RAW Event Exporting

I'm looking for some help on how to export the "RAW" non-CEF event field from the ArcSight Loggers.

I've been able to search this field and I can find the data I need; unfortunately, the data I need isn't parsed into a CEF field, and my export isn't capturing this.

I can export "All Fields" and the data is showing up as additional data fields, however this is messing up my export format. I'd like a way to pick just the relevant fields that I know of and the last column to be the entire RAW event just in case something was in the log that didn't get parsed.

Has anyone been able to figure this out?

I tried specifying a field set with the following names:

- "RAW": this ends up empty
- "raw event": this ends up empty
- "Raw Event": this ends up empty

All other fields in my field set export without any issue.
This is the field set that I use and it works great for the identified fields:

Event Time,baseEventCount,Name,message,sourceAddress,sourceHostName,sourceUserName,sourceUserId,sourcePort,sourceNtDomain,destinationAddress,destinationHostName,destinationUserName,destinationUserId,destinationPort,destinationNtDomain,Device Vendor,Device Product,deviceEventClassId,deviceAction,deviceAddress,deviceEventCategory,deviceHostName,deviceReceiptTime,deviceCustomNumber1Label,deviceCustomNumber1,deviceCustomNumber2Label,deviceCustomNumber2,deviceCustomNumber3Label,deviceCustomNumber3,deviceCustomString1Label,deviceCustomString1,deviceCustomString2Label,deviceCustomString2,deviceCustomString3Label,deviceCustomString3,deviceCustomString4Label,deviceCustomString4,deviceCustomString5Label,deviceCustomString5,deviceCustomString6Label,deviceCustomString6,deviceCustomDate1Label,deviceCustomDate1,agentAddress,agentHostName,aid,agentType,categoryBehavior,categoryDeviceGroup,categoryObject,categoryOutcome,categorySignificance

Thanks,

Grant

balahasan.v1 (Acclaimed Contributor)

Re: RAW Event Exporting

Hi Grant,

If your device sources are configured to communicate with Logger through a SmartConnector, you need to enable Preserve Raw Event in the connector to forward it to Logger.

If it is direct Smart Msg, it will normally be contained in the message.

For Logger fields in a single column, this might work:

1. Change your system field sets to Raw Event (optional).
2. Run your query and, in Export, click on All Fields first, then uncheck it again and keep "Raw Message" only; also click on Include CEF only.

[Screenshot attachment: Untitled.png]
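Once the export contains the raw message column (via the field set change above or via "All Fields"), the layout Grant asked for, the known fields first and the whole raw event as the last column, can be produced outside Logger. The following is an added example, not code from the original thread or from ArcSight; the field set is a subset of the one in the question, the candidate raw-column names and the sample CSV are constructed.

```python
import csv
import io

# Subset of the field set from the question (assumed names), plus the column names
# under which the raw event may appear in an export; the first one present is used.
FIELD_SET = ["Event Time", "Name", "sourceAddress", "destinationAddress", "Device Vendor"]
RAW_CANDIDATES = ("Raw Message", "rawEvent", "RAW")

# Constructed sample of an "All Fields" CSV export: an "additional data" column sits
# between the known fields, and the raw event (with commas and quotes) is the last column.
SAMPLE_EXPORT = """\
Event Time,Name,sourceAddress,ad.extraField,destinationAddress,Device Vendor,Raw Message
2023-01-01 10:00:00,Login failure,10.0.0.5,abc,10.0.0.9,Example,"<13>Jan 1 10:00:00 host sshd[1]: Failed password for bob from 10.0.0.5 port 5555 ssh2"
2023-01-01 10:00:01,Login ok,10.0.0.6,,10.0.0.9,Example,"<13>Jan 1 10:00:01 host sshd[2]: Accepted password, ""quoted"" text"
"""


def reshape_export(csv_text, field_set=FIELD_SET, raw_candidates=RAW_CANDIDATES):
    """Return (header, rows): the fields in field_set order, then the raw event last.

    Columns not in field_set are dropped; a field missing from the export gives an
    empty cell instead of an error, so the column layout stays stable across exports.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    present = reader.fieldnames or []
    raw_col = next((c for c in raw_candidates if c in present), None)
    if raw_col is None:
        raise ValueError("no raw event column found; re-export with 'Raw Message' included")
    header = list(field_set) + [raw_col]
    rows = [[rec.get(f, "") for f in field_set] + [rec[raw_col]] for rec in reader]
    return header, rows


def to_csv(header, rows):
    """Serialise back to CSV; the writer quotes the raw event so it stays one cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(*reshape_export(SAMPLE_EXPORT)))
```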
