
[FlexConnector]-CEF Format Data

Hi everyone,

Would it be possible to build a FlexConnector on top of CEF-enabled format data? There is a particular field I would like to further break down using a FlexConnector rather than doing it in ESM, which would make the rule more difficult and resource intensive.

Thanks

Roy


Re: [FlexConnector]-CEF Format Data

I think your device doesn't use CEF properly. Each individual piece of information should go into its own field, and if there is no standard field for it, it should put the value in the "deviceCustomX" fields.

Anyway, I don't think you can do that at the connector level, but you could probably design global variables which could do the work for you in ArcSight content.


Re: [FlexConnector]-CEF Format Data

Hi vip,

I do agree with you regarding the device; unfortunately, there is not much I can do about it. However, I would prefer to achieve it at the Connector level if possible, to minimize the load on the ESM, as there is a bit of work before ESM can extract this information from the events, not to mention it is difficult to extract...

Thanks

Roy


Re: [FlexConnector]-CEF Format Data

You can rewrite your own CEF parser rather easily by composing two chained connectors (aka "extra-processors"):

1) A CSV-like (called logfile) flexconnector with "|" as the separating character

2) A keyvalue flexconnector

3) When you're done with your basic CEF connector, just chain another extra-processor to be able to parse your specific field

For an example of chained flexconnectors, you can have a look at my parser

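As an added illustration of the three-stage chain described in the reply above (example code written for this page, not code from the thread, from ArcSight, or from the poster's parser), here is a small Python parser that does the same job: stage 1 splits the CEF header on unescaped "|", stage 2 parses the key=value extension, and stage 3 breaks one specific field down further. The sample event, and the ";" / ":" separators assumed inside cs1, are constructed for the example.

```python
import re

# Constructed sample event (not from the thread): cs1 carries a composite value
# of the kind the original poster wants split into separate fields.
SAMPLE = (r"CEF:0|Acme|Gateway|1.2|100|User\|session opened|3|"
          r"src=10.0.0.5 dst=10.0.0.9 suser=roy cs1Label=session "
          r"cs1=dept:finance;role:admin;host:ws-17 msg=path\=C:\\temp ok")
HEADER_FIELDS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity"]
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")             # header separator, "\|" is literal
_EXT_KEY = re.compile(r"(?<![^\s])([A-Za-z0-9_.]+)=")  # "key=" at start or after a space
_EXT_ESC = {"n": "\n", "r": "\r"}                      # CEF extension escapes besides \\ and \=

def split_cef_header(line):
    """Stage 1 (the '|'-delimited logfile connector): 7 header fields plus the raw extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _UNESCAPED_PIPE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 unescaped '|' in header, got %d" % (len(parts) - 1))
    header = {k: re.sub(r"\\([\\|])", r"\1", v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]

def _unescape_ext(raw):
    return re.sub(r"\\([\\=nr])", lambda e: _EXT_ESC.get(e.group(1), e.group(1)), raw)

def parse_extension(ext):
    """Stage 2 (the keyvalue connector): a value runs up to the next unescaped 'key='."""
    keys = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return fields

def explode_field(fields, key, pair_sep=";", kv_sep=":"):
    """Stage 3 (the extra-processor chained onto one field): break a composite value
    such as 'a:1;b:2' into 'key.a' and 'key.b'. The separators are assumptions."""
    out = {}
    for pair in fields.get(key, "").split(pair_sep):
        if kv_sep in pair:
            sub, val = pair.split(kv_sep, 1)
            out["%s.%s" % (key, sub.strip())] = val.strip()
    return out

def parse_cef(line, explode_key=None):
    """Run the whole chain; explode_key names the field to break down further."""
    header, ext = split_cef_header(line)
    fields = parse_extension(ext)
    if explode_key:
        fields.update(explode_field(fields, explode_key))
    return header, fields
```

Note that the escaped "|" in the event name and the escaped "=" and "\" in msg survive intact, which is what a naive split on "|" and " " would get wrong.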