shshm Absent Member.

HP ArcSight Vontu Syslog SmartConnector Localization problem

Hi, I am not from an English-speaking country, so some companies use the local language when configuring the Symantec Data Loss Prevention (DLP) system. I have some problems with the localization of messages from Symantec Data Loss Prevention (DLP) to HP ArcSight Vontu Syslog. Messages come in CP1252 (I found this out using the netcat program).

I read the following topic: Syslog Deamon Connector Malformed Input Exception ( https://protect724.arcsight.com/message/12917#12917 )

And I made the following configuration changes:

1) connectors.bat:

@echo off
setlocal

:: This script assumes that the working directory is set to
:: ARCSIGHT_HOME and that there is a valid Java VM installation
:: at JAVA_HOME.

:: Say hello.
echo ArcSight Connectors starting...
echo.

:: Set the Component
set ARCSIGHT_COMPONENT=agent

set ARCSIGHT_JVM_OPTIONS= -server -XX:MaxNewSize=128m -verbose:gc -Djava.security.policy="%ARCSIGHT_HOME%\config\agent\agent.policy" %ARCSIGHT_MEM_OPTIONS% -Dfile.encoding=CP1252 -Duser.language=ru -Duser.region=RU

:restart

:: Set the VM parameters.
set ARCSIGHT_JVM_OPTIONS= -server -verbose:gc -Djava.security.policy="%ARCSIGHT_HOME%\config\agent\agent.policy"

:: Check if we have custom memory settings
if exist "%ARCSIGHT_HOME%\user\agent\setmem.bat" goto custommem
    set ARCSIGHT_MEM_OPTIONS= -XX:MaxNewSize=128m -Xms256m -Xmx256m
    goto setalloptions
:custommem
    call "%ARCSIGHT_HOME%\user\agent\setmem.bat"

:setalloptions
set ARCSIGHT_JVM_OPTIONS= -server -verbose:gc -Djava.security.policy="%ARCSIGHT_HOME%\config\agent\agent.policy" %ARCSIGHT_MEM_OPTIONS%

:: Set the main class.
set ARCSIGHT_MAIN_CLASS=com.arcsight.agent.loadable._Agent

:: Execute the Java VM.
call "%ARCSIGHT_HOME%\bin\scripts\execjava.bat" %*

:: Error level 123 indicates that the agents want to be restarted.
if errorlevel 123 goto restart

:end

endlocal

2) agent.wrapper.conf:

#********************************************************************
# ArcSight Wrapper parameters
#********************************************************************

set ARCSIGHT_JVM_OPTIONS= -server -XX:MaxNewSize=128m -verbose:gc -Djava.security.policy="%ARCSIGHT_HOME%\config\agent\agent.policy" %ARCSIGHT_MEM_OPTIONS% -Dfile.encoding=CP1252 -Duser.language=ru -Duser.region=RU

# Java Application (this parameter is now written programatically)
# wrapper.java.command=../../../jre/bin/java

# Java Main class
wrapper.java.mainclass=com.arcsight.agent.loadable._WrapperLauncher

# Java Classpath (include wrapper.jar) Add class path elements as needed starting from 1
wrapper.java.classpath.1=../../../build/classes
wrapper.java.classpath.2=../../../lib/agent/arcsightagents.jar
wrapper.java.classpath.3=../../../user/agent/lib/*
wrapper.java.classpath.4=../../../lib/agent/tomcat/*
wrapper.java.classpath.5=../../../lib/agent/axis/all-axis-libs.jar
wrapper.java.classpath.6=../../../lib/agent/agentframeworklib.jar
wrapper.java.classpath.7=../../../lib/agent/*
wrapper.java.classpath.8=../../../i18n/common
wrapper.java.classpath.9=../../../i18n/agent

# Java Library Path (location of wrapper.lib)
wrapper.java.library.path.1=../../../bin/wrapper/win32
wrapper.java.library.path.2=../../../lib/win32

# Java Additional Parameters (additional parameters will now be written programatically)
# wrapper.java.additional.1=

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=256

# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=256

# Port which the native wrapper code will attempt to connect to
wrapper.port=1777

# Number of seconds to allow for the JVM to be launched and contact the wrapper before the
# wrapper should assume that the JVM is hung and terminate the JVM process. 0 means never
# time out. Defaults to 30 seconds.
wrapper.startup.timeout=60

# Number of seconds to allow between the wrapper pinging the JVM and the response. 0 means
# never time out. Defaults to 300 seconds.
wrapper.ping.timeout=300

# Make sure the wrapper does not time out while shutting down agents
wrapper.jvm_exit.timeout=0
wrapper.shutdown.timeout=0

# The Wrapper detects when an application calls System.exit() and treats this as a request
# to stop the server by default.
wrapper.disable_shutdown_hook=true

#********************************************************************
# Wrapper Logging parameters
#********************************************************************

# Format of output for the console. (See docs for formats)
wrapper.console.format=PM

# Log Level for console output. (See docs for log levels)
wrapper.console.loglevel=INFO

# Log file to use for wrapper output logging.
wrapper.logfile=../../../logs/agent.out.wrapper.log

# Format of output for the log file. (See docs for formats)
wrapper.logfile.format=LPTM

# Log Level for console output. (See docs for log levels)
wrapper.logfile.loglevel=INFO

# Maximum size that the log file will be allowed to grow to before the log is rolled.
# Size is specified in bytes. The default value of 0, disables log rolling. May
# abreviate with the 'k' (kb) or 'm' (mb) suffix. For example: 10m = 10 megabytes.
wrapper.logfile.maxsize=10m

# Maximum number of rolled log files which will be allowed before old files are deleted.
# The default value of 0 implies no limit.
wrapper.logfile.maxfiles=10

# Log Level for sys/event log output. (See docs for log levels)
wrapper.syslog.loglevel=NONE

#********************************************************************
# Wrapper Unix daemon parameters
#********************************************************************

# File to write process ID to
# wrapper.pidfile=/var/run/arcagent.pid

#********************************************************************
# Wrapper NT Service parameters
#********************************************************************

# WARNING - Do not modify any of these parameters when an application
# using this configuration file has been installed as a service.
# Please uninstall the service before modifying this section. The
# service can then be reinstalled.

# Name of the service
wrapper.ntservice.name=ArcSight SmartAgent

# Display name of the service
wrapper.ntservice.displayname=ArcSight SmartAgent

# Description of the service
wrapper.ntservice.description=The ArcSight SmartAgent

# Service dependencies. Add dependencies as needed starting from 1
wrapper.ntservice.dependency.1=

# Mode in which the service is installed. AUTO_START or DEMAND_START
wrapper.ntservice.starttype=AUTO_START

wrapper.java.command=C:\\Program Files (x86)\\ArcSightSmartConnectors(VontuSyslog-DLP-Enforce)\\current\\jre\\bin\\java
wrapper.java.additional.1=-server
wrapper.java.additional.2=-XX:MaxNewSize=128m
wrapper.java.additional.3=-verbose:gc
wrapper.java.additional.4=-DARCSIGHT_HOME=../../../
wrapper.java.additional.5=-Djava.security.policy=../../../config/agent/agent.policy
wrapper.java.additional.6=-XX:+HeapDumpOnOutOfMemoryError
wrapper.java.additional.7=-XX:HeapDumpPath=../../../user/agent
wrapper.java.additional.8=-Dfile.encoding=CP1252
wrapper.java.additional.9=-Duser.language=ru
wrapper.java.additional.10=-Duser.region=RU
wrapper.ntservice.name=arc_ArcSight_VontuSyslog_DLP_Enforce
wrapper.ntservice.displayname=ArcSight ArcSight VontuSyslog-DLP-Enforce
wrapper.ntservice.description=ArcSight ArcSight VontuSyslog-DLP-Enforce
wrapper.ntservice.starttype=AUTO_START

# Add the NSS binaries/library folder into the Path
set.PATH=../../../bin/nss/win32%WRAPPER_PATH_SEPARATOR%%PATH%

Could anybody help me resolve my problem?
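An added example, not part of the original post and not ArcSight tooling: in the connectors.bat above, ARCSIGHT_JVM_OPTIONS is assigned again under :restart and :setalloptions after the line that carries -Dfile.encoding, and in a batch file a later `set` replaces the earlier value. The sketch below checks which value is in effect at the launcher call. It assumes execjava.bat reads that variable; the script text is an abridged excerpt and the function names are hypothetical.

```python
import re

# Abridged excerpt of the connectors.bat posted above: only the lines that
# touch the variable or the launcher call (policy option trimmed for width).
CONNECTORS_BAT = r'''
set ARCSIGHT_JVM_OPTIONS= -server %ARCSIGHT_MEM_OPTIONS% -Dfile.encoding=CP1252 -Duser.language=ru -Duser.region=RU
:restart
set ARCSIGHT_JVM_OPTIONS= -server -verbose:gc
if exist "%ARCSIGHT_HOME%\user\agent\setmem.bat" goto custommem
    set ARCSIGHT_MEM_OPTIONS= -XX:MaxNewSize=128m -Xms256m -Xmx256m
    goto setalloptions
:custommem
    call "%ARCSIGHT_HOME%\user\agent\setmem.bat"
:setalloptions
set ARCSIGHT_JVM_OPTIONS= -server -verbose:gc %ARCSIGHT_MEM_OPTIONS%
call "%ARCSIGHT_HOME%\bin\scripts\execjava.bat" %*
'''

SET_RE = re.compile(r"^\s*set\s+(\w+)=(.*)$", re.IGNORECASE)

def effective_value(script, var, launcher="execjava.bat"):
    """Value of `var` when the launcher is called, plus the values it replaced.

    Lines are read in file order; that matches this script because both
    branches of the `if exist` fall through to :setalloptions.
    """
    current, overwritten = None, []
    for line in script.splitlines():
        low = line.strip().lower()
        if low.startswith("call") and launcher in low:
            break
        m = SET_RE.match(line)
        if not m or m.group(1).upper() != var.upper():
            continue
        value = m.group(2)
        if current is not None:
            if f"%{var}%".lower() in value.lower():
                # `set VAR=%VAR% ...` extends the old value instead of dropping it
                value = re.sub(re.escape(f"%{var}%"), lambda _: current, value, flags=re.I)
            else:
                overwritten.append(current)
        current = value
    return current, overwritten

def flag_survives(script, var, flag):
    """True if `flag` is still in `var` at the point the JVM is launched."""
    value, _ = effective_value(script, var)
    return value is not None and flag.lower() in value.lower()
```

On the excerpt, `flag_survives(CONNECTORS_BAT, "ARCSIGHT_JVM_OPTIONS", "-Dfile.encoding")` is false: the two later assignments discard the encoding and locale options before the JVM starts.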

Till
New Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

Can you specify what kind of encoding problems you see?

Where do you see them? Is this connector attached to logger or ESM?

What kind of characters is the device sending?

-Till

shshm Absent Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

Hi, Till.

I see some hieroglyphs in the HP ArcSight ESM Console. I am using HP ArcSight SmartConnector version 5.1.4.5933.

A screenshot of the console is attached to this reply.

Till
New Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

Are you expecting Cyrillic characters?

To my knowledge cp1252 is a Latin charset and would not encode Cyrillic characters.

Till
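An added example, not part of the thread: a way to check which code page a netcat capture is really in, and to reproduce the garbled text a receiver shows when it decodes Cyrillic bytes as cp1252. The sample line is constructed, and the candidate list and scoring heuristic (share of non-ASCII letters that are lowercase Cyrillic) are assumptions of this sketch.

```python
# Constructed sample: a syslog-style line whose message text is Russian,
# encoded the way a sender using the Windows Cyrillic code page would emit it.
SAMPLE = "<13>dlp-host Policy violated: Конфиденциальные данные".encode("cp1251")

CANDIDATES = ("utf-8", "cp1251", "koi8-r", "cp1252")

def russian_score(text):
    """Share of non-ASCII letters that are lowercase Cyrillic (а-я, ё)."""
    high = [c for c in text if ord(c) > 127 and c.isalpha()]
    if not high:
        return 0.0
    return sum("а" <= c <= "я" or c == "ё" for c in high) / len(high)

def guess_encoding(raw):
    """Return (best_encoding, {encoding: decoded text}) for captured bytes."""
    if all(b < 128 for b in raw):
        return "ascii", {"ascii": raw.decode("ascii")}
    decoded = {}
    for enc in CANDIDATES:
        try:
            decoded[enc] = raw.decode(enc)  # strict: invalid bytes rule the codec out
        except UnicodeDecodeError:
            continue
    # KOI8-R also yields Cyrillic, but with letter case swapped, so it scores low
    best = max(decoded, key=lambda e: russian_score(decoded[e]))
    return best, decoded

def can_encode(text, enc):
    """True if every character of text exists in the code page."""
    try:
        text.encode(enc)
        return True
    except UnicodeEncodeError:
        return False

def as_seen_with(raw, wrong_enc):
    """What a receiver displays when it decodes raw with the wrong code page."""
    return raw.decode(wrong_enc, errors="replace")

if __name__ == "__main__":
    best, views = guess_encoding(SAMPLE)
    for enc, text in views.items():
        print(f"{enc:8} {russian_score(text):.2f} {text}")
    print("best guess:", best)
```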

shshm Absent Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

Yes, I want to see Cyrillic characters, and maybe I've made a mistake in the encoding. I think it is CP1251; it doesn't support Cyrillic characters either, does it?

Till
New Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

CP1251 sounds better.

So if you do your changes to the JVM encoding settings properly to Cp1251, does it work then?

shshm Absent Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

I've got the same situation. Nothing changed.

Till
New Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

Could you send me what you recorded with netcat so I can have my own view on it?

shshm Absent Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

You can find it in the attachments.

shshm Absent Member.

Re: HP ArcSight Vontu Syslog SmartConnector Localization problem

Some of the events look different; I've attached a screenshot with them.
