
Logger vs ESM - Data Availability Inconsistency

Wondering if anyone has seen this sort of behavior:

I have a connector (syslog - Juniper JUNOS) which feeds two destinations - an ESM [ArcSight Manager (encrypted)] and a Logger [ArcSight Logger SmartMessage (encrypted)]. The data being received by the ESM seems to be parsed differently than the data being received by the Logger.

What I have seen that has me scratching my head:

Logger has "sourceZoneExternalId" and "destinationZoneExternalId" populated (with the firewall security zone information).

If I check the same events on the ESM, "Source Zone External ID" and "Destination Zone External ID" are empty.

Version Info

Connector Appliance 6.4 / Connector Version 5.2.7.6474.0

Logger 5.3

ESM 5.0.1

Has anyone seen this before? Does anyone know how to fix it? (I thought I would ask here before moving to support...)

Lawrence


You could give this a shot:

Runagentsetup > Modify destination settings (for both Logger and ESM) > Processing > Turbo mode

Check whether the value is the same for both. Setting Turbo mode to 'fastest' means that the smartconnector adds no additional values beyond what has already been collected in the logs. 'Faster' means that some values are added and 'complete' adds in the most information.

Vijay


Thanks for the suggestion.

Both destinations should be configured identically, but I did double check the "Turbo Mode" and they're both set to "Complete".


I'm not too clear, but I believe ESM only parses certain fields that match the event schema, and Logger displays all fields. I checked the agent smartconnector config documentation for Juniper JUNOS and the field is not mapped by ESM. Keep in mind that the Juniper syslog connector is basically a subparser of the default syslog connector.

I recently tried to parse a field from the log to a field in ESM. I was able to successfully map the field so it would display in ESM. Here is my post: Hope it will help you map that field that you need into ESM.

Regards,

Aaron

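As an added example (not code from the thread or from ArcSight), the kind of check the two replies above suggest: once Turbo mode is confirmed identical on both destinations, export the same event from Logger and from ESM and diff the populated fields, so that schema-mapping gaps like the zone external ID fields show up mechanically instead of by eyeballing the consoles. The two records below are constructed samples in a simple key=value extension layout; the field names follow the thread, the values are made up.

```python
import re
from typing import Dict, Set

# Constructed samples: the same JUNOS session event as exported from each
# destination. Logger carries the zone fields; the ESM copy has them empty.
LOGGER_EVENT = (
    "deviceVendor=Juniper deviceProduct=JUNOS name=RT_FLOW_SESSION_CREATE "
    "sourceAddress=10.0.0.5 destinationAddress=10.0.1.9 "
    "sourceZoneExternalId=trust destinationZoneExternalId=untrust"
)
ESM_EVENT = (
    "deviceVendor=Juniper deviceProduct=JUNOS name=RT_FLOW_SESSION_CREATE "
    "sourceAddress=10.0.0.5 destinationAddress=10.0.1.9 "
    "sourceZoneExternalId= destinationZoneExternalId="
)

# key=value pairs separated by whitespace; values are assumed not to contain
# spaces (true for the constructed samples above).
_KV = re.compile(r"(\w+)=(\S*)")


def parse_extension(record: str) -> Dict[str, str]:
    """Turn a key=value extension string into a dict (empty values kept)."""
    return {key: value for key, value in _KV.findall(record)}


def missing_in_esm(logger_rec: str, esm_rec: str) -> Set[str]:
    """Fields populated on the Logger copy but absent or empty on the ESM copy.

    An empty ESM value counts as missing, which is exactly the symptom in the
    thread: the column exists in ESM but nothing was mapped into it.
    """
    logger_fields = parse_extension(logger_rec)
    esm_fields = parse_extension(esm_rec)
    return {k for k, v in logger_fields.items() if v and not esm_fields.get(k)}


def mismatched(logger_rec: str, esm_rec: str) -> Dict[str, tuple]:
    """Fields populated on both copies whose values differ (parser drift)."""
    logger_fields = parse_extension(logger_rec)
    esm_fields = parse_extension(esm_rec)
    return {k: (v, esm_fields[k]) for k, v in logger_fields.items()
            if v and esm_fields.get(k) and esm_fields[k] != v}


if __name__ == "__main__":
    for name in sorted(missing_in_esm(LOGGER_EVENT, ESM_EVENT)):
        print(f"populated on Logger, empty on ESM: {name}")
    for name, (lg, esm) in sorted(mismatched(LOGGER_EVENT, ESM_EVENT).items()):
        print(f"value differs for {name}: Logger={lg!r} ESM={esm!r}")
```

In practice the records would come from a Logger search export and an ESM event export for the same event, and a field that is consistently reported as missing is a candidate for a parser override on the connector rather than a destination setting.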

That's really interesting. I guess when I was setting this up, I made the assumption that the data sent to ESM was the same as the data being sent to Logger, just different transport methods. I'll take a peek at that other post to see if I can use the information. Thanks for that.

Of course, this is leading me to another question - when I set things up in the C-L-E configuration (Connector -> Logger -> ESM), as opposed to C-E-L, is this going to affect the data being sent to the ESM?
