Logger vs ESM - Data Availability Inconsistency
Wondering if anyone has seen this sort of behavior:
I have a connector (syslog - Juniper JUNOS) which feeds two destinations - an ESM [ArcSight Manager (encrypted)] and a Logger [ArcSight Logger SmartMessage (encrypted)]. The data being received by the ESM seems to be parsed differently than the data being received by the Logger.
What I have seen that has me scratching my head:
Logger has "sourceZoneExternalId" and "destinationZoneExternalId" populated (with the firewall security zone information).
If I check the same events on the ESM, "Source Zone External ID" and "Destination Zone External ID" are empty.
Connector Appliance 6.4 / Connector Version 126.96.36.19974.0
Has anyone seen this before? Does anyone know how to fix it? (I thought I would ask here before moving to support...)
You could give this a shot:
Runagentsetup > Modify destination settings (for both Logger and ESM) > Processing > Turbo mode
Check whether the value is the same for both. Setting Turbo mode to 'fastest' means that the smartconnector adds no additional values beyond what has already been collected in the logs. 'Faster' means that some values are added and 'complete' adds in the most information.
I'm not too clear, but I believe ESM only parses certain fields that match the event schema, and Logger displays all fields. I checked the agent SmartConnector config documentation for Juniper JUNOS and the field is not mapped by ESM.

Keep in mind that the Juniper syslog connector is basically a subparser of the default syslog connector. I recently tried to parse a field from the log to a field in ESM. I was able to successfully map the field so it would display in ESM. Here is my post: Hope it will help you map that field that you need into ESM.
That's really interesting. I guess when I was setting this up, I made the assumption that the data sent to ESM was the same as the data being sent to Logger, just different transport methods. I'll take a peek at that other post to see if I can use the information. Thanks for that.
Of course, this is leading me to another question - when I set things up in the C-L-E configuration (Connector -> Logger -> ESM), as opposed to C-E-L, is this going to affect the data being sent to the ESM?