jeffd1951 Absent Member.

How to create a Real-Time Alert in Logger

I am able to create a search for the events I want to alert on, but it does not work when I use it to create the alert arguments.

I’m on an ArcSight Logger running V5.1.

I’ve put the following item in the Alert and forced it to occur, but it does not fire. I find it in a regular manual search. I’ve checked, and the email function is working.

deviceEventClassId CONTAINS "Security:560" AND fileName CONTAINS "cbtape" AND deviceSeverity CONTAINS "Audit_failure"

I’ve put in the above search terms, but when I test it, I find the events in the search but no email alert is generated. I’m reading that I’m supposed to use “regular expressions”. But then it says that if I use regular expressions, it won't use the indexed fields and will take more resources. I'm pretty lost on this and would like someone to point me in the right direction.

Thanks

4 Replies
ianfitz Outstanding Contributor.

Re: How to create a Real-Time Alert in Logger

Hi there... Just tested in Logger v5.2...

So steps I took:

Go to Configuration->Alerts

Go to Syslog destinations

Add a destination (say, some host on your network that can run a UDP packet capture program).

Configure the Syslog destination (IP/port/UDP)

Start the capture program listening...

Go back to logger

Go to the Configuration->Alerts->Real Time Alerts

Click add to add a new one

I created an alert for any internal event from logger as follows.  In the query text I put:

CEF:0\|ArcSight\|Logger.*

Match Count: 1

Threshold: 10 secs

Syslog destination: the one I just created.

Save.

When you exit the save screen, the alert is disabled.  Click the enable icon (like a little no-smoking-sign doofer on the right of your new alert).

It's now enabled.

Fiddle about with logger for a few mins, login, logout etc.

You should see data streaming on your packet capture session.

Hopefully it works the same in 5.1 for you.

Cheers,

Ian.

ianfitz Outstanding Contributor.

Re: How to create a Real-Time Alert in Logger

I should add that the regex you specify should be written to match the format of the raw CEF event you can see in Logger when you expand the event by clicking the little + sign on the left of the event of interest.  The "\" I specified in the previous post is to "escape" the pipe character so it doesn't become a regular regex OR.  Look at the CEF event of interest and write the regex to match it.

As far as I can tell, alerts don't utilise indexes etc.; they work in exactly the same way as Logger event forwarders but have a few more configurable parameters.

Cheers,

Ian.

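The following is an added example and is not part of the thread, nor ArcSight's or Micro Focus's own code. It puts Ian's two posts above into runnable form: first, building the regex a real-time alert is matched against the raw CEF text of each event (escaping the `|` delimiters, with the three conditions from the original question expressed as raw-text fragments), and second, a small UDP receiver that stands in for the "packet capture program" in Ian's steps and parses the CEF line out of each datagram sent to a Syslog destination. The sample CEF lines, the syslog header, port 5140 and the host and user names are all constructed for illustration; the exact header and extension layout (where `Audit_failure` sits, that `fileName` is carried as `fname`) is assumed from the CEF field mapping and must be checked against the raw event Logger shows when you expand it.

```python
"""Added example (not from the thread or from ArcSight): raw-CEF alert regex
and a UDP receiver for a Logger Syslog destination.

Sample events and datagrams below are constructed; copy the real layout from
the raw event displayed in Logger before relying on any regex.
"""
import re
import socket
import sys

# --- 1. the alert regex is matched against the raw CEF text ----------------

def build_alert_regex(*fragments: str) -> str:
    """Join literal fragments, in the order they occur in the raw line, with '.*'.

    Each fragment is escaped with re.escape, so CEF's '|' delimiter becomes
    '\\|' and does not turn into a regex OR (Ian's point above).
    """
    return ".*".join(re.escape(f) for f in fragments)


def alert_fires(pattern: str, raw_event: str) -> bool:
    """True if the real-time-alert regex matches the raw CEF event text."""
    return re.search(pattern, raw_event) is not None


# Constructed raw CEF lines (assumed layout; verify against Logger's raw view).
EVENT_FAILURE = (
    r"CEF:0|Microsoft|Microsoft Windows|5.1|Security:560|Object Open|Audit_failure|"
    r"fname=\\\\srv01\\backups\\cbtape.dat duser=backup-svc outcome=Failure"
)
EVENT_SUCCESS = EVENT_FAILURE.replace("Audit_failure", "Audit_success")
EVENT_OTHER_FILE = EVENT_FAILURE.replace("cbtape", "payroll")

# Ian's "any Logger internal event" regex, rebuilt with the helper.
LOGGER_INTERNAL = build_alert_regex("CEF:0|ArcSight|Logger")
# The original question's three conditions, as raw-text fragments in line order:
# Signature ID (header 5), Severity (header 7), then the fname extension.
CBTAPE_FAILURE = build_alert_regex("Security:560", "Audit_failure", "cbtape")

# --- 2. receiver for the Syslog destination --------------------------------

# Strip an optional "<PRI>timestamp host " syslog prefix ahead of "CEF:0".
SYSLOG_PREFIX = re.compile(r"^(?:<\d{1,3}>)?.*?(?=CEF:\d)")
HEADER_NAMES = ["deviceVendor", "deviceProduct", "deviceVersion",
                "deviceEventClassId", "name", "deviceSeverity"]


def parse_cef(datagram: bytes) -> dict:
    """Split one syslog/CEF datagram into CEF header fields and extension pairs.

    The seven header fields are positional and split on unescaped '|'; the
    rest of the line is the extension block of key=value pairs whose values
    may contain spaces, so it is split on the next ' key=' boundary instead.
    """
    text = SYSLOG_PREFIX.sub("", datagram.decode("utf-8", errors="replace")).rstrip("\r\n")
    parts = re.split(r"(?<!\\)\|", text, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % text[:60])
    event = {"version": parts[0][4:]}
    for name, value in zip(HEADER_NAMES, parts[1:7]):
        event[name] = value.replace("\\|", "|")
    extension = {}
    for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]):
        # CEF escapes '\' and '=' inside extension values as '\\' and '\='.
        extension[m.group(1)] = re.sub(r"\\([\\=])", r"\1", m.group(2))
    event["extension"] = extension
    return event


# Constructed datagram, as a Logger Syslog destination might deliver it (assumed).
SAMPLE_DATAGRAM = b"<134>Mar  3 10:15:22 logger01 " + EVENT_FAILURE.encode()


def serve(port: int = 5140) -> None:
    """Listen on UDP and print one line per CEF event received from Logger."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        print("listening on udp/%d" % port, file=sys.stderr)
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                ev = parse_cef(data)
            except ValueError as exc:
                print("skipped datagram from %s: %s" % (src, exc), file=sys.stderr)
                continue
            print("%s %s %s fname=%s" % (src, ev["deviceEventClassId"],
                                        ev["deviceSeverity"],
                                        ev["extension"].get("fname", "-")))


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 5140)
```

To reproduce Ian's test without a syslog daemon, run this on any host with Python (a Windows box included), point the Syslog destination at its address and the chosen UDP port, and enable the alert; each alert arrives as one datagram whose payload is the raw CEF event. The order of the fragments passed to build_alert_regex matters because they are joined with `.*`, so read the raw event in Logger first and list the fragments in the order they appear there.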
jeffd1951 Absent Member.

Re: How to create a Real-Time Alert in Logger

ianfitz

Thank you for your response; however, I'm in an all-Windows shop and we do not have a system that we can direct a syslog to. I am trying to create a real-time email alert when specific events occur.

ianfitz Outstanding Contributor.

Re: How to create a Real-Time Alert in Logger

That's OK, it doesn't need to be a syslog daemon per se; that's just what ArcSight call their connectors that stream data to an IP/port.  If you have nc or netcat or tcpdump you can catch it, even on a Windows box, and the packet itself will just be the CEF message.... Anyway, the principle applies regardless of platform... Hopefully with the notes above you will be able to work it out.

Cheers,

Ian.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.