequestReason/ConnectionDetails/RemoteMachine!=''"><xsl:call-template name="string-replace">
                <xsl:with-param name="from" select="'='"/>
                <xsl:with-param name="to" select="'\='"/>
                <xsl:with-param name="string" select="PvwaDetails/RequestReason/ConnectionDetails/RemoteMachine"/>
            </xsl:call-template></xsl:when>
            <!--xsl:Check if extra details is not empty and if so extract the DstHost value from it/-->
                <xsl:when test="ExtraDetails!=''"><xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'DstHost='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
                </xsl:call-template></xsl:when>
            <!--xsl:Otherwise we will show Address value from the file categories/-->
            <xsl:otherwise><xsl:for-each select="CAProperties/CAProperty"><xsl:if test="@Name='Address'"><xsl:call-template name="string-replace">
                    <xsl:with-param name="from" select="'='"/>
                    <xsl:with-param name="to" select="'/='"/>
                    <xsl:with-param name="string" select="@Value"/></xsl:call-template></xsl:if></xsl:for-each>
            </xsl:otherwise>
        </xsl:choose> duser=<xsl:choose>
            <!--xsl:If its PSM Connect and Disconnect event we will show User value/-->
            <xsl:when test="MessageID=300 or MessageID=301 or MessageID=302 or MessageID=303"><xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'User='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
                <!--xsl:If it is not PSM we check if the Target user field is not empty; if so we show its value/-->
            </xsl:call-template></xsl:when><xsl:when test="TargetUser != ''">
                <xsl:call-template name="string-replace">
                    <xsl:with-param name="from" select="'='"/>
                    <xsl:with-param name="to" select="'\='"/>
                    <xsl:with-param name="string" select="TargetUser"/></xsl:call-template></xsl:when>
            <!--xsl:Otherwise we show the username value from the file categories/-->
            <xsl:otherwise><xsl:for-each select="CAProperties/CAProperty"><xsl:if test="@Name='UserName'"><xsl:call-template name="string-replace">
                <xsl:with-param name="from" select="'='"/>
                <xsl:with-param name="to" select="'/='"/>
                <xsl:with-param name="string" select="@Value"/></xsl:call-template></xsl:if></xsl:for-each>
            </xsl:otherwise></xsl:choose> externalId=<xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'SessionID='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
            </xsl:call-template> app=<xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'Protocol='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
            </xsl:call-template> reason=<xsl:call-template name="string-GetValue">
                <xsl:with-param name="from" select="'Command='"/>
                <xsl:with-param name="to" select="';'"/>
                <xsl:with-param name="string" select="ExtraDetails"/>
            </xsl:call-template> cs1Label="Affected User Name" cs1=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="SourceUser"/>
        </xsl:call-template> cs2Label="Safe Name" cs2=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Safe"/>
        </xsl:call-template> cs3Label="Device Type" cs3=<xsl:for-each select="CAProperties/CAProperty"><xsl:if test="@Name='DeviceType'"><xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'/='"/>
            <xsl:with-param name="string" select="@Value"/>
        </xsl:call-template></xsl:if></xsl:for-each> cs4Label="Database" cs4=<xsl:call-template name="string-GetValue">
            <xsl:with-param name="from" select="'DataBase='"/>
            <xsl:with-param name="to" select="';'"/>
            <xsl:with-param name="string" select="ExtraDetails"/>
        </xsl:call-template> cs5Label="Other info" cs5=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Location"/>
        </xsl:call-template> <xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Category"/>
        </xsl:call-template> <xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="GatewayStation"/>
        </xsl:call-template> cn1Label="Request Id" cn1=<xsl:value-of select="RequestId"/> cn2Label="Ticket Id" cn2=<xsl:value-of select="Reason"/>  msg=<xsl:call-template name="string-replace">
            <xsl:with-param name="from" select="'='"/>
            <xsl:with-param name="to" select="'\='"/>
            <xsl:with-param name="string" select="Reason"/>
        </xsl:call-template> <xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose>
      </xsl:for-each>
    </xsl:template>

    <!-- Gets the Value of a member from a long string
           from - the name of the member(pre)
           to - this represents the end of the value(post)
           it also calls the string-replace and replaces the = with /=
           Parsing needed for Arcsight.-->
    <xsl:template name="string-GetValue" >
        <xsl:param name="string"/>
        <xsl:param name="from"/>
        <xsl:param name="to"/>
        <xsl:choose>
            <xsl:when test="contains($string,$from)">
                <xsl:call-template name="string-replace">
                    <xsl:with-param name="string" select="substring-before(substring-after($string,$from),$to)"/>
                    <xsl:with-param name="from" select="'='"/>
                    <xsl:with-param name="to" select="'/='"/>
                </xsl:call-template>
            </xsl:when>
        </xsl:choose>
    </xsl:template>

    <!-- replace all occurrences of the character(s) `from'
     by the string `to' in the string `string'.-->
    <xsl:template name="string-replace" >
        <xsl:param name="string"/>
        <xsl:param name="from"/>
        <xsl:param name="to"/>
        <xsl:choose>
            <xsl:when test="contains($string,$from)">
                <xsl:value-of select="substring-before($string,$from)"/>
                <xsl:value-of select="$to"/>
                <xsl:call-template name="string-replace">
                    <xsl:with-param name="string" select="substring-after($string,$from)"/>
                    <xsl:with-param name="from" select="$from"/>
                    <xsl:with-param name="to" select="$to"/>
                </xsl:call-template>
            </xsl:when>
            <xsl:otherwise>
                <xsl:value-of select="$string"/>
            </xsl:otherwise>
        </xsl:choose>
    </xsl:template>

</xsl:stylesheet>

Absent Member.

First, try inserting a space character before the "CEF:0|<xsl:value-of select" in your xsl file, like below.

<xsl:for-each select="syslog/audit_record"> CEF:0|<xsl:value-of select="Vendor"/>|<xsl:value-of select="Product"/>|<xsl:value-of select="Version"/>|<xsl:value-of select="MessageID"/>|<xsl:choose><xsl:when test="Severity='Critical' or Severity='Error'">Failure: </xsl:when></xsl:choose><xsl:call-template name="string-replace">

If it does not solve the problem, replace the xsl file with the one I sent.

Visitor.

The parsing problem got solved after switching to UDP. We were using TCP, and syslog-ng was replacing the newline character with a space. Thanks for the support.

Regards,

Sareesh

Absent Member.

Anytime, you're welcome.

I am glad to hear that the problem has been solved.

Contributor.

Has anyone actually got it working using the TCP protocol for sending Cyber-Ark events? UDP is working, but TCP is not for me. When sending with TCP, the events get cut off in the middle, and the portion of the event which got cut off is added to the beginning of the next event; as a result it messes up the format of the event and the SmartConnector is not able to parse it correctly. Does anyone have the same issue, or got TCP working? Need help, appreciate it.

Regards,

Dennis
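
The two TCP symptoms reported in this thread (syslog-ng replacing the newline with a space, and events cut in the middle with the remainder glued onto the next event) are both framing problems. UDP delivers one event per datagram, but TCP is a byte stream with no message boundaries of its own: a receiver that treats each read as one message sees cut events, and a relay that rewrites the LF delimiter to a space fuses several events into one. The simulation below is an added example, not syslog-ng, rsyslog, ArcSight or CyberArk code; the three events, the segment sizes, the `StreamReassembler` class and the helper names are constructed for illustration. It frames events with RFC 6587 non-transparent (LF-terminated) framing and with octet-counting framing, cuts the stream at arbitrary segment boundaries, and compares a naive per-read receiver with a buffering one.

```python
"""Framing of CEF-over-syslog on a TCP stream.

Added example for this thread, not syslog-ng, rsyslog, ArcSight or CyberArk code.
The sample events and segment sizes are constructed; the two framings are
RFC 6587's non-transparent (LF) framing and octet-counting framing.
"""
import re

_CEF_MARKER = re.compile(rb'CEF:\d+\|')

# Three constructed Vault audit events in the shape the thread's stylesheet emits.
EVENTS = [
    b'<14>Sep  7 12:02:54 VAULT01 CEF:0|Cyber-Ark|Vault|7.10.0060|236|Backup Metadata|5|'
    b'act=Backup Metadata duser=DR src=10.20.30.40',
    b'<14>Sep  7 12:02:55 VAULT01 CEF:0|Cyber-Ark|Vault|7.10.0060|295|Retrieve password|5|'
    b'act=Retrieve password duser=alice src=10.20.30.41',
    b'<14>Sep  7 12:02:56 VAULT01 CEF:0|Cyber-Ark|Vault|7.10.0060|7|Logon|5|'
    b'act=Logon duser=PasswordManager src=10.20.30.42',
]


def frame_lf(events):
    """Non-transparent framing: each message is terminated by LF."""
    return b''.join(e + b'\n' for e in events)


def frame_octet(events):
    """Octet-counting framing: 'MSG-LEN SP MSG'; safe for messages that contain LF."""
    return b''.join(b'%d %s' % (len(e), e) for e in events)


def segment(stream, sizes):
    """Cut a byte stream into TCP-segment-sized chunks; sizes need not align with messages."""
    chunks, pos = [], 0
    for size in sizes:
        if pos >= len(stream):
            break
        chunks.append(stream[pos:pos + size])
        pos += size
    if pos < len(stream):
        chunks.append(stream[pos:])
    return chunks


def naive_receiver(chunks):
    """The failure mode from the thread: treat every read() result as one event."""
    return [c.rstrip(b'\n') for c in chunks]


class StreamReassembler:
    """Buffer a TCP byte stream and hand back only complete messages.
    mode='lf' splits on LF; mode='octet' reads the length prefix first."""

    def __init__(self, mode='lf'):
        self.mode, self.buf = mode, b''

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while True:
            if self.mode == 'lf':
                nl = self.buf.find(b'\n')
                if nl < 0:
                    break                        # wait for the rest of the line
                out.append(self.buf[:nl])
                self.buf = self.buf[nl + 1:]
            else:
                sp = self.buf.find(b' ')
                if sp < 0:
                    break                        # length prefix not complete yet
                length = int(self.buf[:sp])
                if len(self.buf) < sp + 1 + length:
                    break                        # message body not complete yet
                out.append(self.buf[sp + 1:sp + 1 + length])
                self.buf = self.buf[sp + 1 + length:]
        return out


def receive(chunks, mode='lf'):
    """Feed every segment through a reassembler; returns (messages, leftover bytes)."""
    r = StreamReassembler(mode)
    msgs = []
    for c in chunks:
        msgs.extend(r.feed(c))
    return msgs, r.buf


def cef_markers(message):
    """How many CEF headers a receiver finds in one message (1 is healthy)."""
    return len(_CEF_MARKER.findall(message))


def fuse_on_space(events):
    """What a relay that rewrites LF to SP produces: one message holding every event."""
    return b' '.join(events)


if __name__ == '__main__':
    sizes = [40, 200, 13, 90, 500]               # constructed, deliberately misaligned segments
    chunks = segment(frame_lf(EVENTS), sizes)
    print([cef_markers(m) for m in naive_receiver(chunks)])   # cut events: 0 or 1 per read
    print([cef_markers(m) for m in receive(chunks, 'lf')[0]]) # reassembled: 1 per event
    print(cef_markers(fuse_on_space(EVENTS)))                 # fused: every event in one message
```

Octet-counting is the framing to prefer where both ends support it: an audit record whose ExtraDetails or Reason field carries a newline is split in two under LF framing, as the last check in the test shows. Whichever framing is used, the Vault sender, the relay and the SmartConnector have to agree on it, and `cef_markers()` run over what the connector actually receives is a quick way to see whether they do (1 per message is healthy; 0 or more than 1 means cut or fused events).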
