carlos.alcocer@1 Absent Member.

Subparser / parser Override Syslog S. Connector

Hi everyone,

I need a guide for syslog subparsers/parser overrides.

Maybe there is someone out there who can help me.

Cheers,

10 Replies
nmbabkin1 Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Hello, Carlos!
There you go:

carlos.alcocer@1 Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Hi Nikolay,

Already reviewed the document, but I wonder if there is a little more information. Sometimes the experience of people in this forum really helps.


Regards,

nmbabkin1 Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Carlos,

Sure, but it depends on what you really need to know about subparsers.

FrankV1 Super Contributor.

Re: Subparser / parser Override Syslog S. Connector

I found pretty useful. It explains the various methods for doing additional mappings, additional parsing etc. If you find a method there that you think suits your needs, then you can easily search protect724 for additional info and experiences.

The main question is whether you want to do additional parsing on top of an existing syslog parser, or whether you want to write a full syslog flex connector. In the first case, check the link I mentioned above. The second option is simply a matter of writing the flex connector and deploying it to ARCSIGHT_HOME\user\agent\flexagent\syslog using the following name: vendor.subagent.sdkrfilereader.properties (as described in the flex connector development guide).

carlos.alcocer@1 Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Hi Frank,

Great document. It will be very helpful.

Thanks!

sakalet Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Hi Carlos,

Easy steps for writing a flex connector:

Step 1: install SmartConnector => choose type flex connector file

Step 2: keep a raw syslog file (.txt or .log) and run arcsight regex for development

Step 3: you can write the parser regex

    - write regex

Example

#[WebContainer : 4] DEBUG - 27 May 2014 07:28:12,608:com.eon.retail.app.security.LoginEONDAO - SQLUtil is closed.
#[WebContainer : 0] INFO  - 27 May 2014 07:28:07,133:com.eon.retail.app.security.EONLoginManager - Login Requested: .....Invalidating Current Session

regex=.*(INFO |DEBUG) - (\\d{2} \\S{3} \\d{4} \\d{2}\\:\\d{2}\\:\\d{2}),(\\S{3}):(.*)

    SmartConnector Flex Connector File => arcsight regex (auto regex not recommended)

    - Search Device Field ref. raw event

        Device Vendor = ???
        Device Product = ???

    - Select field name, target port, address, category, ...

    - token = local variable

Example

token.count=
token[0].name=
token[0].type=String|Integer|Long|Timestamp|IPAddress

    - event mapping

Example

token[0].name=SSS
token[0].type=String

event.deviceCustomString1=SSS
event.deviceHostName=__stringConstant("FWipIPST")
event.destinationHostName=__concatenate("FWipIPST","-",SSS)
event.categorySignificance=__ifThenElse(SubAgent,"firewall:Deny",__stringConstant("/Information/Warning"),__stringConstant("/Normal"))
event.deviceVendor=__stringConstant("Firebox")
event.deviceProduct=__stringConstant("Watchguard")

    - Sub message

submessage.messageid.token=<A=s>
submessage.token=<B>
submessage.count=

submessage[0].messageid=<s>
submessage[0].pattern.count= <B>
submessage[0].pattern[0].regex=
submessage[0].pattern[0].fields=
submessage[0].pattern[0].extramappings=

Step 4: save the flex file as .sdkrfilereader.properties and copy it to the <ArcSight_Home>\current\user\agent\flexagent directory

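As an added illustration (not code from the thread or from ArcSight), the Python script below walks through the steps in the post above: it undoes the one level of backslash escaping a .properties reader applies to the quoted regex, matches the two sample lines, converts each capture group as a typed token and maps the tokens to event fields. The token names, the timestamp format and the vendor/product constants are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the format quoted in the post (the leading '#'
# is dropped: in a .properties file it would make the line a comment).
SAMPLE_LINES = [
    "[WebContainer : 4] DEBUG - 27 May 2014 07:28:12,608:com.eon.retail.app.security.LoginEONDAO - SQLUtil is closed.",
    "[WebContainer : 0] INFO  - 27 May 2014 07:28:07,133:com.eon.retail.app.security.EONLoginManager - Login Requested: .....Invalidating Current Session",
]

# The regex value exactly as written in the post. A Java .properties reader consumes
# one level of backslash escaping, so the file must hold "\\d" to get the regex "\d".
PROPERTIES_REGEX = r".*(INFO |DEBUG) - (\\d{2} \\S{3} \\d{4} \\d{2}\\:\\d{2}\\:\\d{2}),(\\S{3}):(.*)"

# One (token[i].name, token[i].type) pair per capture group; the names are assumed.
TOKENS = [("Level", "String"), ("LogTime", "Timestamp"), ("Millis", "Integer"), ("Message", "String")]
TIMESTAMP_FORMAT = "%d %b %Y %H:%M:%S"  # assumed format for the Timestamp token

# event.<field>=<token>; a ("const", value) tuple stands in for __stringConstant(value).
EVENT_MAPPINGS = {
    "deviceSeverity": "Level",
    "deviceReceiptTime": "LogTime",
    "deviceCustomNumber1": "Millis",
    "message": "Message",
    "deviceVendor": ("const", "ExampleVendor"),
    "deviceProduct": ("const", "ExampleProduct"),
}

def unescape_properties(value):
    """Undo the single level of backslash escaping a .properties reader applies."""
    return value.replace("\\\\", "\\")

PATTERN = re.compile(unescape_properties(PROPERTIES_REGEX))

def convert(raw, token_type):
    """Typed conversion of a captured token; trailing space (as in 'INFO ') is trimmed."""
    raw = raw.strip()
    if token_type == "Integer":
        return int(raw)
    if token_type == "Timestamp":
        return datetime.strptime(raw, TIMESTAMP_FORMAT)
    return raw

def parse_line(line):
    """Return the mapped event dict, or None when the regex does not match (unparsed event)."""
    match = PATTERN.match(line)
    if match is None:
        return None
    tokens = {name: convert(raw, ttype) for (name, ttype), raw in zip(TOKENS, match.groups())}
    return {field: src[1] if isinstance(src, tuple) else tokens[src]
            for field, src in EVENT_MAPPINGS.items()}
```

Lines the regex does not match come back as None, which is the case to watch for in agent.log when a parser or override is not picking up the expected traffic.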
sakalet Absent Member.

Re: Subparser / parser Override Syslog S. Connector

You can go to

ashis.sahoo@wns Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Hi All,

I have created a parser override .properties file. But I am not sure of the next steps.

Should I just place the parser override in the FCP folder?

Regards,

Sahoo

aaron.wayne@hpe1 Absent Member.

Re: Subparser / parser Override Syslog S. Connector

Ashis, you will need to create a support ticket and ask support for the full path of where to place the override. It is best to see the actual unobfuscated parser prior to creating a parser override. You have to place the override in the correct path; then you can tail -f agent.log and verify the override is being picked up by the parser upon restarting the agent. The override needs to be in the exact path and named the same as the original parser in order for the override to be detected by the agent framework.

ashis.sahoo@wns Absent Member.

Re: Subparser / parser Override Syslog S. Connector

I extracted the AUP file on the system and got the path. I managed to override the parser; however, the categorization on the new parser does not apply. Guess I would have to override that too.

Thank you for all your help
