Thomas69 Valued Contributor.

problems parsing with smartconnector

Hello all!

So my problem is, I am trying to build a SmartConnector that gets the data (NSS VLOG logs) from syslog and then sends the events to both ArcSight and Sentinel. The SmartConnector uses CEF fields, and I'm unable to parse namely the "initiatorUserDomain" into Sentinel, since there is no such field I could assign the information to in the SmartConnector parser. I put the appropriate information into "deviceCustomString5" in the SmartConnector, checked in Sentinel Control Center how it processes the event, and found that it gets that value in the "cs5" field. I have exported the configuration of the connector and took a good look at the map files, but I can't seem to find a way to map the customstring5 value to the initiatorUserDomain field (I tried cef.extensions.cs5 in rec2evt.map, and also some other variations, without success). I'm not much of an expert in JS, so I didn't touch those script files ;\.

Any kind of help is more than welcomed

best regards, Thomas

Accepted Solutions
Micro Focus Frequent Contributor

Re: problems parsing with smartconnector

Check this post to see if it helps.

https://community.microfocus.com/t5/Sentinel-Tips-Information/Sentinel-customFieldMaps-ArcSight-Parsing-Universal-Common-Event/ta-p/2687531

I created specific vendor customFieldMaps files that matched the ProductName in Sentinel.

Could try:

~~Sentinel Event Field~~,~~Input Record Field~~
InitiatorUserDomain,cef.extensions.cs5

Or this which should work:

~~Sentinel Event Field~~,~~Input Record Field~~
CEFCustomString5,cef.extensions.cs5

Thomas69 Valued Contributor.

Re: problems parsing with smartconnector

Thanks for helping me solve the problem. Tbh I was about to simply accept the fact that I will have to insert both Tree and Org into the src/dst username field.

All I had to do was create a map file in the main directory (following the post you gave me) with:
~~Sentinel Event Field~~,~~Input Record Field~~
CEFCustomString4,cef.extensions.cs4
CEFCustomString5,cef.extensions.cs5

and after this I could actually map those custom fields to Sentinel event fields in Rec2Evt.map.

This issue gave me a headache, and I really appreciate that you answered and helped me solve this.

Best regards, Thomas
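
The lookup discussed in this thread, modelled offline as an added example (not code from the thread, Sentinel or the SmartConnector): it parses a CEF record, then resolves each `Sentinel Event Field,Input Record Field` line against it and reports any source path that does not resolve, which is how a field gets silently dropped. The sample record, the function names and the rule that a line starting with `~` is the header row are assumptions made for the illustration.

```javascript
// Added illustration; not Sentinel or SmartConnector code.
// Constructed sample: a CEF record carrying Tree/Org values in cs4/cs5.
const SAMPLE = 'CEF:0|ExampleVendor|NSS VLOG|1.0|100|File modified|3|' +
  'suser=thomas cs4=EXAMPLE_TREE cs4Label=Tree cs5=Sales Org\\=EU cs5Label=Org';

// Map lines as posted in the thread.
const MAP_FILE = [
  '~~Sentinel Event Field~~,~~Input Record Field~~',
  'CEFCustomString4,cef.extensions.cs4',
  'CEFCustomString5,cef.extensions.cs5',
].join('\n');

// Split a CEF line into its 7 header fields and a key/value extension object.
function parseCef(line) {
  const start = line.indexOf('CEF:');
  if (start < 0) throw new Error('not a CEF record');
  const parts = line.slice(start).split(/(?<!\\)\|/); // unescaped pipes only
  if (parts.length < 8) throw new Error('truncated CEF header');
  const extText = parts.slice(7).join('|');
  const extensions = {};
  // A value may contain spaces and escaped '='; it ends at the next " key=".
  const re = /(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)/g;
  for (const m of extText.matchAll(re)) {
    extensions[m[1]] = m[2].replace(/\\([=\\])/g, '$1');
  }
  return { header: parts.slice(0, 7), extensions };
}

// Resolve each "target,source" map line against the parsed record.
// Assumption: a line starting with '~' is the header row and is skipped.
function applyFieldMap(mapText, record) {
  const event = {};
  const unresolved = [];
  for (const raw of mapText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('~')) continue;
    const [target, source] = line.split(',').map((s) => s.trim());
    const value = source.split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), record);
    if (value === undefined) unresolved.push(source);
    else event[target] = value;
  }
  return { event, unresolved };
}

const result = applyFieldMap(MAP_FILE, { cef: parseCef(SAMPLE) });
console.log(result.event, 'unresolved:', result.unresolved);
```

A non-empty `unresolved` list means the record never carried that extension key, so the problem is on the connector side rather than in the map file.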
