Absent Member.

Solaris BSM parser override

Solaris 10 BSM Common Mappings to ArcSight ESM Fields: The device-specific field 'Path' is not mapped to any of the CEF fields.

Is it possible to write a little bit of additional parser in a similar way to how it is done with the WUC connector?

As I don't have direct access to the connector installation, I'd like to get some info from you guys before I start experimenting.

Regards

Absent Member.

Re: Solaris BSM parser override

Hi,

We have BSM installed on Solaris 8 and 10.

We have seen that on Solaris 8 we are able to see the command (EXECVE) executed by a user and its arguments, but in the Solaris 10 BSM SmartConnector we don't see this information.

Do you have the same problem?

From the configuration guide we have seen that for Solaris 8 and 9 there are two fields (Device Custom String 1 and Device Custom String 2) that contain Arguments and ExecArgs.

For Solaris 10 these fields are not documented. Do you know if ArcSight continues supporting this type of event?

Regards

Absent Member.

Re: Solaris BSM parser override

Hi.

Here it is the same: for AUE_EXECVE the deviceCustomString2 is missing.

As long as I can add an additional parser as in WUC, it's OK. If I can't, then there will be a problem. Support's heartbeat is still down on the matter.

Regards

Absent Member.

Re: Solaris BSM parser override

Hi,

How can we develop an additional mapping/parser to get these fields that appear in the raw event?

Regards

Absent Member.

Re: Solaris BSM parser override

Jose,

This is the question that I sent to Support and I'm still waiting for a response.

Regards.
