waydaws

Documentation for creating flexconnectors


Hi,

Anyone know where I can get documentation on creating flex connectors?  I need to create one for a simple proprietary file, but haven't done any.


Accepted Solution

a2g

Re: Documentation for creating flexconnectors


Start with ArcSight's official FlexConnector Developer's Guide, of course. It's normally found at ArcSight's Download Center under Smart Connectors Documentation.

If you need help, circle back to this forum.

A.

12 Replies
waydaws

Re: Documentation for creating flexconnectors


Thanks, I will look there.

alexandru.stoch

Re: Documentation for creating flexconnectors


Hi Anton,

I'm trying to create a DB flex connector. The audit logs are split into 2 tables. The DB admin created a view for me with data from both tables. The problem is that the ActionID, unique in table 1, is multiplied because it is referred to by many subactions in table 2. So now, in the view, an event is split into n lines. Is there a way to take n lines and combine them into one event from the flexconnector? Or is there a way to query both tables to create the event data?

Many thanks,

Alex

a2g

Re: Documentation for creating flexconnectors


Alexandru,

I've reposted your question and tried answering it on Meta/Answers: http://answers.metanet.io/questions/17/how-to-deal-with-sub-actions-in-event-tables.

Cheers,

A.

alexandru.stoch

Re: Documentation for creating flexconnectors


Hi Anton,

Thank you for your quick response. The data is somewhat confidential, but I can create a scenario for you:

We have 2 tables:

Table t1, primary key customID:

customID   username        action        agentID
1111       company/user1   access file   whatever

Table t2, primary key customID+step:

customID   name           step   message
1111       Login action   0      Login to user1 profile
1111       workspace      1      workspace user1
1111       file access    2      file:c:/folder/file1 write
1111       file access    3      file save

The view created at this moment, which I can use for the flex connector:

customID   username        action        agentID    name           step   message
1111       company/user1   access file   whatever   Login action   0      Login to user1 profile
1111       company/user1   access file   whatever   workspace      1      workspace user1
1111       company/user1   access file   whatever   file access    2      file:c:/folder/file1 write
1111       company/user1   access file   whatever   file access    3      file save

So I need all the info from the view. How can I use it in an ID-based DB flex connector? At the moment the only solution that comes to me is from a DBA. He could create a procedure to make a view with the following structure:

customID   username        action        agentID    Custom message
1111       company/user1   access file   whatever   0    Login action    Login to user1 profile
                                                    1    workspace       workspace user1
                                                    2    file access     file:c:/folder/file1 write
                                                    3    file access     file save

From here I should be able to match it to the ArcSight CEF fields. What do you think?

Cheers,

Alex

gportnoy1

Re: Documentation for creating flexconnectors


Alex,

I've gone down this path once with a product we were trying to integrate and hit a dead end. If there are always the same number of rows in t2 corresponding to an entry in t1, you can try to implement pivot queries, which may work, depending on the data and the experience of the DBA.

Of course the "right" way would be for the flexconnector framework to support running multiple queries out of the same parser. That way you can use the output of one query as an input to another to look up additional information for an event. This isn't officially supported, though I believe something similar is being used by ArcSight for Symantec Endpoint Protection DB agent, I just don't understand how they are achieving it.

One thing you actually can try to do is to build on Anton's suggestion and after you get all of the t2 entries in that custom message field, pass it on to a chained parser that'll take care of parsing that text further. Look into Extra Processors in FlexConn Dev Guide. I believe I also shared a Quest Change Auditor for Exchange parser on this forum that utilizes the same functionality (SQL query passing a field to a regex parser).

Now that I think about it, I wonder if you can link two DB parsers together to achieve what you are trying to do? Let me know if you try it and it works.

a2g
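To make the two approaches discussed above concrete (the DBA-built view that packs the t2 steps into one "Custom message" column, and the chained parser that takes that column apart again), here is an added example; it is not code from this thread, from ArcSight, or from a FlexConnector. It uses SQLite and Python standalone in place of the real database and the FlexConnector extra processor, and the rows, the separators (";" inside a step, " | " between steps) and the step layout are constructed assumptions modelled on Alex's scenario.

```python
import re
import sqlite3

# Constructed sample rows mirroring the t1/t2 scenario in the thread (not real audit data).
T1_ROWS = [(1111, "company/user1", "access file", "whatever")]
T2_ROWS = [
    (1111, "Login action", 0, "Login to user1 profile"),
    (1111, "workspace", 1, "workspace user1"),
    (1111, "file access", 2, "file:c:/folder/file1 write"),
    (1111, "file access", 3, "file save"),
]

# Assumed separators. A DBA would pick ones that cannot occur in the message text;
# the step number and name are ';'-delimited, steps are joined with ' | '.
STEP_SEP = " | "
STEP_RE = re.compile(r"^(?P<step>\d+);(?P<name>[^;]*);(?P<message>.*)$")


def build_db():
    """Create t1, t2 and the aggregated view the DBA was asked for (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute(
        "CREATE TABLE t1 (customID INTEGER PRIMARY KEY, username TEXT, action TEXT, agentID TEXT)"
    )
    cur.execute(
        "CREATE TABLE t2 (customID INTEGER, name TEXT, step INTEGER, message TEXT,"
        " PRIMARY KEY (customID, step))"
    )
    cur.executemany("INSERT INTO t1 VALUES (?,?,?,?)", T1_ROWS)
    cur.executemany("INSERT INTO t2 VALUES (?,?,?,?)", T2_ROWS)
    # One row per customID: the n step rows from t2 collapse into a single text column.
    # group_concat is SQLite's string aggregate; Oracle has LISTAGG, SQL Server STRING_AGG.
    cur.execute(
        """
        CREATE VIEW audit_events AS
        SELECT t1.customID, t1.username, t1.action, t1.agentID,
               group_concat(t2.step || ';' || t2.name || ';' || t2.message, ' | ') AS custom_message
        FROM t1
        JOIN (SELECT * FROM t2 ORDER BY customID, step) AS t2 ON t2.customID = t1.customID
        GROUP BY t1.customID, t1.username, t1.action, t1.agentID
        """
    )
    conn.commit()
    return conn


def parse_custom_message(custom_message):
    """The 'chained parser' stage: split the packed column back into (step, name, message).

    Steps are re-sorted by number so the result does not depend on the database's
    aggregation order, which most engines do not guarantee without an explicit clause.
    """
    steps = []
    for chunk in custom_message.split(STEP_SEP):
        m = STEP_RE.match(chunk)
        if not m:
            raise ValueError(f"unparseable step fragment: {chunk!r}")
        steps.append((int(m.group("step")), m.group("name"), m.group("message")))
    return sorted(steps)


def fetch_events(conn):
    """Read the view one row per customID and attach the parsed step list to each event."""
    events = []
    query = "SELECT customID, username, action, agentID, custom_message FROM audit_events"
    for customID, username, action, agentID, custom_message in conn.execute(query):
        events.append(
            {
                "customID": customID,
                "username": username,
                "action": action,
                "agentID": agentID,
                "steps": parse_custom_message(custom_message),
            }
        )
    return events


if __name__ == "__main__":
    for event in fetch_events(build_db()):
        print(event)
```

The parsed step list is what the regex stage of the chained parser would expose as separate fields; if, as Anton suggests, the steps are better kept as separate events, the same loop can emit one event per tuple instead of one per customID.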

Re: Documentation for creating flexconnectors


Alex,

In this particular example, I wouldn't bundle the steps into one event; I'd keep them separate. The reason is that I see 4 different types of activity happening:

1. Successful User Authentication

2. (I'm guessing) Successful User Authorization

3. File Object Access

4. File Object Access or a Configuration Change (depending on what type of file is being accessed)

If steps 1-3 always follow step 0, and you don't necessarily care about the data in it, just filter it out. By clamping all the steps into one description field you're losing flexibility in the management of that data.

alexandru.stoch

Re: Documentation for creating flexconnectors


Hi guys,

Thank you for your attention to this topic. I managed to take the data through SQL. My example is not very good; the data from t2 is more ambiguous, so I need it in this format.

Many thanks,

alex

gportnoy1

Re: Documentation for creating flexconnectors


In that case I think you'll be able to link parsers (extraprocessors) to get the details out of that one field.

Good Luck!

alexandru.stoch

Re: Documentation for creating flexconnectors


Hi again,

I have another challenge.

So I have the next file with the following logs:

$/admin
Version: 10
User: User           Date:  2/01/11 Time:  1:38p
name_file.txt added
Comment: teste log acces
$/path_name
Version: 348
User: User         Date: 2.02.11  Time: 10:47a
1.pdf renamed to 2.pdf
$/path_name/name.fmb
Version: 9
User: User1       Date:  2.02.11  Time:  11:57
Checked in
$/path_name/name01.fmb
Version: 8
User: User2      Date:  7-02-11  Time:  15:16
Checked in

As you can see, the date and time have multiple patterns; I think they are based on the user workstation configuration, so they are not set by the logging source. Anyway, I need to parse this file and I think I can do it with submessages. More than that, I found that I can only use the default submessage form with multiple patterns because I don't have event IDs.

I've attached 2 configs. One is working only for the 3rd event and one is what I tried to do regarding the submessage approach for the first event type.

Can you help me please?

Best regards,

alex
a2g
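The log excerpt above has two properties that make a single-pattern parser fail: records span several lines, and the date/time formats differ per record. The following is an added example, not code from the thread or the attached configs, and not a FlexConnector properties file; it is a standalone Python parser that shows one way to handle both. The sample text is constructed from the excerpt, and the day-first reading of the dates (2.02.11 as 2 February 2011) is an assumption; the poster's source may differ.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt in the thread (not the poster's attachment).
SAMPLE_LOG = """$/admin
Version: 10
User: User           Date:  2/01/11 Time:  1:38p
name_file.txt added
Comment: teste log acces
$/path_name
Version: 348
User: User         Date: 2.02.11  Time: 10:47a
1.pdf renamed to 2.pdf
$/path_name/name.fmb
Version: 9
User: User1       Date:  2.02.11  Time:  11:57
Checked in
$/path_name/name01.fmb
Version: 8
User: User2      Date:  7-02-11  Time:  15:16
Checked in
"""

# The User/Date/Time line: capture the three tokens, tolerate variable spacing.
HEADER_RE = re.compile(r"^User:\s*(?P<user>\S+)\s+Date:\s*(?P<date>\S+)\s+Time:\s*(?P<time>\S+)\s*$")
# Date separators seen in the excerpt: '/', '.', '-'. Day-first order is an assumption.
DATE_FORMATS = ("%d/%m/%y", "%d.%m.%y", "%d-%m-%y")
TIME_RE = re.compile(r"^(?P<hhmm>\d{1,2}:\d{2})(?P<ampm>[ap])?$")

# Action lines have no event id, so the event type is derived from the text itself.
ACTION_PATTERNS = [
    ("rename", re.compile(r"^(?P<old>\S+) renamed to (?P<new>\S+)$")),
    ("add", re.compile(r"^(?P<file>\S+) added$")),
    ("checkin", re.compile(r"^Checked in$")),
]


def parse_timestamp(date_s, time_s):
    """Normalise the per-workstation date/time variants into one datetime."""
    m = TIME_RE.match(time_s)
    if not m:
        raise ValueError(f"unrecognised time: {time_s!r}")
    if m.group("ampm"):  # 12-hour clock with a bare 'a'/'p' suffix
        t = datetime.strptime(m.group("hhmm") + m.group("ampm").upper() + "M", "%I:%M%p").time()
    else:  # 24-hour clock
        t = datetime.strptime(m.group("hhmm"), "%H:%M").time()
    for fmt in DATE_FORMATS:
        try:
            d = datetime.strptime(date_s, fmt).date()
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised date: {date_s!r}")
    return datetime.combine(d, t)


def classify_action(action):
    """Map the free-text action line to an event type plus extracted fields."""
    for name, pat in ACTION_PATTERNS:
        m = pat.match(action)
        if m:
            return name, m.groupdict()
    return "unknown", {"raw": action}


def parse_log(text):
    """Split the file into records: each '$/' path line starts a new one."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("$/"):
            if current is not None:
                records.append(current)
            current = {"path": line, "comment": None, "action": None}
            continue
        if current is None:
            raise ValueError("data before the first '$/' record header")
        if line.startswith("Version:"):
            current["version"] = int(line.split(":", 1)[1])
        elif line.startswith("User:"):
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"bad header line: {line!r}")
            current["user"] = m.group("user")
            current["timestamp"] = parse_timestamp(m.group("date"), m.group("time"))
        elif line.startswith("Comment:"):
            current["comment"] = line.split(":", 1)[1].strip()
        elif line.strip():
            current["action"] = line.strip()
            current["event_type"], current["fields"] = classify_action(current["action"])
    if current is not None:
        records.append(current)
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["timestamp"].isoformat(), rec["user"], rec["event_type"], rec["path"])
```

Each record's `event_type` plays the role of the missing event id: once the type is known, the remaining fields can be mapped to CEF fields per type rather than through one pattern that has to match every variant. Unparseable dates raise instead of being silently dropped, so a new workstation format shows up as an error rather than a gap in the audit trail.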

Re: Documentation for creating flexconnectors


Alexandru,

You should really move this question to a new topic.

A.
